- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Wed, 07 Mar 2012 10:10:15 -0500
- To: public-webid@w3.org
- Message-ID: <4F577A57.7010806@openlinksw.com>
On 3/5/12 1:45 PM, nilclass@riseup.net wrote:
> But I did (and do) think that it
> should be made clear, that the knowledge that you have about the
> authenticity of a peer after authenticating via WebID is only as likely to
> be true, as the whole chain of authentication leading to the conclusion of
> that knowledge is likely to be compromised.

Identity is verified via relations. These relations are mirrored across your local keystore and a data space you control. You have to be able to achieve two vital tasks when compromising the system:

1. have a dereferenceable URI in the subjectAlternateName (SAN) slot of an X.509 certificate
2. the URI has to resolve to a graph where the URI is in a relation (this has specific semantics) with the aforementioned X.509 certificate's public key.

There is a composite key in two places; they have to match via semantically rich relations verification. This system isn't vulnerable to the scenario you describe. If you believe it is vulnerable then I would encourage you to demonstrate said vulnerability. I can easily protect a published resource using a WebID based ACL, then ask you to access this resource by exploiting the vulnerability you assume. That's what I would do etc.

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Wednesday, 7 March 2012 15:10:41 UTC
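The two checks Kingsley lists (a dereferenceable URI in the certificate's SAN, and a profile graph at that URI that relates the URI to the certificate's public key) as an added, runnable model. This is example code written for this archive page, not code from the thread, from OpenLink or from any WebID implementation. The certificate fields, the hostnames, the key values and the in-memory "dereference" table are all constructed; the cert:key / cert:modulus / cert:exponent vocabulary is taken from the W3C WebID-TLS draft and is an assumption here, since the e-mail only speaks of "a relation" between the URI and the public key. The example also shows the two failure modes the post implies: a certificate that carries someone else's WebID but a different key, and a URI that does not dereference to a profile at all.

```python
"""Added example: a minimal model of the two WebID checks described in the
thread. All data below is constructed; the cert: vocabulary is assumed from
the WebID-TLS draft, not stated in the e-mail."""
import re
from dataclasses import dataclass

CERT = "http://www.w3.org/ns/auth/cert#"
XSD = "http://www.w3.org/2001/XMLSchema#"


@dataclass(frozen=True)
class Certificate:
    """Only the parts of an X.509 client certificate the check needs."""
    san_uris: tuple   # URI entries from the subjectAltName extension
    modulus: int      # RSA public-key modulus
    exponent: int     # RSA public exponent


# One N-Triples statement: three terms and a terminating dot. Literals may
# carry ^^<datatype>; language tags and escapes beyond \" are not handled.
_TERM = r'(<[^>]*>|_:[A-Za-z0-9]+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>)?)'
_LINE = re.compile(r"^\s*" + _TERM + r"\s+" + _TERM + r"\s+" + _TERM + r"\s*\.\s*$")


def _term(t):
    """IRI -> bare string, blank node -> '_:label', literal -> (lexical, datatype)."""
    if t.startswith("<"):
        return t[1:-1]
    if t.startswith('"'):
        lex, sep, dtype = t.rpartition("^^")
        return (t[1:-1], None) if not sep else (lex[1:-1], dtype[1:-1])
    return t


def parse_ntriples(text):
    """Parse the N-Triples subset used by the profiles below into (s, p, o) tuples."""
    triples = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable N-Triples line: %r" % line)
        triples.append(tuple(_term(t) for t in m.groups()))
    return triples


def keys_in_profile(triples, webid):
    """Every (modulus, exponent) the graph asserts as a cert:key of webid."""
    found = set()
    for key_node in (o for s, p, o in triples if s == webid and p == CERT + "key"):
        mod = exp = None
        for s, p, o in triples:
            if s != key_node or not isinstance(o, tuple):
                continue
            if p == CERT + "modulus" and o[1] == XSD + "hexBinary":
                mod = int(o[0], 16)   # hex case and leading zeros do not matter
            elif p == CERT + "exponent" and o[1] == XSD + "integer":
                exp = int(o[0])
        if mod is not None and exp is not None:
            found.add((mod, exp))
    return found


def verify_webid(cert, dereference):
    """Return the first SAN URI whose profile asserts the certificate's own
    public key, else None. dereference(uri) returns the N-Triples text the
    URI resolves to or raises; a failure only disqualifies that one URI."""
    for uri in cert.san_uris:
        try:
            triples = parse_ntriples(dereference(uri))
        except (LookupError, ValueError):
            continue
        if (cert.modulus, cert.exponent) in keys_in_profile(triples, uri):
            return uri
    return None


# --- constructed sample data (not real keys or hosts) ----------------------
ALICE = "https://alice.example/profile#me"
ALICE_MOD = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
PROFILES = {
    "https://alice.example/profile": f"""
<{ALICE}> <{CERT}key> _:k1 .
_:k1 <{CERT}modulus> "{ALICE_MOD:x}"^^<{XSD}hexBinary> .
_:k1 <{CERT}exponent> "65537"^^<{XSD}integer> .
""",
}


def dereference(uri):
    """Stand-in for an HTTP GET: strip the fragment and look the document up."""
    doc = uri.split("#", 1)[0]
    if doc not in PROFILES:
        raise LookupError("cannot dereference " + uri)
    return PROFILES[doc]


GOOD_CERT = Certificate((ALICE,), ALICE_MOD, 65537)          # both checks pass
KEY_MISMATCH = Certificate((ALICE,), ALICE_MOD + 2, 65537)   # Alice's URI, other key
NO_PROFILE = Certificate(("https://nobody.example/p#me",), ALICE_MOD, 65537)

if __name__ == "__main__":
    for name, c in [("good", GOOD_CERT), ("key mismatch", KEY_MISMATCH), ("no profile", NO_PROFILE)]:
        print(name, "->", verify_webid(c, dereference))
```

The point the post makes shows up in the three sample certificates: only the one whose SAN URI resolves to a graph that names that same key is accepted, so an attacker would need control of both the private key and the profile document. A real verifier would additionally confirm the TLS handshake proved possession of the private key and fetch the profile over HTTPS rather than from a dictionary.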