Re: WebID Todos

On 8 October 2012 11:36, Ben Laurie <benl@google.com> wrote:

> On 6 October 2012 08:48, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> > WebID is actually 2 specs.
> >
> > 1. The first part is authentication via your public key which is an IFP of
> > your identity.  In certain circumstances (i.e. caching, just like
> > ~/.ssh/authorized_keys ) you can be done here and it operates like SSH.
> >
> > (1) I think solves the unlinkability problem
>
> How? Clearly the public key makes all authentications that use it linkable.
>

You're absolutely right.  We discussed this topic a bit more in the WebID
CG group over the weekend.

You'd have to either

1) Change key every time
2) Use a widely used shared key, e.g. if we set one up at
http://webid.info/#anonymous

However, the easy option if you want anonymity (which I believe
unlinkability is related to) is not to send a certificate at all.  This is
much of the normal flow as you should only need to send the cert when
logging in, and you can hit 'cancel' on all major browsers.

Or, even easier, use a different browser / different browser profile.

Received on Monday, 8 October 2012 10:28:43 UTC
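
The linkability point in this exchange, as an added example that is not part of the original thread: two relying parties that compare logs can join visits on the fingerprint of the presented public key, and each option mentioned above changes what that join yields. The site names, user labels and key bytes are constructed stand-ins (not real keys), and the model considers only the key, no other signal.

```python
import hashlib
from collections import defaultdict

def key_fingerprint(public_key: bytes) -> str:
    """What any relying party can compute from a presented certificate."""
    return hashlib.sha256(public_key).hexdigest()[:16]

def correlate(visits):
    """Join visits from cooperating sites on key fingerprint.

    visits: iterable of (site, true_user, public_key_or_None).
    true_user is ground truth used for scoring only; sites never see it.
    """
    clusters = defaultdict(lambda: {"sites": set(), "users": set(), "visits": 0})
    for site, user, key in visits:
        if key is None:  # no certificate sent: nothing to join on
            continue
        c = clusters[key_fingerprint(key)]
        c["sites"].add(site)
        c["users"].add(user)
        c["visits"] += 1
    return dict(clusters)

def tracked_users(visits):
    """Users whose visits to 2+ sites land in a cluster containing only them."""
    return {next(iter(c["users"]))
            for c in correlate(visits).values()
            if len(c["users"]) == 1 and len(c["sites"]) > 1}

def scenario(key_for):
    """Constructed log: alice and bob each visit two sites; key_for picks the key."""
    return [(site, user, key_for(site, user))
            for user in ("alice", "bob")
            for site in ("a.example", "b.example")]

SCENARIOS = {
    "one key everywhere": scenario(lambda s, u: f"{u}-key".encode()),
    "new key every time": scenario(lambda s, u: f"{u}-key-for-{s}".encode()),
    "shared anonymous key": scenario(lambda s, u: b"shared-anonymous-key"),
    "no certificate sent": scenario(lambda s, u: None),
}

def main():
    for name, visits in SCENARIOS.items():
        print(f"{name:22} linkable users: {sorted(tracked_users(visits))}")

if __name__ == "__main__":
    main()
```

With the shared key the join still produces one cluster, but it contains every user of that key, so it no longer singles anyone out.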