Re: WEbID Todos from Ben Laurie on 2012-10-08 (public-webid@w3.org from October 2012)

From: Ben Laurie <benl@google.com>
Date: Mon, 8 Oct 2012 12:48:52 +0100
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Henry Story <henry.story@bblfish.net>, "public-webid@w3.org" <public-webid@w3.org>
Message-ID: <CABrd9STMfpfMb2ie4TkrSTOT+vu8_Azs4qdOqg5E=GjmJL0X9Q@mail.gmail.com>

On 8 October 2012 12:39, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
>
> On 8 October 2012 13:34, Ben Laurie <benl@google.com> wrote:
>>
>> On 8 October 2012 11:28, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>> >
>> >
>> > On 8 October 2012 11:36, Ben Laurie <benl@google.com> wrote:
>> >>
>> >> On 6 October 2012 08:48, Melvin Carvalho <melvincarvalho@gmail.com>
>> >> wrote:
>> >> > WebID is actually 2 specs.
>> >> >
>> >> > 1. The first part is authentication via your public key which is a
>> >> > IFP
>> >> > of
>> >> > your identity.  In certain circumstances (ie caching, just like
>> >> > ~/.ssh/authorized_keys ) you can be done here and it operates like
>> >> > SSH.
>> >> >
>> >> > (1) I think solves the unlinkability problem
>> >>
>> >> How? Clearly the public key makes all authentications that use it
>> >> linkable.
>> >
>> >
>> > You're absolutely right.  We discussed this topic a bit more in the
>> > WebID CG
>> > group over the weekend.
>> >
>> > You'd have to either
>> >
>> > 1) Change key every time
>> > 2) Use a widely used shared key e.g. if we set one up at
>> > http://webid.info/#anonymous
>> >
>> > However, the easy option if you want anonymity (which I believe
>> > unlinkability is related to) is not to send a certificate at all.  This
>> > is
>> > much of the normal flow as you should only need to send the cert when
>> > logging in, and you can hit 'cancel' on all major browsers.
>>
>> How do you log in, then? That is, how do I get linkability between
>> sessions at a particular site but not between sessions at different
>> sites?
>
>
> There is a different dialog in each browser.  I think henry has screenshots
> of them all.
>
> If you look at this screencast:
>
> http://webid.info/
>
> From 4m30s -> 6m00 It will show you some of the different UIs

You miss my point: if the advice is that to remain unlinkable, don't
use a cert, then how do I log in to a site I want to log into but do
not want to give the ability to link me to other sites?

>
>>
>>
>>
>> >
>> > Or even easier use a different browser / different browser profile.
>
>

Received on Monday, 8 October 2012 11:49:20 UTC