- From: Henry Story <henry.story@bblfish.net>
- Date: Fri, 19 Oct 2012 11:22:09 +0200
- To: "public-webid@w3.org" <public-webid@w3.org>
Received on Friday, 19 October 2012 09:22:45 UTC
to add to ISSUE-34: the security considerations section should suggest that certificates using keygen be created over a TLS connection. The danger otherwise is that a man in the middle could intercept the public key data, send that on to the server, which would add the public key to the profile, create a certificate and return it in the usual manner. But here the man in the middle would then capture the returned certificate, create a new certificate but add a new webid to the san, sign it, and send it on to the client. This would allow the man in the middle then to later confuse servers that could decude from the existence of the two WebIDs in the certificate that both were owl:sameAs each other. Henry Social Web Architect http://bblfish.net/
Received on Friday, 19 October 2012 09:22:45 UTC