- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 01 May 2014 16:27:30 +0200
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- CC: Andrei Sambra <andrei@fcns.eu>, public-webid@w3.org
On 2014-05-01 16:04, henry.story@bblfish.net wrote:
>
> On 30 Apr 2014, at 07:02, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> On 2014-04-30 06:04, Andrei Sambra wrote:
>>> Hi Anders,
>>>
>>> On 04/29/2014 11:49 PM, Anders Rundgren wrote:
>>>> On 2014-04-30 03:40, Andrei Sambra wrote:
>>>>
>>>> Hi Andrei,
>>>>
>>>> I took a quick peek at http://www.w3.org/2005/Incubator/webid/spec/tls/
>>>>
>>>> I don't understand why the flowchart in 4.1 shows a social graph in step 3,
>>>> because at this stage you should only know if the resource is protected or not.
>>>> If the resource isn't protected, wouldn't you just be transferred to step 8?
>>>> The social graph seems more appropriate for step 7.
>>>
>>> The point is that if the resource has no ACL policy, or if it allows
>>> everyone to access it, then there is no need to authenticate the request
>>> anymore.
>>
>> Yes, this is stated in step 3.
>>
>> I interpret your answer as: WebID-TLS presumes a rather unusual Web server and TLS arrangement
>> where resources are dynamically requesting TLS CCA (Client Certificate Authentication).
>>
>> Personally I think it would be wiser to stick to the more established static protected/public
>> notion and postpone authorization to step 7.
>
> In that case you end up asking users for their certificate even if you don't need it,
> which is not user friendly. But if you don't care about user friendliness, you can go
> and ask for the certificate up front anyway.

Since you don't know who is requesting the resource before you have actually authenticated the user (asking for the certificate), I would pre-compute which resources need authentication and which do not. The only drawback with static protected/public is, as far as I can see, that URLs would change if the protection was changed.

I would be interested to know how you deal with dynamic TLS CCA in, for example, Tomcat.

Anders

>>
>> Anders
>>
>>>>
>>>> Minor nit: Step 7 in the flowchart talks about access control rules in
>>>> step 2. Shouldn't it be step 3?
>>>
>>> Step 2 is a rather long step, which contains all the subsequent steps.
>>>
>>> -- Andrei
>>>
>>>> Anders
>>>>
>>>>> We are proud to announce that on 2014-03-05, the WebID Community Group published
>>>>> an updated set of drafts for the following specifications:
>>>>>
>>>>> WebID - Web Identity and Discovery
>>>>> WebID-TLS - Authentication over TLS
>>>>>
>>>>> Participants contribute material to this specification under the W3C Community
>>>>> Contributor License Agreement (CLA).
>>>>> If you have any questions, please contact the group on their public list:
>>>>> public-webid@w3.org.
>>>>>
>>>>> ----------
>>>>>
>>>>> This post sent on WebID Community Group
>>>>>
>>>>> 'New official drafts published.'
>>>>>
>>>>> http://www.w3.org/community/webid/2014/04/30/updated-specs/
>>>>>
>>>>> Learn more about the WebID Community Group:
>>>>>
>>>>> http://www.w3.org/community/webid
>
> Social Web Architect
> http://bblfish.net/
Received on Thursday, 1 May 2014 14:28:04 UTC
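As an added illustration, not taken from the thread or the WebID-TLS draft, of the static protected/public arrangement Anders proposes, here is how the split looks in Tomcat configuration: the connector does not ask for a certificate in the handshake, and a `CLIENT-CERT` security constraint on a fixed URL pattern marks the space that does require one. The URL patterns, keystore names and passwords are placeholders; mapping the certificate to a WebID would need a realm of your own, which is not shown.

```xml
<!-- server.xml (excerpt): clientAuth="false" means a plain handshake for every
     request; public resources never see a certificate prompt. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="PLACEHOLDER"
           truststoreFile="conf/truststore.jks" truststorePass="PLACEHOLDER" />

<!-- web.xml (excerpt): the protected/public decision is made from the path
     alone, which is what step 3 of the flowchart needs before any user is known. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- /public/* carries no constraint, so a request for it goes straight on
       to be served (step 8 in the flowchart) without any TLS CCA. -->

  <!-- /protected/* always requires an authenticated client certificate. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebID-protected space</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" = any role the realm assigns; authorization proper (step 7)
           stays with the application, as Anders suggests. -->
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>
```

With this layout the only thing that changes when a resource's protection changes is which URL pattern it lives under, the drawback Anders notes. Tomcat can also answer his question about dynamic CCA: with `clientAuth="false"` its CLIENT-CERT authenticator requests the certificate through a TLS renegotiation only when a constrained URL is hit, so the same `web.xml` works either way, though renegotiation support depends on the Tomcat and JSSE version in use.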