
Re: New official drafts published. [via WebID Community Group]

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 01 May 2014 16:27:30 +0200
Message-ID: <536259D2.1000309@gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
CC: Andrei Sambra <andrei@fcns.eu>, public-webid@w3.org

On 2014-05-01 16:04, henry.story@bblfish.net wrote:
> 
> On 30 Apr 2014, at 07:02, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>> On 2014-04-30 06:04, Andrei Sambra wrote:
>>> Hi Anders,
>>>
>>> On 04/29/2014 11:49 PM, Anders Rundgren wrote:
>>>> On 2014-04-30 03:40, Andrei Sambra wrote:
>>>>
>>>> Hi Andrei,
>>>>
>>>> I took a quick peek at http://www.w3.org/2005/Incubator/webid/spec/tls/
>>>>
>>>> I don't understand why the flowchart in 4.1 shows a social graph in step 3
>>>> because at this stage you should only know if the resource is protected or not.
>>>> If the resource isn't protected wouldn't you just be transferred to step 8?
>>>> The social graph seems more appropriate for step 7.
>>>
>>> The point is that if the resource has no ACL policy or if it allows
>>> everyone to access it, then there is no need to authenticate the request
>>> anymore.
>>
>> Yes, this is stated in step 3.
>>
>> I interpret your answer as WebID-TLS presumes a rather unusual Web server and TLS arrangement
>> where resources are dynamically requesting TLS CCA (Client Certificate Authentication).
>>
>> Personally I think it would be wiser sticking to the more established static protected/public
>> notion and postpone authorization to step 7.
> 
> In that case you end up asking users for their certificate even if you don't need it,
> which is not user friendly. But if you don't care about user friendliness, you can go
> and ask for the certificate up front anyway.

Since you don't know who is requesting the resource before you have actually
authenticated the user (asking for the certificate), I would pre-compute which
resources need authentication and which do not.

The only drawback with static protected/public is, as far as I can see, that
URLs would change if the protection was changed.  I would be interested to
know how you deal with dynamic TLS CCA in, for example, Tomcat.

Anders


> 
>>
>> Anders
>>
>>>
>>>>
>>>> Minor nit: Step 7 in the flowchart talks about access control rules in
>>>> step 2.  Shouldn't it be step 3?
>>>
>>> Step 2 is a rather long step, which contains all the subsequent steps.
>>>
>>> -- Andrei
>>>
>>>>
>>>> Anders
>>>>
>>>>> We are proud to announce that on 2014-03-05, the WebID Community Group published
>>>>> an updated set of drafts for the following specifications:
>>>>>
>>>>> 	WebID - Web Identity and Discovery
>>>>> 	WebID-TLS - Authentication over TLS
>>>>>
>>>>> Participants contribute material to this specification under the W3C Community
>>>>> Contributor License Agreement (CLA).
>>>>> If you have any questions, please contact the group on their public list:
>>>>> public-webid@w3.org.
>>>>>
>>>>>
>>>>>
>>>>> ----------
>>>>>
>>>>> This post sent on WebID Community Group
>>>>>
>>>>>
>>>>>
>>>>> 'New official drafts published.'
>>>>>
>>>>> http://www.w3.org/community/webid/2014/04/30/updated-specs/
>>>>>
>>>>>
>>>>>
>>>>> Learn more about the WebID Community Group: 
>>>>>
>>>>> http://www.w3.org/community/webid
> 
> Social Web Architect
> http://bblfish.net/
> 
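The static protected/public split Anders describes, written out as a Tomcat configuration. This is an added example, not part of the original thread or of the WebID specs; the paths, ports, keystore names and the role name are assumptions. Tomcat's own HTTP connector documentation is the relevant fact here: with clientAuth="false" (the default) the connector "will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication", so the protected/public decision is pre-computed in web.xml and the certificate is only requested (by TLS renegotiation) on the first hit to a constrained URL, which is the dynamic TLS CCA arrangement the thread is asking about; clientAuth="true" would instead demand the certificate on every connection, public resources included.

```xml
<!-- conf/server.xml (fragment; file layout and values are assumptions).
     One HTTPS connector. clientAuth="false": no certificate is requested at
     the initial handshake; Tomcat renegotiates for one only when a request
     reaches a CLIENT-CERT security constraint. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/clients.jks" truststorePass="changeit" />

<!-- WEB-INF/web.xml (fragment; paths and role name are assumptions).
     The pre-computed protected/public split: anything outside /protected/*
     is public and is served without ever asking for a certificate (the
     "resource allows everyone" exit in step 3 of the flowchart); /protected/*
     triggers the certificate request, and the WebID ACL decision (step 7)
     is left to the application once a principal exists. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WebID-protected resources</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>webid-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>webid-user</role-name>
</security-role>
```

Two caveats a deployer would want. First, Tomcat's stock Realms authenticate a client certificate by its subject DN against a user store and validate the chain against the truststore; WebID-TLS certificates are commonly self-signed and identify the user by the URI in the subjectAltName, with the key checked against the WebID profile document, so the truststore-based chain check has to be replaced (the connector's trustManagerClassName attribute takes a custom trust manager) and the DN-based Realm by one that does the WebID lookup. Second, the on-demand request relies on TLS renegotiation, which both sides must support in its secure (RFC 5746) form, and which TLS 1.3 removed in favour of post-handshake client authentication, so the same per-resource behaviour needs a stack that implements that instead.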
Received on Thursday, 1 May 2014 14:28:04 UTC
