Re: Question/idea: Self-contained WebID

From: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
Date: Wed, 28 May 2014 08:38:41 +0000
To: Daniël Bos <corani@gmail.com>
CC: Kingsley Idehen <kidehen@openlinksw.com>, "public-webid@w3.org" <public-webid@w3.org>
Message-ID: <0F2EF845-3029-418E-B0EC-525A2AAC0AA2@bbc.co.uk>

On 2014-May-28, at 06:20, Daniël Bos <corani@gmail.com> wrote:

> OpenID can actually run locally, since the browser handles all the redirects. In the past I've used an OpenID provider running on localhost. This could just as easily have been baked into the browser.

That's going to very much depend upon the server. There's nothing about that which is guaranteed to work. The server you're communicating with *should* be able to dereference the URI in the certificate as a means of (1) verifying your WebID (the URI), and (2) performing attribute exchange.

A local-only server will only work if the above happens client-side, which itself would make me nervous.

The whole point of hosting the FOAF (or equivalent) somewhere accessible is that the server being able to fetch it, and its contents matching your key, is a way of confirming that the URI you're claiming to control is actually something you control. It's the server which needs to obtain this verification, not the browser. The browser doesn't have any particular reason to care.

A local-only server would be the equivalent of verifying your e-mail address on a site which requires it, but only running a mail server which is also bound only to localhost.

M.

-- 
Mo McRoberts - Chief Technical Architect - Archives & Digital Public Space,
Zone 2.12, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA.

Inside the BBC? My movements this week: http://neva.li/where-is-mo
Received on Wednesday, 28 May 2014 08:39:19 UTC
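
The server-side check this message describes, as an added example that is not part of the original post or of any WebID implementation: the verifier refuses WebID URIs that only resolve on the client's machine, then fetches the profile itself and compares keys. The function names, the `alice.example` URI, the key values and the in-memory `PUBLISHED` table (standing in for an HTTP fetch and RDF parse) are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: profile documents reachable from the server,
# reduced to the (modulus, exponent) pairs each one publishes.
ALICE_KEY = (0xC0FFEE, 65537)
PUBLISHED = {"https://alice.example/card": [ALICE_KEY]}

def fetch_profile_keys(doc_url):
    """Hypothetical stand-in for an HTTP GET plus RDF parse of the profile."""
    if doc_url not in PUBLISHED:
        raise OSError("cannot dereference " + doc_url)
    return PUBLISHED[doc_url]

def server_can_dereference(webid_uri):
    """False when the URI only means something on the client's own machine."""
    parts = urlsplit(webid_uri)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # DNS name; a real verifier also checks what it resolves to

def verify_webid(webid_uri, cert_key, fetch=fetch_profile_keys):
    """Server-side check: returns (accepted, reason)."""
    if not server_can_dereference(webid_uri):
        return False, "URI is local to the client; the server cannot fetch it"
    try:
        keys = fetch(webid_uri.split("#", 1)[0])  # drop the fragment
    except OSError:
        return False, "profile could not be fetched"
    if cert_key not in keys:
        return False, "profile does not list the certificate's key"
    return True, "profile lists the certificate's key"
```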