Re: Question/idea: Self-contained WebID

On 2014-May-28, at 06:20, Daniël Bos <corani@gmail.com> wrote:

> OpenID can actually run locally, since the browser handles all the redirects. In the past I've used an OpenID provider running on localhost. This could just as easily have been baked into the browser.

That’s going to very much depend upon the server. There’s nothing about that which is guaranteed to work. The server you’re communicating with *should* be able to dereference the URI in the certificate as a means of (1) verifying your WebID (the URI), and (2) performing attribute exchange.

A local-only server will only work if the above happens client-side, which itself would make me nervous.

The whole point of hosting the FOAF (or equivalent) somewhere accessible is that the server being able to fetch it, and its contents matching your key, is a way of confirming that the URI you’re claiming to control is actually something you control. It’s the server which needs to obtain this verification, not the browser. The browser doesn’t have any particular reason to care.

A local-only server would be the equivalent of verifying your e-mail address on a site which requires it, but only running a mail server which is also bound only to localhost.

M.

-- 
Mo McRoberts - Chief Technical Architect - Archives & Digital Public Space,
Zone 2.12, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA.

Inside the BBC? My movements this week: http://neva.li/where-is-mo

Received on Wednesday, 28 May 2014 08:39:19 UTC
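
The server-side check described in the message above, as an added example that is not part of the original e-mail: the relying server takes the URI and RSA key from the client certificate, dereferences the URI itself, and accepts only if the profile lists the same key. The in-memory profile store, the regex stand-in for RDF parsing, and the rule that refuses loopback/private hosts are assumptions made for illustration; all sample values are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: profiles the relying server can reach, keyed by URL.
# Stands in for the server's own HTTP GET; all values are made up.
REACHABLE_PROFILES = {
    "https://alice.example/card": '<#me> cert:key [ cert:modulus '
    '"c0ffee01"^^xsd:hexBinary ; cert:exponent 65537 ] .',
}
# Simplified matcher for the cert ontology triples (a real server parses RDF).
KEY_RE = re.compile(
    r'cert:modulus\s+"([0-9a-fA-F]+)"\^\^xsd:hexBinary\s*;\s*cert:exponent\s+(\d+)')

def is_local_only(uri):
    """True if the host only means something on the machine that names it."""
    host = urlparse(uri).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

def fetch_profile(uri):
    """Server-side dereference of the WebID (fragment stripped)."""
    return REACHABLE_PROFILES.get(uri.split("#")[0])

def verify_webid(san_uri, cert_modulus_hex, cert_exponent):
    """Return (ok, reason) for a claimed WebID and the certificate's RSA key."""
    if urlparse(san_uri).scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if is_local_only(san_uri):
        # Assumed policy: from the server, 'localhost' is the server itself,
        # so the claim cannot be checked against anything the client controls.
        return False, "URI is local-only"
    doc = fetch_profile(san_uri)
    if doc is None:
        return False, "profile not retrievable"
    for mod, exp in KEY_RE.findall(doc):
        if int(mod, 16) == int(cert_modulus_hex, 16) and int(exp) == cert_exponent:
            return True, "profile key matches certificate"
    return False, "no matching key in profile"
```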