- From: Brian Allen Vanderburg II <brianvanderburg2@aim.com>
- Date: Wed, 28 May 2014 09:56:46 -0400
- To: public-webid@w3.org
- Message-ID: <5385EB1E.9020802@aim.com>

I'm using the overview section at http://bblfish.net/tmp/2011/04/26/

This is what it seems to be saying. Please correct any misconceptions.

The server that you log into must support HTTPS/TLS. This means either spending money on an SSL certificate for the website or using StartSSL for free at least as long as it is provided for free (or self-signing and the user getting warnings about the certificate all the time).

Since the X.509 cert. is sent to the server, how does the web application that is being logged into get access to the information needed from the cert? Does this require the web server to handle the authentication via some CA specified in the web server configuration, or can the web application handle the checking of the cert via PHP/ASP/etc?

The server hosting the WebID profile doesn't have to be SSL. It is just whatever URL is specified in the client-side X.509 certificate.

The client-side certificate references the WebID URL. If the location of the WebID Profile changes for whatever reason (server shutting down, domain name change), is it enough to edit the local client-side certificate and change the URL field to point to another location for any sites using it to keep working at the next login? This would probably break any web of trust that depends on the URL specified, but could allow for keeping login working by moving the WebID Profile somewhere else and updating the client-side certificate once?

Is it possible to generate your own WebID offline for use with multiple sites by importing it into the browser and hosting the WebID Profile online somewhere, or does it require an online site to generate?

Overall it looks very interesting and I definitely think that some standard like this should exist and become widespread.

Received on Wednesday, 28 May 2014 13:59:47 UTC