W3C home > Mailing lists > Public > public-webid@w3.org > June 2017

WebID-protected WebID document

From: Martynas Jusevičius <martynas@atomgraph.com>
Date: Wed, 21 Jun 2017 11:55:23 +0300
Message-ID: <CAE35VmzjVikZNjUqRc4BEuazMrcKdMZwM1vh8W6gWjmqgp+yWA@mail.gmail.com>
To: public-webid <public-webid@w3.org>
Hi,

I've started implementing the WebID Authentication Protocol.

I extract the WebID URIs from certificates and try to look them up and
verify -- so far so good.

But, since the WebID URIs are local to my system, and the whole system is
protected by WebID, it means that WebID URIs themselves are protected by
WebID. This leads the Guard/Verifier into an eternal loopback.

WebID 1.0 says both that WebID documents should be public and served over
HTTPS.

The only way to achieve that that I can see is for the Verifier to
dereference WebID document over HTTPS but without sending a client
certificate. Which also means that the server's clientAuth has to be
configured as 'want' rather than 'need' (and naturally the ACL has to be
configured to allow public access to WebID).

Are my assumptions correct? Maybe this should be clarified in the protocol
spec?


Martynas
atomgraph.com
Received on Wednesday, 21 June 2017 08:55:57 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 21 June 2017 08:55:58 UTC