WebID-protected WebID document

Hi,

I've started implementing the WebID Authentication Protocol.

I extract the WebID URIs from certificates and try to look them up and
verify -- so far so good.

But, since the WebID URIs are local to my system, and the whole system is
protected by WebID, it means that WebID URIs themselves are protected by
WebID. This leads the Guard/Verifier into an eternal loopback.

WebID 1.0 says that WebID documents should be both public and served over
HTTPS.

The only way to achieve that, that I can see, is for the Verifier to
dereference the WebID document over HTTPS but without sending a client
certificate. Which also means that the server's clientAuth has to be
configured as 'want' rather than 'need' (and naturally the ACL has to be
configured to allow public access to WebID).

Are my assumptions correct? Maybe this should be clarified in the protocol
spec?


Martynas
atomgraph.com

Received on Wednesday, 21 June 2017 08:55:57 UTC
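
The loop described in the message above, and the two settings proposed to break it, can be reproduced in a small model. This is an added example, not code from the original post or from any WebID implementation; the `Guard` class, the paths, `VERIFIER_CERT` and the key strings are constructed for illustration, and no TLS is performed.

```python
class Denied(Exception): pass
class VerifierLoop(Exception): pass

# Constructed data: WebID path -> public keys listed in that WebID document.
DOCS = {"/people/alice": {"alice-key"}, "/agents/verifier": {"verifier-key"}}
VERIFIER_CERT = {"webid": "/agents/verifier", "key": "verifier-key"}

class Guard:
    def __init__(self, client_auth, public_paths, verifier_sends_cert):
        self.client_auth = client_auth            # 'want' or 'need'
        self.public_paths = set(public_paths)     # ACL: readable without authentication
        self.verifier_sends_cert = verifier_sends_cert

    def request(self, path, cert=None, depth=0):
        """Serve `path`, authenticating the caller first, as the guard would."""
        if depth > 5:                             # recursion cap standing in for "eternal"
            raise VerifierLoop(path)
        if cert is None:
            if self.client_auth == "need":
                raise Denied("handshake refused: no client certificate")
            if path in self.public_paths:
                return DOCS[path]
            raise Denied("authentication required for " + path)
        # A certificate was presented, so its WebID claim must be verified.
        if not self.verify(cert, depth):
            raise Denied("key not listed in " + cert["webid"])
        return DOCS[path]

    def verify(self, cert, depth):
        """Verifier: dereference the claimed WebID and compare the keys."""
        own = VERIFIER_CERT if self.verifier_sends_cert else None
        keys = self.request(cert["webid"], own, depth + 1)
        return cert["key"] in keys

def outcome(guard, path, cert):
    """Return 'ok', 'denied' or 'loop' for one authenticated request."""
    try:
        guard.request(path, cert)
        return "ok"
    except VerifierLoop:
        return "loop"
    except Denied:
        return "denied"
```

In this model only the combination of 'want', a public ACL entry for the WebID document, and a Verifier that sends no certificate lets a valid client through; a key that is not listed in the WebID document is still rejected.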