- From: Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>
- Date: Sat, 2 Mar 2019 14:19:46 +0100
- To: public-webid@w3.org
- Message-ID: <ab8bf171-e2e6-e315-3ff8-b314f4075948@informatik.uni-leipzig.de>
Hi all,

I know that everybody is enthusiastic about WebID, but I would like to know a bit more about what to take care of when setting this up.

1. https://xkcd.com/792/ applies, right? So if I use another server for hosting the WebID, like http://holycrab13.github.io/webid.ttl, Microsoft could change the pub key in some requests (without changing the data) and then log into almost anything. Same for the WebID on my own server: http://kurzum.net/webid.ttl. If this gets compromised it is like a meteor hit, since you would have only one identity for everything.

2. This weakness is also mentioned in the security section of OpenID, https://en.wikipedia.org/wiki/OpenID#Privacy_and_trust_issues, and therefore all OpenID Connect weaknesses and security risks apply for WebID OpenConnect as well.

3. Anything else? I guess the TLS part is quite standard then. Although I would need to check whether third parties listening to the traffic can trace your public key (inverse functional?). So they would know that you made a connection, but not the content of the connection.

-- 
All the best,
Sebastian Hellmann

Director of Knowledge Integration and Linked Data Technologies (KILT) Competence Center at the Institute for Applied Informatics (InfAI) at Leipzig University
Executive Director of the DBpedia Association
Projects: http://dbpedia.org, http://nlp2rdf.org, http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
Homepage: http://aksw.org/SebastianHellmann
Research Group: http://aksw.org
Received on Saturday, 2 March 2019 13:20:18 UTC
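The key-swap concern in point 1 of the message above comes down to how the WebID-TLS binding check works: the verifier dereferences the WebID, reads the cert:modulus and cert:exponent the profile publishes, and accepts the client certificate only if its public key matches. The following is an added example, not code from the post or from any WebID implementation. It implements that check over two constructed Turtle profiles (sample keys and the example.org WebIDs are assumptions) and shows the consequence the post describes: whoever can rewrite the profile, at rest or in transit over plain http, can substitute their own key and pass the check.

```python
"""Added example (not from the list post or any WebID implementation):
the WebID-TLS binding check run against constructed profile documents."""
import re
from urllib.parse import urlparse

# Constructed sample keys as (modulus, exponent). Not real RSA keys: the
# binding check only compares the integers the profile publishes.
LEGIT_HEX = "A1B2C3D4E5F60718293A4B5C6D7E8F90"
ATTACKER_HEX = "0BADC0DE0BADC0DE0BADC0DE0BADC0DE"
LEGIT_KEY = (int(LEGIT_HEX, 16), 65537)
ATTACKER_KEY = (int(ATTACKER_HEX, 16), 65537)

# Constructed profile in the shape WebID-TLS expects (cert:key with
# cert:modulus / cert:exponent on the WebID subject).
LEGIT_PROFILE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<#me> a foaf:Person ;
    foaf:name "Constructed Example" ;
    cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "A1B2C3D4E5F60718293A4B5C6D7E8F90"^^xsd:hexBinary ;
        cert:exponent 65537
    ] .
"""
# What an attacker who controls the host, or a man in the middle on a
# plain-http fetch, would serve instead: same data, different key.
TAMPERED_PROFILE = LEGIT_PROFILE.replace(LEGIT_HEX, ATTACKER_HEX)

# Minimal extraction for this profile shape; a real verifier would use an
# RDF parser rather than regular expressions.
STATEMENT_SPLIT = re.compile(r"\s\.\s")          # Turtle statement terminator
SUBJECT = re.compile(r"^\s*(<[^>]*>)")
KEY_BLOCK = re.compile(r"cert:key\s*\[(.*?)\]", re.S)
MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"\^\^xsd:hexBinary')
EXPONENT = re.compile(r"cert:exponent\s+(\d+)")


def profile_keys(turtle, webid):
    """Set of (modulus, exponent) pairs the profile asserts for `webid`.

    The subject may be written relative to the document (<#me>) or in full.
    """
    fragment = urlparse(webid).fragment
    accepted = {f"<{webid}>", f"<#{fragment}>"}
    keys = set()
    for statement in STATEMENT_SPLIT.split(turtle):
        subject = SUBJECT.match(statement)
        if not subject or subject.group(1) not in accepted:
            continue
        for block in KEY_BLOCK.findall(statement):
            mod = MODULUS.search(block)
            exp = EXPONENT.search(block)
            if mod and exp:
                modulus = int(re.sub(r"\s", "", mod.group(1)), 16)
                keys.add((modulus, int(exp.group(1))))
    return keys


def verify_webid_tls(webid, profile_turtle, cert_key, require_https=True):
    """The WebID-TLS binding check: accept the client certificate only if
    its public key appears under the WebID in the dereferenced profile."""
    if require_https and urlparse(webid).scheme != "https":
        return False  # a profile fetched over plain http can be rewritten in transit
    return tuple(cert_key) in profile_keys(profile_turtle, webid)


def demo():
    """Outcomes for the scenarios in the post; example.org URLs are assumed."""
    https_id = "https://example.org/webid.ttl#me"
    http_id = "http://example.org/webid.ttl#me"
    return {
        "legit_profile_legit_key": verify_webid_tls(https_id, LEGIT_PROFILE, LEGIT_KEY),
        "legit_profile_attacker_key": verify_webid_tls(https_id, LEGIT_PROFILE, ATTACKER_KEY),
        # The profile is the root of trust: swap the key there and the
        # attacker's certificate passes with nothing else changed.
        "tampered_profile_attacker_key": verify_webid_tls(https_id, TAMPERED_PROFILE, ATTACKER_KEY),
        "http_profile_rejected": verify_webid_tls(http_id, LEGIT_PROFILE, LEGIT_KEY),
        "http_profile_if_allowed": verify_webid_tls(http_id, LEGIT_PROFILE, LEGIT_KEY,
                                                    require_https=False),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:32s} -> {'accepted' if accepted else 'rejected'}")
```

The check itself cannot tell a legitimate key from a substituted one; it only says whether the certificate agrees with whatever document the verifier received. That is why the scheme check matters: refusing profiles that were not fetched over https removes the in-transit rewrite, but it does nothing against a compromised host, which is the single point of failure the post calls a meteor hit.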