W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: WebID security picture

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 8 Apr 2011 13:45:59 +0200
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <BE818C19-D77F-4C3C-A041-A99790F0C0E7@bblfish.net>
To: Mo McRoberts <Mo.McRoberts@bbc.co.uk>

On 8 Apr 2011, at 12:44, Mo McRoberts wrote:
>> [snip]
>> yes, this creates a very strong technical and social problems that cannot be lightly overcome
>> People will loose public keys or their private keys, or viruses will steal them from their computer - until hardware keys are widely available. To make keys the central point of focus is going to take too much teaching people.

Too much time teaching them initially. Longer term I think it will be as easy as widely adopted as owning the keys of your car.

> I maybe have more faith that the problems could be overcome: it moves the security aspects to be in the hands of the agent who already has to look after the certificate keys (rather than implicitly trusting a third party), while still allowing the FOAF to be published anywhere at all; in other words, it reduces the surface-area of potential abuse.

If you publish the foaf "anywhere at all" you still are dependent on what that agent publishes about you there. If you have to sign those documents with your private key there then you are not going to be able to generate very dynamic web pages without placing the private key there too. 

If you want to reduce the surface of attack, the best would be for your foaf to be hosted on the same device you are connecting from. WebID does not exclude that possibility: in fact it is quite possible, especially if your computer is always on. 

We are trying to stay very open to all these possibilities by being as light weight as possible. We are just specifying the minimum to get going. This should allow many different implementations of webid to emerge and a network effect to get going. Being too restrictive early on for the sake of security, that people have trouble understanding is not going to enable adoption.


Social Web Architect
Received on Friday, 8 April 2011 11:51:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:43 UTC