WebID-ISSUE-24: Privacy issues from WebID URI dereferencing [WebID Spec]

http://www.w3.org/2005/Incubator/webid/track/issues/24

Raised by: Nathan Rixham
On product: WebID Spec

Part of the WebID protocol includes dereferencing a "WebID URI" specified by the identifying agent.

Whilst a measure of privacy and anonymity is provided by one half of the protocol (the TLS side), the act of dereferencing a "WebID URI" currently has authority/provenance issues (as outlined in ISSUE-23) and privacy issues.

Namely, privacy is not guaranteed: an intermediary (or a "webid/profile host") can detect a request from a server (say a bank, a private site, an adult site, a gambling site) to a user's WebID URI and thus know the user has attempted to identify on said site.

This may be something which the protocol needs to address (for instance, force TLS for dereferencing), or may be something that is best noted and addressed by specification text (note as a security consideration and give advice).

Received on Tuesday, 1 February 2011 11:27:23 UTC