- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 01 Feb 2011 13:56:19 -0500
- To: WebID XG <public-xg-webid@w3.org>
Forwarding something that was sent to me that should've been sent to the list.

-------- Original Message --------
Subject: Re: Documenting implicit assumptions?
Date: Tue, 1 Feb 2011 12:02:55 +0100
From: Dominique Guardiola <dguardiola@quinode.fr>
To: Manu Sporny <msporny@digitalbazaar.com>

My two cents, as a non-expert lurker

Launching quickly an alternative to OpenID is one task, solving the problems others failed to solve is another

For example:

>> privacy is not guaranteed (an intermediary, or a "webid/profile host",
>> can detect a request from a server (say a bank, a private site, an
>> adult site, a gambling site) to a user's webid URI and thus know the
>> user has attempted to login on said site.

What's the difference with the knowledge current OpenID providers have on your activity? This ultimately relies on the trust you put in your ID provider

>> the notion of public key holder owns to webid uri (on which the
>> protocol is currently predicated) is temporally weak, that is to say,
>> the public/private key holder is not proven to still own / have write
>> permissions to the webid resource.

Control of the profile page is also a vital point in openID: spammers gaining access to any google/yahoo account can use my openID to login everywhere on my behalf.

In fact, if classic login can be disabled on the profile hosting site, WebID can be more secure as it requires an access to one of your browser certificates to gain control on the profile page.

--
Dominique Guardiola • Tel : 04.27.86.84.37 • Mob : 06.15.13.22.27

Received on Tuesday, 1 February 2011 18:56:48 UTC