- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 1 Feb 2011 20:36:55 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: WebID XG <public-xg-webid@w3.org>
On 1 Feb 2011, at 19:56, Manu Sporny wrote:

> Forwarding something that was sent to me that should've been sent to the
> list.

Thanks. That fits as an answer to ISSUE-24: "Privacy issues from WebID URI dereferencing"

> -------- Original Message --------
> Subject: Re: Documenting implicit assumptions?
> Date: Tue, 1 Feb 2011 12:02:55 +0100
> From: Dominique Guardiola <dguardiola@quinode.fr>
> To: Manu Sporny <msporny@digitalbazaar.com>
>
> My two cents, as a non-expert lurker.
> Launching quickly an alternative to OpenID is one task,
> solving the problems others failed to solve is another.
>
> For example:
>
>>> privacy is not guaranteed (an intermediary, or a "webid/profile host",
>>> can detect a request from a server (say a bank, a private site, an
>>> adult site, a gambling site) to a user's webid URI and thus know the
>>> user has attempted to login on said site.
>
> What's the difference with the knowledge current OpenID providers have
> on your activity?
> This ultimately relies on the trust you put in your ID provider.
>
>>> the notion of public key holder owns to webid uri (on which the
>>> protocol is currently predicated) is temporally weak, that is to say,
>>> the public/private key holder is not proven to still own / have write
>>> permissions to the webid resource.
>
> Control of the profile page is also a vital point in openID: spammers
> gaining access to any google/yahoo account can use my openID to login
> everywhere on my behalf.
>
> In fact, if classic login can be disabled on the profile hosting site,
> WebID can be more secure as it requires an access to one of your
> browser certificates to gain control on the profile page.
>
> --
> Dominique Guardiola
> • Tel : 04.27.86.84.37
> • Mob : 06.15.13.22.27

Social Web Architect
http://bblfish.net/
Received on Tuesday, 1 February 2011 19:37:45 UTC