- From: Nathan <nathan@webr3.org>
- Date: Wed, 02 Feb 2011 01:27:19 +0000
- To: Manu Sporny <msporny@digitalbazaar.com>
- CC: WebID XG <public-xg-webid@w3.org>

Manu Sporny wrote:
>>> the notion of public key holder owns to webid uri (on which the
>>> protocol
>>> is currently predicated) is temporally weak, that is to say, the
>>> public/private key holder is not proven to still own / have write
>>> permissions to the webid resource.
>
> Control of the profile page is also a vital point in openID : spammers
> gaining access to any google/yahoo account can use my openID to login
> everywhere on my behalf.
>
> In fact, if classic login can be disabled on the profile hosting site,
> WebID can be more secure as it requires an access to one of your
> browser certificate to gain control on the profile page.

combined with (optional) SRP it'd be rather wonderful..

I always see WebID as a layered protocol, for instance the last thing I'd want is my bank authorizing access to my account via just WebID, it needs password / secret info transfer as well (thankfully encrypted over the wire thanks to tls)

Best,

Nathan

srp: http://en.wikipedia.org/wiki/Secure_remote_password_protocol

Received on Wednesday, 2 February 2011 01:28:13 UTC