- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 2 Feb 2011 10:50:33 +0100
- To: nathan@webr3.org
- Cc: Manu Sporny <msporny@digitalbazaar.com>, WebID XG <public-xg-webid@w3.org>
On 2 Feb 2011, at 02:27, Nathan wrote:

> Manu Sporny wrote:
>>>> the notion of public key holder owns to webid uri (on which the protocol
>>>> is currently predicated) is temporally weak, that is to say, the
>>>> public/private key holder is not proven to still own / have write
>>>> permissions to the webid resource.
>> Control of the profile page is also a vital point in openID : spammers
>> gaining access to any google/yahoo account can use my openID to login
>> everywhere on my behalf.
>> In fact, if classic login can be disabled on the profile hosting site,
>> WebID can be more secure as it requires an access to one of your
>> browser certificate to gain control on the profile page.
>
> combined with (optional) SRP it'd be rather wonderful.. I always see WebID as a layered protocol, for instance the last thing I'd want is my bank authorizing access to my account via just WebID, it needs password / secret info transfer as well (thankfully encrypted over the wire thanks to tls)

+1

>
> Best,
>
> Nathan
>
> srp: http://en.wikipedia.org/wiki/Secure_remote_password_protocol
>

Social Web Architect
http://bblfish.net/

Received on Wednesday, 2 February 2011 09:51:11 UTC