
changing WebIDs

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 2 Jan 2012 11:19:20 +0100
Message-Id: <462B2BB4-6671-4971-BB71-310EB7FFE2E8@bblfish.net>
To: "Kingsley (Uyi) Idehen" <kidehen@openlinksw.com>, "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>

On 31 Dec 2011, at 18:24, Kingsley Idehen wrote:

> On 12/30/11 7:21 PM, Mo McRoberts wrote:
>> On 30 Dec 2011, at 22:28, Peter Williams wrote:
>>> The foreseeable future is the caveat - and is fine (and traditional) in identity for content class resources
>> Ah, perhaps, but the semantics of “your WebID URI changing” haven't really been defined yet — if your key persists but your URI changes, what happens?
> The key is useless. The net effect is the same as your keystore computer (desktop, notebook, tablet, phone, USB crypto device) being stolen. A URI changing in a manner that breaks its relation with a Public Key is implicitly handled by the semantics of the WebID protocol.
> Peter gave an example a while back where he loses his Blog space URIs (since he doesn't control Blogspot or WordPress) but still needs to be able to access resources where his old Blog space (the IdP) URI remains the focus of ACL lists by those granting him access to resources (e.g., photos). In this case, he can present a Cert. that has his old URI and his new URI in the cert's SAN. The ACLs don't have to change, assuming the verifiers comprehend coreference claims.

That does not work according to the current spec. The current spec says that a claim is verified only if the verification procedure has been followed up on. If you have two web-ids and one of them verifies but the other old one no longer exists, then that would enable everyone to pretend to be owl:sameAs your old WebID if your site went down. 

For this to work you would need the confidence in your identity to be based in your knowledge of the private key above all. Ok, so if you move to knowledge of private key as being the long term determinant of your identity, then your problem will be how do you make a statement that you have lost control of it (apart from problems relating to ease of use that such a system brings with it). This should not require control of the WebID profile of course.

But I don't see this as such a problem at present. All consumer identity systems in existence today that I know of have this problem. Just think of 100s of millions of people on Facebook or G+. Your identity is currently built up via the domain on which it is hosted. So though a solution to this is nice to have, it is not even on most people's radar screen.

But that is just one aspect of how people trust you. The other part is the people who link to that identity. If those people start to unlink to your WebID then the value of that for many services will go down. So one can see that more serious services in the longer term could build up pictures of who someone is that, though initially it is based on a WebID, is also then supported by the social network. For example your hoster abandons his service, or your domain lapses, or in a future private key based DNS you lose your private key, then you could create a new profile somewhere saying you were the old Id, and if all your friends link to your new id, then that could be a good way for services to follow up. So I think this is again mostly in the trust authorisation step that we are not going into at this point so much, but that we will do as we get our social networks working.


Social Web Architect
Received on Monday, 2 January 2012 11:21:12 UTC
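
The per-claim verification rule discussed in the message above, as an added sketch that is not part of the original e-mail or of the WebID spec: each SAN URI counts only if its own profile can be fetched and lists the certificate's key, compared with a shortcut that treats every SAN as coreferent once one verifies. The URIs, toy keys, the `WEB` dict and all function names are constructed assumptions; a real verifier would dereference each URI over HTTP.

```python
# Constructed example: per-claim WebID verification vs. a naive coreference shortcut.
OLD = "https://old-blog.example/peter#me"      # profile no longer dereferences
NEW = "https://new-host.example/peter#me"
MALLORY = "https://mallory.example/card#me"
PETER_KEY = (0xC0FFEE, 65537)                  # (modulus, exponent), toy values
MALLORY_KEY = (0xBADF00D, 65537)

# Stand-in for the web: WebID URI -> public keys listed in that profile.
WEB = {NEW: {PETER_KEY}, MALLORY: {MALLORY_KEY}}

def fetch_profile_keys(uri):
    """Hypothetical fetcher; raises LookupError when the profile is gone."""
    return WEB[uri]

def verified_webids(san_uris, cert_key, fetch=fetch_profile_keys):
    """Strict rule: a SAN URI counts only if its own profile lists cert_key."""
    verified = set()
    for uri in san_uris:
        try:
            if cert_key in fetch(uri):
                verified.add(uri)
        except LookupError:
            pass  # unreachable profile: the claim stays unverified
    return verified

def naive_webids(san_uris, cert_key, fetch=fetch_profile_keys):
    """Shortcut: one verified SAN makes every SAN in the cert count as coreferent."""
    return set(san_uris) if verified_webids(san_uris, cert_key, fetch) else set()

def may_access(acl, identities):
    """ACL check: is any accepted identity named in the ACL?"""
    return bool(set(acl) & identities)

if __name__ == "__main__":
    acl = {OLD}  # photo ACL still names Peter's old WebID
    for who, sans, key in [("peter", [OLD, NEW], PETER_KEY),
                           ("mallory", [OLD, MALLORY], MALLORY_KEY)]:
        print(who, "strict:", may_access(acl, verified_webids(sans, key)),
              "naive:", may_access(acl, naive_webids(sans, key)))
```

Under the strict rule neither certificate satisfies an ACL that names only the old URI; under the shortcut both do, which is the impersonation risk the message describes.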
