Re: How To Handle WebIDs for (X)HTML based Claim Bearing Resources from Henry Story on 2012-01-03 (public-xg-webid@w3.org from January 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 4 Jan 2012 00:43:45 +0100
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: public-xg-webid@w3.org
Message-Id: <7F88A090-8A68-4916-81F2-AC4019D744ED@bblfish.net>

On 3 Jan 2012, at 23:08, Kingsley Idehen wrote:

> In response to Henry's comment:
> 
>  "yes. There is something there but it clearly needs to be fleshed out, as there are so many ways it can be done badly. For example say I loose my key, in at http://bblfish.net/ and remove it from there, but the thief of my private key goes and puts in onhttp://surpeticious.com/#me and signs the claim there. " .
> How is that different from losing any device that holds you key re. WebID? You fix the relation. 
There are new things to think about since you have introduced another way of verifying an identity.

> Remember, you are anticipating that the following happen in tandem:
> 
> 1. You lose control of a URI (booted out of some system)
> 2. You also lose your private key or a .p12 with your cert and key
> 3. Thief then imports .p12, masquerades as you. 
> 
> In the scenario above, your cost-benefit analysis will lead you to nuking the relations in your Idp space. 

You may know your IDP, but does a relying party? You are now allowing a signed statement of identity to be made anywhere on the web using your private key. Since you have lost your PersonalProfile page - and this is the case you wish to fix, which is why we are considering it - no Relying Party can access it. They therefore have to take at face value any WebId that claims to be you.

Or is it the thou think there should be well known Relying Parties that people trust above all? So that whenever I find a missing key I would go to virtuoso.org because it does a good job of caching keys? 

> Or making a new signed statement with your new key about equivalence. 
And where would that go?

> 	Remember, your Idp space should challenge you when making these claims. 

What is an IDP space? Google.com? Or any web site?

> Bottom line here, we either have a WebID exploit via owl:sameAs or powerful lock-down. I know we have powerful lock down when you leverage refification and WebID based verifications of claims made in idp space. Thus, it still ultimately boils down to a life cycle demo, one that will emerge from Peter's exploits or one I'll knock up myself in the very worst case. 
It is worth describing in precise detail what you wish to do using UML diagrams and precise stamens of what goes where before going to program it. We all need to look at owl reasoning and trust reasoning. It is an interesting field to explore. 

> 
> Yes, it needs to be fleshed out for broader clarity, which I guess is what Mo is seeking too. Thus, we have an action item along those lines re. effects of OWL reasoning, statement reification (which includes statement signing), and graph signing on the WebID verification protocol.
there is a lot to look into there.


Social Web Architect
http://bblfish.net/

Received on Tuesday, 3 January 2012 23:44:22 UTC