
Re: [foaf-dev] Re: RDFAuth: an initial sketch

From: Renato Golin <renato@ebi.ac.uk>
Date: Fri, 28 Mar 2008 12:52:15 +0000
Message-ID: <47ECE9FF.8010809@ebi.ac.uk>
To: bnowack@semsol.com
CC: Story Henry <henry.story@bblfish.net>, Semantic Web <semantic-web@w3.org>, foaf-dev of a Friend <foaf-dev@lists.foaf-project.org>

Benjamin Nowack wrote:
> Hmm, ok, but wouldn't users also have to upload a private key
> to my server? And my app would have to send the private key
> to the encryption service, which I guess isn't too cool either.

Hi Benjamin,

Absolutely not! That's not acceptable under any circumstances, 
especially when designing a (secure) authentication system... ;)

Your private key always remains on your machine because only you can 
start requests with your private key anyway. There are some key managers 
on KDE and Gnome and Thunderbird as well.

Because it's always you initiating the connection, you can encrypt the 
text and send only C(text) instead of requiring the server to generate it 
for you.

You could easily transport those keys (under even greater security) 
from one computer to the other, but I'd never recommend anyone to upload 
private keys anywhere, even if the server says "it's safe and encrypted".

cheers,
--renato
Received on Friday, 28 March 2008 12:52:52 UTC
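
The flow described in the message above, as an added example that is not part of the original e-mail or of the RDFAuth sketch: the client computes C(text) locally and the server checks it with the public key alone. Reading C(text) as an Ed25519 signature, the text layout, the 60-second freshness window and every name in the code are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// AuthRequest is all that crosses the wire; the private key has no field here.
type AuthRequest struct {
	Server string // service the text was written for (assumed field)
	Issued int64  // Unix seconds when the client produced the text
	Sig    []byte // C(text), computed on the client
}

// NewKey generates a key pair on the user's machine.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedText is the exact byte string both sides sign and verify.
func signedText(server string, issued int64) []byte {
	return []byte(fmt.Sprintf("auth\n%s\n%d", server, issued))
}

// ClientSign runs where the private key lives and returns only C(text).
func ClientSign(priv ed25519.PrivateKey, server string, now int64) AuthRequest {
	return AuthRequest{Server: server, Issued: now, Sig: ed25519.Sign(priv, signedText(server, now))}
}

// ServerVerify needs only the public key; wrong server, stale text and bad signatures fail.
func ServerVerify(pub ed25519.PublicKey, self string, now int64, r AuthRequest) bool {
	age := now - r.Issued
	if r.Server != self || age < 0 || age > 60 || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, signedText(r.Server, r.Issued), r.Sig)
}

func main() {
	pub, priv := NewKey()
	now := time.Now().Unix()
	req := ClientSign(priv, "example.org", now)
	fmt.Println(ServerVerify(pub, "example.org", now, req), ServerVerify(pub, "example.org", now+3600, req))
}
```

Because the client chooses the text itself, the server name and timestamp inside it are what stop a captured C(text) from being replayed later or against a different service.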
