
Re: Web ID as passwordless authentication for debian web services



Quoting Daniel Kahn Gillmor (2013-05-16 20:38:41)
> On 05/16/2013 01:57 PM, Russ Allbery wrote:
> > If you introduce Monkeysphere to do the URI endpoint verification, it 
> > seems to me like you could just as easily introduce Monkeysphere to 
> > do the user certificate verification directly, thus removing the 
> > need to introduce a third party metadata provider.
> 
> I agree with Russ' assessment here, though i could see a (tangential) 
> argument for treating that embedded URI as a source of (e.g.) 
> revocation or corroboration information in a more complex 
> authentication scheme, it falls back to two choices:
> 
>  0) you only rely on the URI, in which case you're back to 
> (effectively) relying on whatever subset of the CA cartel you decide 
> is trustworthy for this sort of thing, or
> 
>  1) you rely on mechanisms other than the URI, in which case it sounds 
> like it's not "pure" Web ID.

The term "WebID" is, according to the newest draft definition, only 
identification, not authentication: 
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html

WebID allows for several authentication protocols, only one of which - 
"WebID+TLS" in the recent draft - is well defined so far: 
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

The above URLs are from a WebID list thread directly reflecting the thread here: 
http://lists.w3.org/Archives/Public/public-webid/2013May/0030.html


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

