Re: Web ID as passwordless authentication for debian web services
Quoting Daniel Kahn Gillmor (2013-05-16 20:38:41)
> On 05/16/2013 01:57 PM, Russ Allbery wrote:
> > If introduce Monkeysphere to do the URI endpoint verification, it
> > seems to me like you could just as easily introduce Monkeysphere to
> > do the user certificate verification directly, thus removing the
> > need to introduce a third party metadata provider.
>
> I agree with Russ' assessment here, though i could see a (tangential)
> argument for treating that embedded URI as a source of (e.g.)
> revocation or corroboration information in a more complex
> authentication scheme, it falls back to two choices:
>
> 0) you only rely on the URI, in which case you're back to
> (effectively) relying on whatever subset of the CA cartel you decide
> is trustworthy for this sort of thing, or
>
> 1) you rely on mechanisms other than the URI, in which case it sounds
> like it's not "pure" Web ID.
The term "WebID" is, according to newest draft definition, only
identification, not authentication:
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
WebID allows for several authentification protocols, only one of which -
"WebID+TLS" in recent draft - being well defined so far:
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
Above URLs are from WebID list thread directly reflecting thread here:
http://lists.w3.org/Archives/Public/public-webid/2013May/0030.html
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Reply to: