On 05/16/2013 01:57 PM, Russ Allbery wrote:
> If introduce Monkeysphere to do the URI endpoint verification, it seems to
> me like you could just as easily introduce Monkeysphere to do the user
> certificate verification directly, thus removing the need to introduce a
> third party metadata provider.

I agree with Russ' assessment here, though I could see a (tangential) argument for treating that embedded URI as a source of (e.g.) revocation or corroboration information in a more complex authentication scheme, it falls back to two choices: 0) you only rely on the URI, in which case you're back to (effectively) relying on whatever subset of the CA cartel you decide is trustworthy for this sort of thing, or 1) you rely on mechanisms other than the URI, in which case it sounds like it's not "pure" Web ID.

--dkg