Quoting Daniel Kahn Gillmor (2013-05-16 20:38:41)
> On 05/16/2013 01:57 PM, Russ Allbery wrote:
> > If you introduce Monkeysphere to do the URI endpoint verification, it
> > seems to me like you could just as easily introduce Monkeysphere to
> > do the user certificate verification directly, thus removing the
> > need to introduce a third party metadata provider.
>
> I agree with Russ' assessment here, though i could see a (tangential)
> argument for treating that embedded URI as a source of (e.g.)
> revocation or corroboration information in a more complex
> authentication scheme, it falls back to two choices:
>
> 0) you only rely on the URI, in which case you're back to
> (effectively) relying on whatever subset of the CA cartel you decide
> is trustworthy for this sort of thing, or
>
> 1) you rely on mechanisms other than the URI, in which case it sounds
> like it's not "pure" Web ID.

The term "WebID" is, according to newest draft definition, only
identification, not authentication:

https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html

WebID allows for several authentication protocols, only one of which -
"WebID+TLS" in recent draft - being well defined so far:

https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

Above URLs are from WebID list thread directly reflecting thread here:

http://lists.w3.org/Archives/Public/public-webid/2013May/0030.html

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private