[foaf-protocols] local password - was WebID pre-alpha specification (uses RDFa)

Henry Story henry.story at gmail.com
Fri Jul 16 22:55:42 CEST 2010


On 16 Jul 2010, at 20:30, Bruno Harbulot wrote:

>> 
>> I don't quite grok the public terminal scenario and public key concern,
>> so you might need to clarify further. Worst case we get a nice problem
>> scenario use case etc..
>> 
>> You can have many pubkeys per WebID.
> 
> I'm talking of the problem of using a machine/browser that you haven't 
> used before and that isn't necessarily yours. For example, you use a 
> friend's computer to log on to some website.

More and more people will browse the web on their cell phones, if they don't
already do. Longer term the solution for people that need to use public 
terminals - which by default are insecure anyway - would be to give them USB crypto keys.

I don't have a feeling for how big the problem really is or if it is on the rise. Nor is it clear how problematic people will really find the WebId solution. Nor is it said that for those issues people could not use OpenId anyway: A WebID could by default come with an openid too.

Finally it is clear that WebID is more secure than OpenID, as far as authentication goes, due to:

  - the simplification of the protocol
  - no possible typing mistakes
  - no password being typed (for public terminals that is an issue) 

That is all both specs deal with. Trust is a different issue and neither OpenId nor WebId as we are specifying. WebId clearly makes it easier to specify trust in the web manner.

You have an idea of using public keys to sign documents to get more distributed security. That is not a problem really. We could create a special public key that people use to identify someone for signing purposes.

Henry

