[foaf-protocols] WebID distilled - was: PEM certificate- was cert:public_key

Dave Longley dlongley at digitalbazaar.com
Wed Oct 6 21:19:41 CEST 2010


On 10/06/2010 02:49 PM, Jiří Procházka wrote:
> Following today's #swig irc discussion about this [1], I would like to
> propose even more simplifying WebID - along with removing the
> requirement of RDF parsing, remove the requirement of content negotiation.
> How to achieve this?
>
> The most recent proposal was effectively to have the PEM file and the
> profile document share a URI.
> Instead of this I suggest adding not 1 but 2 additional pieces of
> information to the certificate:
> 1) the WebID profile document URI
> 2) a WebID certificate URI
>    

My only issue with this is that there needs to be a mechanism that 
ensures that the owner of #2 is also the owner of #1. Otherwise, you can 
specify a self-signed certificate with a PEM sitting at a URL that you 
own and a profile sitting at a URL that you don't. If the authenticating 
service identifies you according to that profile, then forgery would be 
quite easy.

-- 
Dave Longley
CTO
Digital Bazaar, Inc.
Phone: 540-961-4469
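The binding check the reply asks for, as an added example that is not part of the original thread and not WebID as specified: the certificate names a profile URI (#1) and a certificate URI (#2), and the authenticating service only accepts the identity if the document at #2 is byte-for-byte the certificate the client presented and the profile at #1 lists #2 as one of its certificates. The hosts, documents, the `fetch` stub and the line-based `key: value` profile syntax are all constructed assumptions chosen so the check needs no RDF parser; proof that the client holds the private key (the TLS client-auth handshake) is assumed to have happened already.

```python
"""Forgery check for a cert carrying both a profile URI and a cert URI.

Added example; all URIs, documents and the profile syntax are constructed.
"""
import hashlib

# Constructed documents standing in for what an HTTP GET of each URI would
# return. Alice publishes her own cert; Bob's profile lists only Bob's cert;
# Mallory hosts a self-signed cert and will try to claim Bob's profile.
PROFILES = {
    "https://alice.example/profile": (
        "webid: https://alice.example/profile#me\n"
        "cert: https://alice.example/cert.pem\n"
    ),
    "https://bob.example/profile": (
        "webid: https://bob.example/profile#me\n"
        "cert: https://bob.example/cert.pem\n"
    ),
}
CERTS = {
    "https://alice.example/cert.pem":
        b"-----BEGIN CERTIFICATE-----\nALICE-SELF-SIGNED\n-----END CERTIFICATE-----\n",
    "https://mallory.example/cert.pem":
        b"-----BEGIN CERTIFICATE-----\nMALLORY-SELF-SIGNED\n-----END CERTIFICATE-----\n",
}


def fetch(uri):
    """Hypothetical dereference: returns the document bytes or None."""
    if uri in PROFILES:
        return PROFILES[uri].encode()
    return CERTS.get(uri)


def parse_profile(text):
    """Parse 'key: value' lines into {key: [values]}; no RDF involved."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def fingerprint(pem):
    """SHA-256 over the PEM bytes, used to compare presented vs published cert."""
    return hashlib.sha256(pem).hexdigest()


def authenticate(presented_pem, profile_uri, cert_uri):
    """Return the WebID from the profile, or None if the binding fails.

    Step 1: the cert at cert_uri must be the cert the client presented, so the
            client cannot point at a cert it does not control.
    Step 2: the profile at profile_uri must list cert_uri, so the profile
            owner (and only they) vouches for that certificate. Without this
            step anyone could name someone else's profile in their own cert.
    """
    published = fetch(cert_uri)
    if published is None or fingerprint(published) != fingerprint(presented_pem):
        return None
    body = fetch(profile_uri)
    if body is None:
        return None
    profile = parse_profile(body.decode())
    if cert_uri not in profile.get("cert", []):
        return None
    ids = profile.get("webid", [])
    return ids[0] if ids else None


if __name__ == "__main__":
    alice = CERTS["https://alice.example/cert.pem"]
    mallory = CERTS["https://mallory.example/cert.pem"]
    # Honest case: Alice's cert names her own profile and her own cert URI.
    print(authenticate(alice, "https://alice.example/profile",
                       "https://alice.example/cert.pem"))
    # Forgery: Mallory's cert names Bob's profile; Bob's profile never lists
    # Mallory's cert URI, so step 2 rejects it.
    print(authenticate(mallory, "https://bob.example/profile",
                       "https://mallory.example/cert.pem"))
    # Forgery: Mallory presents her cert but names Alice's cert URI; the
    # published cert differs from the presented one, so step 1 rejects it.
    print(authenticate(mallory, "https://alice.example/profile",
                       "https://alice.example/cert.pem"))
```

Listing the certificate URI in the profile is one of several ways to express the binding; listing the certificate's fingerprint or, as WebID does, its public key would work the same way. What matters is that the assertion lives in the document at #1, which only its owner can edit, and not only in the certificate, which anyone can mint.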
