[Freedombox-discuss] Friendika

Henry Story henry.story at bblfish.net
Wed Jul 13 19:19:02 UTC 2011


On 13 Jul 2011, at 20:50, Boaz wrote:

>> You don't need to give your key on a slip of paper (you can if you want
>> of course), it's on your home page.
>> 
>> Hopefully your freedom box also hosts a web server too, preferably with https
> 
> Okay, so you have a home page, and on this home page is your key.  And
> you know the home page is authentic, because it uses https, which is
> protected using - using what now?  Oh, that's right, that same key.

If your web site had a self-signed certificate then you would be no further than if you used only http as far as security goes - which is what people have been doing in the past 15 years... I suppose you'd be better off then just with http in order to avoid client error messages. And if you have been happy with signing into sites using e-mail authentication then you are not going to be losing anything having an http WebID.

If you want your profile secured then it is currently easiest to use a CA to certify your Web Server. There are free CAs out there that work btw. (see the http://webid.info/ wiki) But we need to put pressure on Browsers to implement IETF DANE so that we no longer need to rely on that either.

In any case this problem is going to be a problem with all services: without https you won't know that you have reached the right server, be it your search engine, your identity provider, or others...

> This is all well and good, it just doesn't provide any protection
> against a MITM attack.  If you're okay with that, this is a fine
> arrangement.

The Relying party with WebID still uses TLS to get the client's certificate. CA-signed ones currently make for a better user experience with the browsers.

Henry

Social Web Architect
http://bblfish.net/
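
Added example, not part of the original message or of any project discussed in the thread: a sketch of how a client could check a server certificate against a DANE TLSA record (record format from RFC 6698), which is what would let a self-signed certificate be accepted without a CA. The function names, the `dnssec_validated` flag and the sample bytes are assumptions made for illustration; the DNS lookup and DNSSEC validation are assumed to happen elsewhere.

```python
import hashlib
import hmac

# TLSA fields per RFC 6698: usage, selector, matching type, association data.
USAGE_DANE_EE = 3                      # pin the server's own cert, no CA chain
SELECTOR_CERT, SELECTOR_SPKI = 0, 1    # whole certificate or public key only
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))  # hex may be split by whitespace
    return usage, selector, mtype, data


def tlsa_matches(rdata, cert_der, spki_der):
    """True if a DANE-EE record pins the certificate the server presented."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    selected = {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(selector)
    digest = {
        MATCH_FULL: lambda b: b,
        MATCH_SHA256: lambda b: hashlib.sha256(b).digest(),
        MATCH_SHA512: lambda b: hashlib.sha512(b).digest(),
    }.get(mtype)
    # Usages 0-2 need chain building and are out of scope for this sketch.
    if usage != USAGE_DANE_EE or selected is None or digest is None:
        return False
    return hmac.compare_digest(digest(selected), data)


def verify_server(tlsa_rrset, dnssec_validated, cert_der, spki_der):
    """Accept only if the RRset was DNSSEC-validated and some record matches."""
    if not dnssec_validated:
        return False  # unsigned TLSA data is as spoofable as the connection
    return any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset)


# Constructed stand-ins for the DER bytes of a self-signed cert and its key.
CERT = b"constructed-self-signed-cert-der"
SPKI = b"constructed-subject-public-key-info"
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]
```

With these constructed values, `verify_server(RRSET, True, CERT, SPKI)` accepts the server, while the same call with an unvalidated RRset or a different key is rejected.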