Re: Redirects continued -- was: Problem with certificate on home-grown WebID

On 21 Dec 2011, at 18:27, Mo McRoberts wrote:

> 
> On 21 Dec 2011, at 16:19, Henry Story wrote:
> 
>> Since we are looking for use cases for webids that redirect, let me ask you: why did you find
>> it important to have your webid redirect?
> 
> Off the top of my head, I can think of a few reasons why people would:
> 
> - because changing the WebID profile URI without being able to use redirects would involve re-issuing the WebID certificate
> 
> - because the WebID URI is used by other things and I don't want inconsistency between them (and the associated management headaches)
> 
> - because I use conneg and the particular implementation sends a 303 to point to the specific representation negotiated with the client (I actually hate this pattern, but, meh, there are fairly valid reasons to do it)
> 
> - because it's not clear from the spec what happens to my account on various sites when the WebID URI changes… (if the WebID URI is used by relying parties to identify me, and that URI changes in the certificate that I'm presenting, do I effectively become a new person?)
> 
> M.

Ok. Lots of good reasons for redirects then in ISSUE-64 :-) Now we should just look at security issues.

I remember Peter Williams bringing up infinite redirects, max number of redirects, ... But perhaps there are also other scenarios which evil characters can use to waylay people. 



> 
> -- 
> Mo McRoberts - Technical Lead - The Space,
> 0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
> Project Office: Room 7083, BBC Television Centre, London W12 7RJ

Social Web Architect
http://bblfish.net/

Received on Wednesday, 21 December 2011 17:47:04 UTC
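
The redirect concerns raised in this message (infinite redirects, a maximum number of redirects) can be handled on the relying-party side with a bounded redirect policy. The sketch below is an added example, not code from the thread or from any WebID implementation; `fetch`, `fake_fetch`, `ROUTES`, the `example.org` URLs and the cap of 5 are all assumptions made for illustration.

```python
from urllib.parse import urldefrag, urljoin

REDIRECT_CODES = {301, 302, 303, 307}
MAX_REDIRECTS = 5  # assumed cap; the thread does not settle on a number


class RedirectError(Exception):
    """The WebID profile fetch was abandoned for a redirect-policy reason."""


def resolve_profile(webid, fetch, max_redirects=MAX_REDIRECTS):
    """Return (final_url, chain) for a WebID URI, or raise RedirectError.

    fetch(url) -> (status, location) is a hypothetical transport hook so the
    policy can be run without network access.
    """
    url = urldefrag(webid).url  # the #fragment is never sent to the server
    chain, seen = [url], {url}
    while True:
        status, location = fetch(url)
        if status not in REDIRECT_CODES:
            if status != 200:
                raise RedirectError(f"status {status} at {url}")
            return url, chain
        if not location:
            raise RedirectError(f"redirect without Location at {url}")
        if len(chain) - 1 >= max_redirects:
            raise RedirectError(f"more than {max_redirects} redirects")
        url = urldefrag(urljoin(url, location)).url  # resolve relative Location
        if url in seen:
            raise RedirectError(f"redirect loop at {url}")
        seen.add(url)
        chain.append(url)


# Constructed sample data: a 303 to a negotiated representation, a two-node
# loop, and an endless /chain/N -> /chain/N+1 sequence.
ROUTES = {
    "https://example.org/id/alice": (303, "/profile/alice.ttl"),
    "https://example.org/profile/alice.ttl": (200, None),
    "https://example.org/loop/a": (302, "https://example.org/loop/b"),
    "https://example.org/loop/b": (302, "/loop/a"),
}


def fake_fetch(url):
    if url.startswith("https://example.org/chain/"):
        return 302, "/chain/%d" % (int(url.rsplit("/", 1)[1]) + 1)
    return ROUTES.get(url, (404, None))
```

Returning the full chain lets the caller log every hop, and the WebID in the certificate stays the identifier regardless of where the profile document was finally served from.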