xdi message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: questions about link contracts
- From: Markus Sabadello <markus.sabadello@xdi.org>
- To: OASIS - XDI TC <xdi@lists.oasis-open.org>
- Date: Wed, 19 May 2010 08:15:08 -0700
Hello XDI TC,
The following question came up on the Higgins developer list:
The idea of link contracts is that they can grant permissions to a list of individuals and organizations identified by XRIs.
Senders of XDI messages are authenticated by an XDI endpoint through a signature on the XDI message.
Correct so far?
The question that has come up is, what if a user is talking to their own XDI endpoint (i.e. the one their i-name's XRD points to).
In that case, could a user also provide their i-name password instead of a signature?
And would the XDI endpoint then grant the user unrestricted access to their own subject (actually, maybe even to the entire XDI graph), without there being a link contract in place?
Example:
User =web*markus wants to talk to his own XDI endpoint at:
https://xdi.freexri.com/=!91F2.8153.F600.AE24!84f5.bc25.b7de.afd5
Could =web*markus send the following message that would "circumvent" link contracts because the password is correct?
=web*markus
$is$a
=
$password
"secret"
$get <-- or $add, $mod, $del -->
/
=web*markus
+city
+country
I think these are important questions that are relevant to projects such as PDX.
thanks
Markus
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]