OASIS Mailing List Archives

xdi message
Subject: Re: [xdi] questions about link contracts


Hello Markus,

I don't know much about this architecture, but here is a simple thought.
To me the main question to ask is how the user agent (which is not the
user) is authenticated. When you say

"User =web*markus wants to talk to his own XDI endpoint at..."

you refer to a user agent acting on behalf of =web*markus (the user).
Now, how sure are you that the user agent is legitimate to act on behalf of
=web*markus? If you use a signature, then you have the same level of
security, but if you use a password you have a lower level, and some
out-of-band mechanism should ensure that the user agent is legitimate
to act as =web*markus.

Hope this makes sense in your context ;-)

Kind Regards,
Giovanni


Quoting "Markus Sabadello" <markus.sabadello@xdi.org>:

> Hello XDI TC,
>
> The following question came up on the Higgins developer list:
>
> The idea of link contracts is that they can grant permissions to a list of
> individuals and organizations identified by XRIs.
> Senders of XDI messages are authenticated by an XDI endpoint through a
> signature on the XDI message.
> Correct so far?
>
> The question that has come up is, what if a user is talking to their own XDI
> endpoint (i.e. the one their i-name's XRD points to)?
> In that case, could a user also provide their i-name password instead of a
> signature?
> And would the XDI endpoint then grant the user unrestricted access to their
> own subject (actually, maybe even to the entire XDI graph), without there
> being a link contract in place?
>
> Example:
>
> User =web*markus wants to talk to his own XDI endpoint at:
> https://xdi.freexri.com/=!91F2.8153.F600.AE24!84f5.bc25.b7de.afd5
>
> Could =web*markus send the following message that would "circumvent" link
> contracts because the password is correct?
>
> =web*markus
> 	$is$a
> 		=
> 	$password
> 		"secret"
> 	$get  <-- or $add, $mod, $del -->
> 		/
> 			=web*markus
> 				+city
> 				+country
>
>
> I think these are important questions that are relevant to projects such as
> PDX.
>
> thanks
> Markus
>



----------------------------------------------------------------
Invitation from the University:
Your future and that of scientific research need your help.
Donate your 5 x 1000 to the Universita' di Roma Tor Vergata
tax code: 80213750583 http://5x1000.uniroma2.it
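Added example (not part of the thread, and not the XDI specification's or any XDI implementation's processing rules). To make the distinction between the two questions concrete, the following Python sketches an endpoint that first authenticates a message, by signature or by i-name password, and only then consults link contracts, with a switch for the owner-bypass behaviour Markus asks about. Everything in it is an assumption made for illustration: the flat Message layout standing in for the indented XDI message, an HMAC key standing in for the owner's signing key, the PBKDF2-hashed password "secret", and the names LinkContract, authenticate, authorize and DEMO_SIGNING_KEY.

```python
"""Toy XDI-style endpoint: authenticate the sender, then check link contracts.

Added example; NOT the XDI specification's processing rules. The message
layout, the HMAC stand-in for an XDI signature and the sample credentials
are assumptions made for this demo.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

OWNER = "=web*markus"   # the endpoint's own subject, from the thread

# Constructed credentials. An HMAC key stands in for the owner's signing key;
# the i-name password "secret" (from the thread) is stored only as a salted hash.
DEMO_SIGNING_KEY = b"demo-signing-key-for-=web*markus"
_PW_SALT = b"demo-salt"
_PW_ITERS = 50_000
_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"secret", _PW_SALT, _PW_ITERS)


@dataclass(frozen=True)
class LinkContract:
    assignee: str            # XRI that is granted the permission
    subject: str             # XRI whose data the contract covers
    operations: frozenset    # e.g. frozenset({"$get"}) or frozenset({"$get", "$mod"})


@dataclass
class Message:
    sender: str
    operation: str                       # $get, $add, $mod or $del
    subject: str
    attributes: Tuple[str, ...]
    password: Optional[str] = None
    signature: Optional[bytes] = None

    def signing_input(self) -> bytes:
        """Canonical bytes the sender signs; covers every field that grants access."""
        return "|".join((self.sender, self.operation, self.subject, *self.attributes)).encode()


def sign(msg: Message, key: bytes) -> bytes:
    """Stand-in for an XDI message signature: a keyed MAC over the canonical form."""
    return hmac.new(key, msg.signing_input(), "sha256").digest()


def authenticate(msg: Message) -> Optional[str]:
    """Return the authentication level ('signature' or 'password') or None.

    A message that carries a signature is never downgraded to password checking:
    a bad signature is a failure, not a fall-through to the weaker credential.
    """
    if msg.sender != OWNER:              # this demo endpoint only holds its owner's credentials
        return None
    if msg.signature is not None:
        ok = hmac.compare_digest(sign(msg, DEMO_SIGNING_KEY), msg.signature)
        return "signature" if ok else None
    if msg.password is not None:
        digest = hashlib.pbkdf2_hmac("sha256", msg.password.encode(), _PW_SALT, _PW_ITERS)
        return "password" if hmac.compare_digest(digest, _PW_HASH) else None
    return None


def authorize(msg: Message, contracts, owner_password_bypass: bool = False) -> Tuple[bool, str]:
    """Decide the request. Authentication and authorization are separate steps."""
    level = authenticate(msg)
    if level is None:
        return False, "unauthenticated"
    if owner_password_bypass and msg.sender == OWNER:
        # The behaviour the thread asks about: the owner skips link contracts entirely.
        return True, f"owner authenticated by {level}; link contracts bypassed"
    for c in contracts:
        if c.assignee == msg.sender and c.subject == msg.subject and msg.operation in c.operations:
            return True, f"{level}; link contract grants {msg.operation} on {c.subject}"
    return False, f"{level}; no link contract grants {msg.operation} on {msg.subject}"


if __name__ == "__main__":
    # The message from the thread: =web*markus, password "secret", $get +city +country on himself.
    get_city = Message(OWNER, "$get", OWNER, ("+city", "+country"), password="secret")
    print(authorize(get_city, []))                                 # denied: no contract in place
    print(authorize(get_city, [], owner_password_bypass=True))     # granted: owner bypass policy
    contract = LinkContract(OWNER, OWNER, frozenset({"$get"}))
    print(authorize(get_city, [contract]))                         # granted by the link contract
    mod = Message(OWNER, "$mod", OWNER, ("+city",))
    mod.signature = sign(mod, DEMO_SIGNING_KEY)
    print(authorize(mod, [contract]))                              # signed, but $mod is not granted
```

With owner_password_bypass left at its default the password only establishes who is asking; what is allowed still comes from a link contract, so the "circumvent" message in the thread is refused until a contract grants $get on =web*markus. Setting the switch reproduces the alternative Markus describes, and the decision string records which credential was used, so a deployment that wants to treat a password-authenticated agent as lower assurance than a signed message can do so in policy rather than by inspecting the message again.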


