Subject: Re: [xdi] questions about link contracts
Hello Markus, I don't know so much about this architecture, however, a simple thought. To me the main question to ask is how the user agent (which is not the user) is authenticated. When you say "User =web*markus wants to talk to his own XDI endpoint at..." you refer to a user agent acting on behalf of =web*markus (the user). Now, how sure are you that the user agent is legitimate to act on behalf of =web*markus? If you use a signature, then you have the same level of security, but if you use a password you have a lower level, and some out-of-band mechanism should ensure that the user agent is legitimate to act as =web*markus. Hope this makes sense in your context ;-)

Kind Regards,
Giovanni

Quoting "Markus Sabadello" <markus.sabadello@xdi.org>:

> Hello XDI TC,
>
> The following question came up on the Higgins developer list:
>
> The idea of link contracts is that they can grant permissions to a list of
> individuals and organizations identified by XRIs.
> Senders of XDI messages are authenticated by an XDI endpoint through a
> signature on the XDI message.
> Correct so far?
>
> The question that has come up is, what if a user is talking to their own XDI
> endpoint (i.e. the one their i-name's XRD points to)?
> In that case, could a user also provide their i-name password instead of a
> signature?
> And would the XDI endpoint then grant the user unrestricted access to their
> own subject (actually, maybe even to the entire XDI graph), without there
> being a link contract in place?
>
> Example:
>
> User =web*markus wants to talk to his own XDI endpoint at:
> https://xdi.freexri.com/=!91F2.8153.F600.AE24!84f5.bc25.b7de.afd5
>
> Could =web*markus send the following message that would "circumvent" link
> contracts because the password is correct?
>
> =web*markus
> $is$a
> =
> $password
> "secret"
> $get <-- or $add, $mod, $del -->
> /
> =web*markus
> +city
> +country
>
> I think these are important questions that are relevant to projects such as
> PDX.
>
> thanks
> Markus
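The two authentication paths under discussion (a signature over the message versus the owner's password) and the link-contract check can be modelled side by side. The block below is an added example for this thread, not code from the XDI TC, Higgins or the XDI specification: the JSON message shape, the HMAC standing in for a real signature, the link-contract structure, the key table and the `allow_password_override` policy switch are all assumptions made for illustration. It shows the policy question as a concrete decision: a signed message from the owner is accepted without a link contract, a password-authenticated one is accepted only if the endpoint is explicitly configured to treat the password as sufficient, and every other sender is limited to what a link contract grants.

```python
"""Toy model of the authorization question in the thread: a message to an
endpoint is authenticated either by a signature or by the owner's password,
and permissions otherwise come from link contracts.  Hypothetical model,
not the XDI message format or the XDI TC's design."""
import hashlib
import hmac
import json

# --- Constructed sample data (assumptions, not from the thread) ---
OWNER = "=web*markus"                     # XRI of the graph owner
# HMAC keys stand in for real signing keys; a deployment would use
# asymmetric signatures so the endpoint never holds the signing key.
KEYS = {OWNER: b"markus-signing-key", "=web*giovanni": b"giovanni-signing-key"}
_SALT = b"constructed-salt"

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

OWNER_PASSWORD_HASH = _pw_hash("secret")   # the "secret" from the example message

# A link contract here grants one grantee XRI a set of operations on a set
# of subject XRIs.  This one lets =web*giovanni $get from =web*markus's subject.
LINK_CONTRACTS = [
    {"grantee": "=web*giovanni", "operations": {"$get"}, "subjects": {OWNER}},
]

def _canonical(body):
    """Deterministic serialization so sender and endpoint sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_message(body, key):
    """Build a signed message: the signature covers the whole body."""
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "auth": {"signature": sig}}

def password_message(body, password):
    """Build a message authenticated by the owner's password instead (the
    variant the question asks about)."""
    return {"body": body, "auth": {"password": password}}

def authenticate(msg):
    """Return how the sender XRI was established: 'signature', 'password',
    or None if the message does not prove it at all."""
    body, auth = msg["body"], msg["auth"]
    sender = body["sender"]
    if "signature" in auth:
        key = KEYS.get(sender)
        if key is None:
            return None
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        return "signature" if hmac.compare_digest(expected, auth["signature"]) else None
    if "password" in auth and sender == OWNER:
        ok = hmac.compare_digest(_pw_hash(auth["password"]), OWNER_PASSWORD_HASH)
        return "password" if ok else None
    return None

def authorize(msg, allow_password_override=False):
    """Decide whether the message may run.  Returns (allowed, reason).

    Policy modelled here (a choice, not something the thread settles):
      * owner, signature: full access to the owner's graph, no link contract needed
      * owner, password:  full access only if allow_password_override is set,
                          because a password proves less about the agent
      * anyone else:      only what a link contract grants
    """
    level = authenticate(msg)
    if level is None:
        return False, "unauthenticated"
    body = msg["body"]
    sender, op, subject = body["sender"], body["operation"], body["subject"]
    if sender == OWNER:
        if level == "signature" or allow_password_override:
            return True, f"owner access via {level}"
        return False, "password authentication insufficient to bypass link contracts"
    for lc in LINK_CONTRACTS:
        if lc["grantee"] == sender and op in lc["operations"] and subject in lc["subjects"]:
            return True, "granted by link contract"
    return False, "no link contract grants this"

if __name__ == "__main__":
    body = {"sender": OWNER, "operation": "$get", "subject": OWNER,
            "attributes": ["+city", "+country"]}
    print("signed:   ", authorize(sign_message(body, KEYS[OWNER])))
    print("password: ", authorize(password_message(body, "secret")))
    print("override: ", authorize(password_message(body, "secret"), allow_password_override=True))
    tampered = sign_message(body, KEYS[OWNER])
    tampered["body"] = dict(body, operation="$del")   # edited after signing
    print("tampered: ", authorize(tampered))
```

The tampered case is the practical difference between the two paths: because the signature covers the operation and subject, changing `$get` to `$del` after signing fails authentication, whereas a password in the message authenticates the sender but binds to nothing else in it. Whether the owner's password should unlock the whole graph is a deployment policy, which is why it is a switch here rather than a fixed rule.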