On 02/03/2007 Ara Pehlivanian <[EMAIL PROTECTED]> wrote:
So then that settles the issue of authentication. If a third party
consumer that reads the hCard wants to validate its authenticity, it
can simply use the key (if present). It could further match all linked
hCard keys to validate the chain's integrity. N'est pas?
Henrich C. Poehls wrote:
But then we still need to verify (get some trust) that the public-key
used to verify the digital signature actually belongs to the person we
assumed (e.g. a public-key certificate issued/signed by VeriSign). Only
then have we authenticated the hCard of that person via a digital signature.
How many people actually pay the VeriSign fee to have their key-pair
signed? Not anyone I know. And what does it give us that we don't
already have? If you're going to follow chains to hCards,
1.) anyone can copy the signature and insert it into an identical hCard
on another site, so you have to make sure that the authoritative URL is
somewhere in the hCard and marked as authoritative
2.) anyone can link to an hCard pretending to be the owner, so you have
to check the XFN links to "me"; therefore, users have to update and
re-sign their signature every time a resource (they want to be in the
chain) links to their "authoritative" hCard; e.g. blog posts, which they
authored
So we do a lot of extra work for not much benefit, except a false sense
of security because a big company is convinced that the person we think
we're looking at is (they think) the person they think we're looking at.
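
The copy problem in point 1.) above, as an added example that is not part of the original thread: a signature over an hCard verifies wherever the card is pasted unless the signed fields include an authoritative URL and the consumer compares it with the URL it fetched from. The dict representation, the "authoritative_url" field name and the toy textbook-RSA key are assumptions made for illustration, and the verifying key is assumed to be trusted out of band, which is the separate problem raised in the quoted reply.

```python
import hashlib
import json

# Toy textbook-RSA key from two known Mersenne primes. Constructed for this
# example and NOT secure; it only stands in for a real signature scheme.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(card):
    # Canonical form (sorted keys) so the same fields always hash the same.
    blob = json.dumps(card, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def sign(card):
    return pow(digest(card), D, N)

def verify(card, sig, fetched_from, pinned_key=(N, E)):
    """Return 'ok', 'bad-signature', 'no-authoritative-url' or 'copied'."""
    n, e = pinned_key  # assumed trusted out of band; not established here
    if pow(sig, e, n) != digest(card):
        return "bad-signature"
    auth = card.get("authoritative_url")  # hypothetical field name
    if auth is None:
        return "no-authoritative-url"  # valid signature, origin unknowable
    if auth != fetched_from:
        return "copied"  # valid signature, but served from another site
    return "ok"

# Constructed sample data.
HOME = "https://example.org/about"
MIRROR = "https://mirror.example.net/about"
CARD = {"fn": "Example Person", "authoritative_url": HOME}
BARE = {"fn": "Example Person"}  # same card without the URL binding

def demo():
    sig, bare_sig = sign(CARD), sign(BARE)
    return {
        "original": verify(CARD, sig, HOME),
        "pasted_on_mirror": verify(CARD, sig, MIRROR),
        "mirror_rewrites_url": verify(dict(CARD, authoritative_url=MIRROR), sig, MIRROR),
        "unbound_card_anywhere": verify(BARE, bare_sig, MIRROR),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```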