[uf-discuss] Authenticity of Authoritative hCard
Derrick Lyndon Pallas
derrick at pallas.us
Fri Feb 9 08:19:12 PST 2007
> On 02/03/2007 Ara Pehlivanian <ara.pehlivanian at gmail.com> wrote:
>
>> So then that settles the issue of authentication. If a third party
>> consumer that reads the hCard wants to validate its authenticity, it
>> can simply use the key (if present). It could further match all linked
>> hCard keys to validate the chain's integrity. N'est-ce pas?
>>
> Henrich C. Poehls wrote:
>
> But then we still need to verify (get some trust) that the public-key
> used to verify the digital signature actually belongs to the person we
> assumed (e.g. A public-key certificate issued/signed by VeriSign). Only
> then we have authenticated the hcard of that person via a digital signature.
>
How many people actually pay the VeriSign fee to have their key-pair
signed? Not anyone I know. And what does it give us that we don't
already have? If you're going to follow chains to hCards,

1.) anyone can copy the signature and insert it into an identical hCard
on another site, so you have to make sure that authoritative URL is
somewhere in the hCard and marked as authoritative

2.) anyone can link to an hCard pretending to be the owner, so you have
to check the XFN links to "me"; therefore, users have to update and
re-sign their signature every time a resource (they want to be in the
chain) links to their "authoritative" hCard; e.g. blog posts, which they
authored

So we do a lot of extra work for not much benefit, except a false sense
of security because a big company is convinced that the person we think
we're looking at is (they think) the person they think we're looking at.
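The two checks Derrick lists above, worked through in code as an added example that is not part of the thread or of any microformats tooling. It assumes a constructed hCard model (a "url" property marked authoritative, a published Ed25519 key, and the card's outbound XFN rel="me" links) and a canonical serialisation of those fields; none of that is specified by hCard or XFN. Because the authoritative URL and the rel="me" list are inside the signed bytes, a signature copied to a mirror site is valid but rejected for the wrong location, a copy with the URL rewritten fails the signature, and adding a back-link to a new blog post without re-signing breaks the card, which is exactly the re-sign burden the message describes:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// HCard models the handful of hCard properties these checks need. Treating one
// "url" property as authoritative and putting a key in the card are assumptions
// made for this example, not part of the hCard specification.
type HCard struct {
	FN      string
	AuthURL string            // URL the card declares as its authoritative location
	Key     ed25519.PublicKey // public key published in the card
	Me      []string          // XFN rel="me" links the card vouches for
}

// canonical serialises exactly the fields the signature covers. The
// authoritative URL and the sorted rel="me" list are inside the signed bytes
// on purpose: that is what makes a copied signature useless elsewhere and what
// forces a re-sign whenever the rel="me" list changes.
func canonical(c HCard) []byte {
	me := append([]string(nil), c.Me...)
	sort.Strings(me)
	var b bytes.Buffer
	fmt.Fprintf(&b, "fn=%q\nurl=%q\nkey=%x\n", c.FN, c.AuthURL, []byte(c.Key))
	for _, m := range me {
		fmt.Fprintf(&b, "me=%q\n", m)
	}
	return b.Bytes()
}

// SignedCard is a card together with the detached signature over canonical(card).
type SignedCard struct {
	Card HCard
	Sig  []byte
}

// Sign produces the signature the card owner would publish alongside the card.
func Sign(c HCard, priv ed25519.PrivateKey) SignedCard {
	return SignedCard{Card: c, Sig: ed25519.Sign(priv, canonical(c))}
}

// VerifyAt checks a signed card that was retrieved from servedFrom: the bytes
// must verify under the embedded key, and the card's own authoritative URL
// must be the place it was actually fetched from (check 1 in the message).
func VerifyAt(s SignedCard, servedFrom string) error {
	if !ed25519.Verify(s.Card.Key, canonical(s.Card), s.Sig) {
		return errors.New("signature does not verify: card was altered after signing")
	}
	if s.Card.AuthURL != servedFrom {
		return fmt.Errorf("signature valid, but card is authoritative at %s and was served from %s",
			s.Card.AuthURL, servedFrom)
	}
	return nil
}

// InChain reports whether resource, which claims the card's owner via a
// rel="me" link, is actually vouched for: the card must verify at its own URL
// and must link back to the resource (check 2 in the message).
func InChain(s SignedCard, resource string) error {
	if err := VerifyAt(s, s.Card.AuthURL); err != nil {
		return err
	}
	for _, m := range s.Card.Me {
		if m == resource {
			return nil
		}
	}
	return fmt.Errorf("%s claims the owner of %s, but the card does not link back", resource, s.Card.AuthURL)
}

// Demo runs the scenarios from the message on constructed data and returns
// which of them pass the checks.
func Demo() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data; the hosts are fictitious.
	alice := HCard{FN: "Alice Example", AuthURL: "https://alice.example/", Key: pub,
		Me: []string{"https://blog.example/alice"}}
	signed := Sign(alice, priv)
	res := map[string]bool{}
	res["original at its own url"] = VerifyAt(signed, "https://alice.example/") == nil
	// 1.) identical card and signature copied verbatim to another site
	res["copy on another site"] = VerifyAt(signed, "https://mirror.example/alice") == nil
	// same copy with the authoritative URL rewritten to the new site
	forged := signed
	forged.Card.AuthURL = "https://mirror.example/alice"
	res["copy with url rewritten"] = VerifyAt(forged, "https://mirror.example/alice") == nil
	// 2.) resources claiming Alice via rel="me"
	res["blog post in chain"] = InChain(signed, "https://blog.example/alice") == nil
	res["impostor post in chain"] = InChain(signed, "https://other.example/not-alice") == nil
	// a new back-link added to the card without re-signing
	stale := signed
	stale.Card.Me = []string{"https://blog.example/alice", "https://forum.example/alice"}
	res["new link, not re-signed"] = InChain(stale, "https://forum.example/alice") == nil
	res["new link, re-signed"] = InChain(Sign(stale.Card, priv), "https://forum.example/alice") == nil
	return res
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-26s %v\n", k, v)
	}
}
```

Note what the example does not do: it never establishes that the key in the card belongs to the named person, which is the gap Henrich raised; it only binds the card's content to its location and to the links its owner chose to sign.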