[uf-discuss] Authenticity of Authoritative hCard (was: Re: Vote on this: rel="me self" to indicate an authoritative hCard)

David Janes davidjanes at blogmatrix.com
Wed Jan 31 08:32:08 PST 2007

On 1/31/07, Scott Reynen <scott at randomchaos.com> wrote:
> On Jan 31, 2007, at 9:18 AM, David Janes wrote:
> > Open ID spells this out up front: authentication is not trust [1].
> Nonetheless, people are trying to build trust systems on top of Open ID:
> http://simonwillison.net/2007/Jan/22/whitelisting/
> This is another topic entirely, but it occurs to me that adding
> something like rel="trust" to the linked names in moderated comments
> would remove the need for a separate whitelist.
> Peace,
> Scott

Note that this just backs up the problem one step. I.e. we had

URI-A claims (via "rel me self") that URI-B is it's authoriative hCard

now we have (via a whitelist) additionally:

URI-C claims URI-A is who he says he is.

Whitelist additions to XFN may be an interested topic to explore!

It occurs to me that one form of hijacking can be prevented

URI-A: "ben-ward.co.uk": links to "ben-ward.co.uk/about"
URI-B: "ben-ward.co.uk/about". Ben's authorative hCard
URI-X: "BenWardSucks.com": links to "ben-ward.co.uk/about"

Now, if URI-B uses "url" to point back to URI-A, i.e. Ben's home page,
then we have validatation that URI-A is making a claim that URI-B is
agreeing with. On the other hand, URI-X is making an unsubstantiated


David Janes
Founder, BlogMatrix

More information about the microformats-discuss mailing list