WebID and unsigned profiles

I’ve been following WebID for a long time and have always had an issue with one aspect of the protocol that has always bothered me. Hopefully someone can allay my fears. The spec goes to great pains to make sure the private key never leaves the browser. This has caused tons of implementation headaches working with keygen, embedded flash, etc for solutions. I don’t have any problem with that part but then relies on the information published at profile document published in the altSubjName. But that document isn’t signed. So Alice publishes her profile at AcmeSuperHost and any admin at AcmeSuperHost can diddle around with my profile and no one has any idea. Why not just trust them to generate the keys as well. Sure I could move my profile to a new provider while keeping my keys but I was never concerned about the specific keys anyway, just the association between the key and my profile.

Would signing the profile document be that big of a deal? I don’t know why it isn’t done. I asked on the WebID users list years ago and only got a shrug.


So we’re going to change the way the web is done, taking on the big bad Google and Facebooks of the world with this big gaping security hole? I’d be more happy with a response that says, “You’re an idiot and here’s why” than nothing. This is the same thing that happened last time I brought this up.