Fedwiki Security

*This page is about Authentication __not__ security.*

Here are some early explorations on how to provide a better login experience for wiki farms, and for users developing mobile apps. The aim is to provide backward compatibility with Persona, while moving over to a better security model.

Fedwiki currently has a pull-only, one domain-one author philosophy which cuts down on spam. We use Mozilla Persona to authenticate users.

Issues

Here are a few of the issues with the current login and security model:

  • Persona has a habit of logging you out
  • Logging in wipes the Lineout
  • Persona sign in dialogues are ugly
  • Relying on Persona is brittle
  • You can't share authorship or give other people temporary access

Suggestions

This is work in progress, but a suggestion here is to use Capability URLs, and also separate authoring from viewing interfaces somewhat.

If you know the URL, you have the ability to write to that domain. If you are concerned that other people may have a copy of the URL, or you just want to renew or refresh your "password", you can revoke the old URL and be issued a new one.

These URLs are impossible to guess, and are not crawled. It should be possible to set up a domain that generates and manages these Capability URLs and enables Fedwiki users to use them to gain the ability to author their sites in a way that does not have the problems above.
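
The issue, revoke and reissue cycle described above, as an added example (not Fedwiki code). The `CapabilityStore` class, the `auth.example` host and the `/cap/` path are hypothetical names chosen for illustration.

```javascript
// Added example: capability URLs granting authoring rights on a wiki domain.
// CapabilityStore, auth.example and /cap/ are hypothetical names.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

class CapabilityStore {
  constructor(base = 'https://auth.example/cap/') {
    this.base = base;
    this.grants = new Map(); // sha256(token) -> { domain, revoked }
  }

  // Issue a new capability URL that grants authoring rights on `domain`.
  issue(domain) {
    // 32 bytes from the CSPRNG: 256 bits of entropy, URL-safe encoding.
    const token = crypto.randomBytes(32).toString('base64url');
    // Store only the hash, so a leaked store does not leak working URLs.
    this.grants.set(sha256(token), { domain, revoked: false });
    return this.base + token;
  }

  // Return the domain a URL may write to, or null if unknown or revoked.
  resolve(url) {
    if (typeof url !== 'string' || !url.startsWith(this.base)) return null;
    const grant = this.grants.get(sha256(url.slice(this.base.length)));
    return grant && !grant.revoked ? grant.domain : null;
  }

  // Revoke a URL; returns true only if it was a live capability.
  revoke(url) {
    if (this.resolve(url) === null) return false;
    this.grants.get(sha256(url.slice(this.base.length))).revoked = true;
    return true;
  }

  // Replace a possibly leaked URL: revoke it and issue a fresh one.
  rotate(url) {
    const domain = this.resolve(url);
    if (domain === null || !this.revoke(url)) return null;
    return this.issue(domain);
  }
}
```

Because the URL itself is the credential, the service that handles it should send `Referrer-Policy: no-referrer` and keep the token out of access logs.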

A Persona Hack?

Using Persona tools such as:

it should be possible to set up a web site which will automatically generate an updated Persona certificate for your sites - without the need for anything other than the knowledge of the URL.

Visiting this URL would then automatically renew your Persona certificate and redirect you to your site. You would bookmark this URL on your local machine in order to be able to visit it later. You could share it with other people you want to have access to your site.

A second Persona-based URL would enable revoking, or changing the durations of, the certificates that were issued via the first URL. This service could be developed in a way which is compatible with modern decentralised blockchain and IPFS technologies, allowing users to choose either this way or the web service to renew their certificates.

Using the existing Persona Login would still be available.

Below we list some links that are related to this line of enquiry:

Cap’n Proto is an insanely fast data interchange format and capability-based RPC system. Think JSON, except binary. Or think Protocol Buffers, except faster - capnproto.org