This repository has been archived by the owner on Aug 22, 2019. It is now read-only.

Assertion URL and issuer origin #496

Open
ghost opened this issue Feb 3, 2013 · 6 comments

Comments

@ghost

ghost commented Feb 3, 2013

I remember talking to Brian about this possible issue during the January workshop.

Currently, it is possible to have the issuer origin and assertion URL on different domains, which means that users can create a badge and host the assertion on their own web site while claiming that it was issued by some organization. Shouldn't assertion URLs always come from an issuer domain?

@threeqube
Contributor

I'm including @brianloveswords so he can clarify.

@stenington
Contributor

@ybozhko That's correct. While there's no way we can prevent people from hosting an assertion claiming to be from an issuer at another domain, we should probably be doing something about it when we see those badges hit the backpack.

@threeqube, another validation type thing to consider. This is the case of www.not-really-harvard.com hosting badges that have the issuer as www.harvard.edu or whatever. If the assertion isn't actually hosted on the issuer domain, you can't really trust the badge.

That said, BTWF hosts their badge assertions at a different URL from their main http://bornthiswayfoundation.org/ but listed that URL as the issuer domain, so a mismatch doesn't necessarily mean people are cheating.

@ghost
Author

ghost commented Feb 8, 2013

@stenington Hmmm... I see your point and agree, a mismatch might not necessarily be a bad thing or a sign of cheating. However, I think that it might be a good idea to show users where assertions are coming from somewhere in the backpack or badge display (which is not there at the moment).

@threeqube
Contributor

@stenington good point indeed.

@stenington
Contributor

@ybozhko Yep, I agree. I think we have a lot of work to do around badge validation and levels of trust. The backpack could be a good place to help visualize all of that sort of stuff.

@moodler-zz

Yes, this sort of thing is going to be very important if badges are to be taken seriously. I was a little surprised to see it was missing, actually.

It is just too easy to set up a domain that is confusingly similar to the one you want to fake badges for. If someone's using it for a CV or something then it only has to pass casual inspection.

One idea might be to ride on the back of the SSL certification process which is quite stringent. For example, if the URL for a badge is https://moodle.org you can actually verify our certificate there automatically, and display some sort of loud "Verified!" symbol in the Backpack with our organisation name and address.
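
Added example, not part of the thread and not the project's code: one way a backpack could compare the URL an assertion was fetched from with the issuer origin it claims, and report the relationship for display instead of rejecting on mismatch. It assumes the claimed issuer is found at `badge.issuer.origin` in the assertion; the function names and sample paths are hypothetical.

```javascript
// Added example. Assumes the claimed issuer sits at assertion.badge.issuer.origin;
// function names and sample paths are constructed for illustration.

// Parse an http(s) URL; anything else (bad syntax, other schemes) yields null.
function parseHttpUrl(value) {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u : null;
  } catch (e) {
    return null;
  }
}

// Compare where an assertion was fetched from with the issuer it names.
// The result is meant for display and review, not as an accept/reject decision.
function compareIssuerOrigin(assertionUrl, assertion) {
  const issuer = (assertion && assertion.badge && assertion.badge.issuer) || {};
  const hosted = parseHttpUrl(assertionUrl);
  const claimed = parseHttpUrl(issuer.origin);
  const result = {
    status: 'invalid',
    hostedAt: hosted ? hosted.origin : null,
    claimedIssuer: claimed ? claimed.origin : null,
  };
  if (!hosted || !claimed) return result;

  if (hosted.origin === claimed.origin) {
    result.status = 'same-origin';
  } else if (hosted.hostname === claimed.hostname) {
    result.status = 'same-host'; // scheme or port differs
  } else if (hosted.hostname.endsWith('.' + claimed.hostname)) {
    // Leading dot matters: "notexample.org" must not match "example.org".
    result.status = 'subdomain';
  } else {
    result.status = 'mismatch';
  }
  return result;
}

// Constructed sample using the host names from the thread.
const sample = compareIssuerOrigin(
  'http://www.not-really-harvard.com/badges/1.json',
  { badge: { issuer: { origin: 'https://www.harvard.edu' } } }
);
console.log(sample);
```

A `mismatch` here covers both the look-alike domain case and the legitimate separate-hosting case described above, which is why the function returns both origins for the interface to show.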
