W3C home > Mailing lists > Public > public-identity@w3.org > December 2011

Re: Major Milestone: WebID over WebSockets

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 22 Dec 2011 11:48:55 +0100
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <AFD67BB3-0E8F-456A-A934-21C168EBA4B4@bblfish.net>
To: Manu Sporny <msporny@digitalbazaar.com>, public-identity@w3.org

On 22 Dec 2011, at 11:37, Henry Story wrote:

> What I have initially had trouble understanding in Dave Longley's javascript implementation 
> of WebID is how the keys generated in one server and save in a local datastore
> get used from one server to another. That is never made clear  in any documentation I have
> seen.
> 
> In a conversation some time ago with one of the developers, I learnt that essentially until
> the browser supports javascript access to the local keystone there is a lot of jumping around
> using perhaps even OAuth in the background. So that means that the protocols in the
> background is in fact very complicated and probably very difficult to secure. Cryptography
> is notoriously tricky to get right, and javascript comes itself with a huge number of security
> issues.
> 
> But all is not lost
> 
> There is a group called the Web Crypto API that is being put in place
>  http://www.w3.org/wiki/IdentityCharter

Sorry the correct link is here now:
   http://www.w3.org/2011/11/webcryptography-charter.html
And they had/have their discussions on the public-identity@w3.org . They reduced their
aims from identity to cryptography and are in the final stages of building the charter.


> 
> And they are just developing their charter. If browsers support apis to have
> direct access to the crypto layer then of course those back end hacks won't be
> needed and furthermore it will be secure, in which case one could use javascript
> to do the WebID authentication perhaps to bring in web sites that don't have 
> TLS (hopefully a slowly diminishing number with DNSsec deployment)
> 
> At the same time I think we can look at this work as a way to do proofs of concepts
> to open a discussion with BrowserId which also needs such a web cryptography layer.
> 
> Is Dave participating in the Crypto API group? I think that would be very useful.
> 
> Henry
> 
> 
> On 10 May 2011, at 02:15, Manu Sporny wrote:
> 
>> Our CTO, Dave Longley, has been busy over the past week attempting to
>> get our pure JavaScript crypto/TLS library updated to remove the Flash
>> requirement from our WebID demos. He was successful.
>> 
>> Using a WebSockets-enabled browser, such as Google Chrome - go here and
>> create an account (accept the invalid, demo-only SSL certificate for now):
>> 
>> https://webid.digitalbazaar.com/manage/
>> 
>> Then go here:
>> 
>> https://payswarm.com/webid-demo/
>> 
>> Select "Digital Bazaar WebID" as the provider and then "Select
>> (WebSocket)". You will be logged in and the login works faster than the
>> Flash-based version of our WebID implementation.
>> 
>> Just to be clear - this is a complete, open-source implementation of
>> x509, TLS, and WebID using pure JavaScript and standards-based browser
>> technologies.
>> 
>> You can view the source for Forge (the JavaScript x509/TLS/WebSockets
>> library) here:
>> 
>> https://github.com/digitalbazaar/forge
>> 
>> You can view the source for the WebID demo here:
>> 
>> https://github.com/digitalbazaar/webid-demo
>> 
>> -- manu
>> 
>> -- 
>> Manu Sporny (skype: msporny, twitter: manusporny)
>> President/CEO - Digital Bazaar, Inc.
>> blog: PaySwarm Developer Tools and Demo Released
>> http://digitalbazaar.com/2011/05/05/payswarm-sandbox/
>> 
>> 
> 
> Social Web Architect
> http://bblfish.net/
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 22 December 2011 10:49:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 22 December 2011 10:49:36 GMT