Re: WebID proxy? from elf Pavlik on 2012-07-20 (public-webid@w3.org from July 2012)

From: elf Pavlik <perpetual-tripper@wwelves.org>
Date: Fri, 20 Jul 2012 17:37:46 +0000
To: Henry Story <henry.story@bblfish.net>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
Message-Id: <1342804028-sup-9593@heahdk.net>
Excerpts from Henry Story's message of 2012-07-20 16:15:14 +0000:
> 
> On 20 Jul 2012, at 18:06, elf Pavlik wrote:
> 
> > Excerpts from elf Pavlik's message of 2012-07-20 15:39:35 +0000:
> >> Excerpts from Melvin Carvalho's message of 2012-07-20 15:13:38 +0000:
> >>> On 20 July 2012 16:59, Henry Story <henry.story@bblfish.net> wrote:
> >>> 
> >>>> 
> >>>> On 20 Jul 2012, at 15:26, elf Pavlik wrote:
> >>>> 
> >>>>> Hello,
> >>>>> 
> >>>>> Hearing lately some discussions on delegation and proxies, I started
> >>>> thinking about proxy which would enable me to use WebID without need to
> >>>> have any private keys on client machine I may happen to use. One could use
> >>>> some other system - possibly pass phrase based - for authentication and
> >>>> than proxy would hold some secondary private key, which could also have
> >>>> more restricted permissions on chosen services.
> >>>>> 
> >>>>> I look here for more flexibility in case someone wants to use friends
> >>>> computer just to RSVP to an event or similar cases with rather low security
> >>>> requirements...
> >>>> 
> >>>> Use OpenId with one time passwords perhaps?
> >>>> 
> >>> 
> >>> Sure WebID can fall back to OpenID, BrowserID, SAML, username/password etc.
> >> I didn't mean 'fall back' to something other then WebID on a service provider side. Service could offer WebID only authentication and access control, while I would connect from a client machine without any client certificates through this 'WebID proxy' which could hold my 'client certs' and do WebID dances with service providers. I hope I express myself little more clearly this time :)
> > 
> > reading following replies i still don't feel certain that others have understand me:
> > 1. I want to access online service which ONLY accepts authenticating with WebID
> > 2. I want to use 'random' computer which DOESN'T HAVE any client certificates and I don't want to install any client certificates on it at any point
> > 
> > i think of accomplishing it by connecting over a 'proxy' which holds client certificates with private key matching public key published in my WebID profile and accepts for authentication some other password based method, lets say basic login/pass pair just for simplicity.
> 
> That is an interesting idea. It could be a real HTTP proxy and perhaps you could connect to it with a one time, time limited password. 2 problems:
>  - you would not be able to use it wherever systems were set up to force you to use a specific proxy ( e.g. companies ) - I don't think there is such a thing as proxy chaining protocol.
>  - the proxy would have to authenticate to all sites with https and probably the same id
>  - you could only use it to authenticate to WebID sites - openid and others have not been automatised
>  - you'd have to connect to the proxy over https
>  - setting up a browser proxy is not easy for most users
> 
> Otherwise a good idea, that could be useful in some situations.
glad that i've finally managed to push this thought over wire -- idea still on stage of brainstorming :)

thank you for your comments henry, at this moment i think not about using 'plain http proxy' one can configure in a browser, but possibly experimenting with some simple server app which could act as sort of 'gateway'? (maybe i used proxy term in confusing way?)

person could just visit https://mygateway.xmpl which already stores cert matching webid private key, authenticate with some 'i know' kind of challenge, and maybe get a secondary address bar similar to let's say: http://translate.google.com/translate?hl=en&sl=auto&tl=cy&u=http%3A%2F%2Fwebid.info%2F

this way it doesn't have most of problems you've raised but i guess it introduces other challenges... still i hope it could work without need for any magic tricks ;)

and once more it doesn't need to work perfectly, just for cases one wants to use one's WebID (sub?)identity without having private key available locally... such 'gateway' app could have features like storing all browsing history, while on 'i know' challenge login, for further review and require logging in with WebID in case one wants to clear those traces.

having such component could make easier later to depend on person using certain service having possibility to use WebID for ACL and other 'bundled goodies' ;) 

~ elf pavlik ~
Received on Friday, 20 July 2012 17:38:11 UTC