HTTPSig authentication

Hi,

I have been working on an authentication mechanism working purely at
the HTTP layer by building just very lightly on the IETF's “Signing HTTP Messages”
specification.

I gave a demonstration about it at last Wednesday’s Solid CG meeting, which
I recorded and put online.

https://twitter.com/bblfish/status/1666547828506742788
Today I presented the @ietf's upcoming HTTPSig protocol (@http_wg) at the @w3c Solid Community Group meeting. I illustrated it by running my #scala crawler on #BigData published as #LinkedData #EventStreams protected with #solidProject access control rules. This is about as…
 

The in-development spec, which I need to update, is here:
https://github.com/bblfish/authentication-panel/blob/sigUpdate/proposals/HttpSignature.md

HTTP Sig requires a KeyID URL (which is compatible with the WebID URL and
could be placed in the same document), e.g. as

<#me> 
    foaf:name "Alice";
    cert:key <#k1> .

<#k1> ….

I am currently trying to tie this in with the security ontology.

Compared to WebID-TLS:

+ It is much more flexible than client certificate negotiation, allowing
  each resource and mode to have its own rules and authentication proof.
- It is not built into the browser (but we can do the signing via an intermediary cache
  and I have some ideas on how to do that in the browser)

Henry

Received on Tuesday, 13 June 2023 09:00:33 UTC
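
An added example, not part of the original message or of the author's spec: it builds the signature base of the IETF "Signing HTTP Messages" specification with a URL as `keyid`, and shows the checks a server can apply before trusting that URL. The host, paths, key material, the `REQUIRED` policy and all function names are assumptions, and HMAC-SHA256 stands in for the public-key signature a key document would carry, so that the block runs with the standard library alone.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlsplit

# Constructed sample values (hypothetical host, paths and key material).
REQUEST = {"@method": "GET", "@target-uri": "https://alice.example/data/events"}
KEY_ID = "https://alice.example/card#k1"
# Stand-in for the key published at KEY_ID; HTTPSig proper would use a public key.
KEYS = {KEY_ID: b"constructed-demo-secret"}
REQUIRED = {"@method", "@target-uri"}  # assumed server policy, not from the post

def signature_params(components, created, keyid):
    inner = " ".join(f'"{c}"' for c in components)
    return f'({inner});created={created};keyid="{keyid}"'

def signature_base(request, components, params):
    # One line per covered component, then the parameters line, joined by LF.
    lines = [f'"{c}": {request[c]}' for c in components]
    return "\n".join(lines + [f'"@signature-params": {params}'])

def _mac(key, request, components, params):
    base = signature_base(request, components, params).encode()
    return hmac.new(key, base, hashlib.sha256).digest()

def sign(request, components, created, keyid, key):
    params = signature_params(components, created, keyid)
    sig = base64.b64encode(_mac(key, request, components, params)).decode()
    return {"Signature-Input": f"sig1={params}", "Signature": f"sig1=:{sig}:"}

def verify(request, headers, resolve_key):
    """Return the authenticated keyid URL, or None if any check fails."""
    m = re.fullmatch(r'sig1=(\(([^)]*)\);created=\d+;keyid="([^"]+)")',
                     headers.get("Signature-Input", ""))
    s = re.fullmatch(r"sig1=:([A-Za-z0-9+/=]+):", headers.get("Signature", ""))
    if not m or not s:
        return None
    params, inner, keyid = m.groups()
    url = urlsplit(keyid)
    if url.scheme != "https" or not url.netloc:
        return None  # do not dereference keyids that are not https URLs
    components = [c.strip('"') for c in inner.split()]
    if not REQUIRED <= set(components) or any(c not in request for c in components):
        return None  # signature must cover method and target of this request
    key = resolve_key(keyid)
    try:
        claimed = base64.b64decode(s.group(1), validate=True)
    except ValueError:
        return None
    if key is None or not hmac.compare_digest(_mac(key, request, components, params), claimed):
        return None
    return keyid
```

The returned `keyid` URL is what an access control rule would then be evaluated against; a deployed verifier would also bound the age of `created` to limit replay.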