
RE: WebIDauth - authentication service written in PHP.

From: peter williams <home_pw@msn.com>
Date: Sat, 9 Apr 2011 05:42:40 -0700
Message-ID: <SNT143-ds116968EC927E6D172B0A6592A60@phx.gbl>
To: "'WebID XG'" <public-xg-webid@w3.org>
Opera has/had a nice feature, that one could look at the client cert in
effect at a site. It *is* nice (compared to IE), because at least I can see
some context during webid trials. It *was* nice, because it's no longer that
relevant - given...

Let's say I go to google's home page site. (I've been using my own issued certs to
SSL MITM google's home page and openid/IDP service using my fiddlertool.com
proxy, and thus I've been inspecting their use of https and SSL
sessions/connections somewhat closely).

Being Google, the page loads lots of javascript, callbacks which make their
own https connections - to different endpoints (encrypted.google.com,
client.google.com,...). Thus, talking to the resource google.com with https
actually involves connection to several https endpoints. If I was doing
webid client authn, there would be n SSL connection statuses to show in the
browser, not just one (the one associated with the address bar).

We have to remember, https is hypermedia. This was part of its design, and
this design in https and nntps influenced SSL multiplexing and
session-resume features. If I, the page visitor, happen on a visit to
google.com to be prompted for a webid and I choose Wx, I may well get in the
resultant google page one or more https references to sites where I *already
have* an SSL session (with client authn already done, where I happened to
have chosen Wy, Wz webids, last week). My page context will have 2 or 3
webids. From 2 or 3, one rapidly gets to n, as more and more framing,
embedding and client-side rendering of data services delivering graphs then
happens.

What I Do NOT want to do is use the service of an intermediating
"tunneling/portalizing/framing" website, to make sense of all this. I don't
want that site to be creating a single view of the web, that imposes a
discipline that makes sense of it all. Why not!? (doesn't that seem
sensible?) Because that site then becomes a centralization and governance
point. One has started on the openid path, where one is creating another
google IDP having sold openid as being about a million autonomous IDPs in
wordpress sites (that don't work...). It's only a small step (given the
evidence) that what starts out as user-centric (openid) just ends up a
monolithic portal, that orchestrates, disciplines, and governs. That is just
a CA in drag.

Now, remember I don't object to CAs (they are working fine for 2 billion
users, in practice, and are actually minimally invasive, in reality). I'm
simply working in a project here that assumes that there is something
inherently unweb about CAs - an assumption which I take as an axiom, for
design purposes. And for me, that axiom includes any and all CAs, including
those in drag (giant IDPs). It's the controlling, governing, orchestrating
property of CAs/IDPs that folks object to - not that they happen to project
governance using linked data sets called X.509 cert chains.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Saturday, April 09, 2011 4:25 AM
To: WebID XG
Cc: Andrei Sambra
Subject: Re: WebIDauth - authentication service written in PHP.


On 9 Apr 2011, at 13:05, Henry Story wrote:

> 
> 2. I think foafssl.org should be somewhat different from what it is now,
> in particular it should have a login landing page to show people what they
> are logging in under, and if possible allow them logout. The problem with
> an immediate redirect is that people never see where they are logging into.
> As a result they may automatically be logged into all sites with the same
> id.

In fact this makes me think of a simple way we can get multiple logins with
the current browsers - broken because of their inability to make it easy to
see what certificate one is using on a page, and how to logout or change the
auth.
Received on Saturday, 9 April 2011 12:43:09 UTC