Re: Major Milestone: WebID over WebSockets

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 22 Dec 2011 11:37:16 +0100
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <13930C15-8732-46AE-9FFB-E8D930FCB35A@bblfish.net>
To: Manu Sporny <msporny@digitalbazaar.com>
What I have initially had trouble understanding in Dave Longley's JavaScript implementation
of WebID is how the keys generated in one server and saved in a local datastore
get used from one server to another. That is never made clear in any documentation I have
seen.

In a conversation some time ago with one of the developers, I learnt that essentially until
the browser supports JavaScript access to the local keystore there is a lot of jumping around
using perhaps even OAuth in the background. So that means that the protocols in the
background are in fact very complicated and probably very difficult to secure. Cryptography
is notoriously tricky to get right, and JavaScript comes itself with a huge number of security
issues.

But all is not lost

There is a group called the Web Crypto API that is being put in place
  http://www.w3.org/wiki/IdentityCharter

And they are just developing their charter. If browsers support APIs to have
direct access to the crypto layer then of course those back end hacks won't be
needed and furthermore it will be secure, in which case one could use JavaScript
to do the WebID authentication perhaps to bring in web sites that don't have
TLS (hopefully a slowly diminishing number with DNSSEC deployment).

At the same time I think we can look at this work as a way to do proofs of concept
to open a discussion with BrowserID which also needs such a web cryptography layer.

Is Dave participating in the Crypto API group? I think that would be very useful.

Henry


On 10 May 2011, at 02:15, Manu Sporny wrote:

> Our CTO, Dave Longley, has been busy over the past week attempting to
> get our pure JavaScript crypto/TLS library updated to remove the Flash
> requirement from our WebID demos. He was successful.
> 
> Using a WebSockets-enabled browser, such as Google Chrome - go here and
> create an account (accept the invalid, demo-only SSL certificate for now):
> 
> https://webid.digitalbazaar.com/manage/
> 
> Then go here:
> 
> https://payswarm.com/webid-demo/
> 
> Select "Digital Bazaar WebID" as the provider and then "Select
> (WebSocket)". You will be logged in and the login works faster than the
> Flash-based version of our WebID implementation.
> 
> Just to be clear - this is a complete, open-source implementation of
> x509, TLS, and WebID using pure JavaScript and standards-based browser
> technologies.
> 
> You can view the source for Forge (the JavaScript x509/TLS/WebSockets
> library) here:
> 
> https://github.com/digitalbazaar/forge
> 
> You can view the source for the WebID demo here:
> 
> https://github.com/digitalbazaar/webid-demo
> 
> -- manu
> 
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: PaySwarm Developer Tools and Demo Released
> http://digitalbazaar.com/2011/05/05/payswarm-sandbox/
> 
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 22 December 2011 10:37:51 GMT
