- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 22 Dec 2011 11:48:55 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>, public-identity@w3.org
- Cc: WebID XG <public-xg-webid@w3.org>
On 22 Dec 2011, at 11:37, Henry Story wrote: > What I have initially had trouble understanding in Dave Longley's javascript implementation > of WebID is how the keys generated in one server and save in a local datastore > get used from one server to another. That is never made clear in any documentation I have > seen. > > In a conversation some time ago with one of the developers, I learnt that essentially until > the browser supports javascript access to the local keystone there is a lot of jumping around > using perhaps even OAuth in the background. So that means that the protocols in the > background is in fact very complicated and probably very difficult to secure. Cryptography > is notoriously tricky to get right, and javascript comes itself with a huge number of security > issues. > > But all is not lost > > There is a group called the Web Crypto API that is being put in place > http://www.w3.org/wiki/IdentityCharter Sorry the correct link is here now: http://www.w3.org/2011/11/webcryptography-charter.html And they had/have their discussions on the public-identity@w3.org . They reduced their aims from identity to cryptography and are in the final stages of building the charter. > > And they are just developing their charter. If browsers support apis to have > direct access to the crypto layer then of course those back end hacks won't be > needed and furthermore it will be secure, in which case one could use javascript > to do the WebID authentication perhaps to bring in web sites that don't have > TLS (hopefully a slowly diminishing number with DNSsec deployment) > > At the same time I think we can look at this work as a way to do proofs of concepts > to open a discussion with BrowserId which also needs such a web cryptography layer. > > Is Dave participating in the Crypto API group? I think that would be very useful. > > Henry > > > On 10 May 2011, at 02:15, Manu Sporny wrote: > >> Our CTO, Dave Longley, has been busy over the past week attempting to >> get our pure JavaScript crypto/TLS library updated to remove the Flash >> requirement from our WebID demos. He was successful. >> >> Using a WebSockets-enabled browser, such as Google Chrome - go here and >> create an account (accept the invalid, demo-only SSL certificate for now): >> >> https://webid.digitalbazaar.com/manage/ >> >> Then go here: >> >> https://payswarm.com/webid-demo/ >> >> Select "Digital Bazaar WebID" as the provider and then "Select >> (WebSocket)". You will be logged in and the login works faster than the >> Flash-based version of our WebID implementation. >> >> Just to be clear - this is a complete, open-source implementation of >> x509, TLS, and WebID using pure JavaScript and standards-based browser >> technologies. >> >> You can view the source for Forge (the JavaScript x509/TLS/WebSockets >> library) here: >> >> https://github.com/digitalbazaar/forge >> >> You can view the source for the WebID demo here: >> >> https://github.com/digitalbazaar/webid-demo >> >> -- manu >> >> -- >> Manu Sporny (skype: msporny, twitter: manusporny) >> President/CEO - Digital Bazaar, Inc. >> blog: PaySwarm Developer Tools and Demo Released >> http://digitalbazaar.com/2011/05/05/payswarm-sandbox/ >> >> > > Social Web Architect > http://bblfish.net/ > Social Web Architect http://bblfish.net/
Received on Thursday, 22 December 2011 10:49:36 UTC