W3C home > Mailing lists > Public > public-rww@w3.org > June 2014

Re: Proof of Concept: Identity Credentials Login

From: cr <_@whats-your.name>
Date: Tue, 10 Jun 2014 18:38:26 +0000
To: public-rww@w3.org
Message-ID: <20140610183553.GA617@p.clearwire-wmx.net>
> http://manu.sporny.org/2014/credential-based-login/
> email address as your login ID, which is a proven approach to login on the Web

 depends on two (non-web) protocols email and Telehash. (elaboration on what needs to be added to where on browsers/webservers to eliminate the "stop-gap" usage of Telehash? is email stop-gap too?)

> Make sure that setting up your own credential-based identity provider is as simple as dropping a PHP file into your website

following a postfix tutorial isn't too hard, but all the DKIM/DMARC/RBL/SPF magic to be sure your mails are being delivered is nontrivial. what is the use of a verified email? a private channel to message the user? a whole generation has now grown up messaging eachother right on websites and in IM apps. sites wanted email addresses to spam with marketing + reminder/notification lures, and it provided semi-secure channel to email reset passwords to. 

dropbox/inbox/"incoming" on POSIX: chmod a directory writable but not listable. ACLs on a LDP container to POST to, readable only buy a specific foaf:agent, identified all by HTTP URIs, can subsume remaining email usage. 

> WebID puts too much of a burden onto websites adopting the technology

adding webID login that "works for me" took an hour maybe, reading the docs + ldphp/rww-play/gold's relevant source: http://src.whats-your.name/ww/ruby/WebID.rb.html 

x509 is already baked into clients and HTTPS-capable servers
1 fetch cert from request-environment, parse it with openSSL lib
2 lookup subjectAltName field (HTTP URI identifying user)
3 GET this URI, read the modulus value from pointed-to key, ensure it matches the one from the SSL session

now you can be reasonably sure only the user possessing the private-key could get the SSL layer to come up with the same modulus. and the user's URI might even point to their (web)-inbox too


and bonus everything's defined in terms of HTTP URIs and no depending on orthogonal non-web systems to be working, ie email + telehash. this is arguably as simple as it gets. obviously you may want multi-factor auth for added security in case of lost-phone facilitated private-key theft.. such as text-passwords or proven posession of an email box. but the base-case should be defined as much in terms of the web and the other options such as email an extension rather than prerequisite

passwords, most paranoid sysadmins won't let you login with password. they ask you to put up your ssh public-key somewhere (the web is fine for this) so they can authorize it. there is even a startup focused on becoming a sort of canonical URI-provider for this. https://keybase.io/ . git/sourcecode websites ask you to upload your SSH key to be auth'd to push. you can even use the same key for both webID and SSH:


part of it is the writing-style, can't tell if email and passwords are a requirement or stop-gap measure, but identus+loginhub just asked for both straight off


WebID is so simple, there is not much to do in making it simpler.
Received on Tuesday, 10 June 2014 18:38:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:10:46 UTC