- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Tue, 10 Jun 2014 15:32:24 -0400
- To: public-rww@w3.org
- Message-ID: <53975D48.7040208@openlinksw.com>
On 6/10/14 2:38 PM, cr wrote:
>> http://manu.sporny.org/2014/credential-based-login/
>>
>> email address as your login ID, which is a proven approach to login on the Web
>
> depends on two (non-web) protocols, email and Telehash. (elaboration on what needs to be added to where on browsers/webservers to eliminate the "stop-gap" usage of Telehash? is email stop-gap too?)
>
>> Make sure that setting up your own credential-based identity provider is as simple as dropping a PHP file into your website
>
> following a postfix tutorial isn't too hard, but all the DKIM/DMARC/RBL/SPF magic to be sure your mails are being delivered is nontrivial. what is the use of a verified email? a private channel to message the user? a whole generation has now grown up messaging each other right on websites and in IM apps. sites wanted email addresses to spam with marketing + reminder/notification lures, and it provided a semi-secure channel to email reset passwords to.
>
> dropbox/inbox/"incoming" on POSIX: chmod a directory writable but not listable. ACLs on a LDP container to POST to, readable only by a specific foaf:agent, identified all by HTTP URIs, can subsume remaining email usage.
>
>> WebID puts too much of a burden onto websites adopting the technology
>
> adding webID login that "works for me" took an hour maybe, reading the docs + ldphp/rww-play/gold's relevant source: http://src.whats-your.name/ww/ruby/WebID.rb.html
>
> x509 is already baked into clients and HTTPS-capable servers
> 1 fetch cert from request-environment, parse it with openSSL lib
> 2 lookup subjectAltName field (HTTP URI identifying user)
> 3 GET this URI, read the modulus value from pointed-to key, ensure it matches the one from the SSL session
>
> now you can be reasonably sure only the user possessing the private-key could get the SSL layer to come up with the same modulus. and the user's URI might even point to their (web)-inbox too
>
> http://www.w3.org/wiki/SemanticInbox
>
> and bonus everything's defined in terms of HTTP URIs and no depending on orthogonal non-web systems to be working, i.e. email + telehash. this is arguably as simple as it gets. obviously you may want multi-factor auth for added security in case of lost-phone facilitated private-key theft.. such as text-passwords or proven possession of an email box. but the base-case should be defined as much in terms of the web and the other options such as email an extension rather than prerequisite
>
> passwords, most paranoid sysadmins won't let you login with password. they ask you to put up your ssh public-key somewhere (the web is fine for this) so they can authorize it. there is even a startup focused on becoming a sort of canonical URI-provider for this. https://keybase.io/ . git/sourcecode websites ask you to upload your SSH key to be auth'd to push. you can even use the same key for both webID and SSH:
>
> https://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/
>
> part of it is the writing-style, can't tell if email and passwords are a requirement or stop-gap measure, but identus+loginhub just asked for both straight off
>
> https://github.com/WardCunningham/Smallest-Federated-Wiki/issues/415#issuecomment-45437747
>
> WebID is so simple, there is not much to do in making it simpler.

+1000

--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 10 June 2014 19:32:46 UTC
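The three WebID-TLS steps cr lists in the quoted message (read the client certificate the TLS layer handed over, take the HTTP URI from subjectAltName, GET that URI and compare the published RSA key with the session key), written out as an added example in Ruby's standard `openssl` library. This is not cr's WebID.rb and not code from any of the projects mentioned; the WebID URI, key pairs, client certificate and Turtle profile document are all constructed here, the `SSL_CLIENT_CERT` variable name is assumed from mod_ssl, and the HTTP GET is replaced by an in-memory lookup so the whole thing runs offline. It also runs the negative case the message implies: a second key presenting a certificate that names the same WebID is refused because the profile publishes a different modulus.

```ruby
require 'openssl'

# Added example, not cr's WebID.rb and not any project's code: the three
# WebID-TLS steps from the message, run offline. WebID URI, keys, certificate
# and profile document are constructed; a hash lookup stands in for HTTP GET.

WEBID_URI = 'https://example.com/alice#me' # hypothetical WebID

# Constructed fixture: a self-signed client certificate carrying the WebID
# as a URI subjectAltName, as a WebID-TLS client would present it.
def build_client_cert(key, webid_uri)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Alice (WebID)')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "URI:#{webid_uri}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed fixture: the profile document the WebID dereferences to, using
# the cert: vocabulary (modulus as hexBinary, exponent as an integer).
def constructed_profile(webid_uri, key)
  <<~TTL
    @prefix cert: <http://www.w3.org/ns/auth/cert#> .
    @prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
    <#{webid_uri}> cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "#{key.n.to_s(16).downcase}"^^xsd:hexBinary ;
        cert:exponent #{key.e.to_i}
    ] .
  TTL
end

# Step 1: TLS already proved the client holds the private key; the server
# just parses the PEM it exported (SSL_CLIENT_CERT is assumed, mod_ssl style).
def parse_client_cert(env)
  pem = env['SSL_CLIENT_CERT']
  pem && OpenSSL::X509::Certificate.new(pem)
end

# Step 2: every URI: entry in subjectAltName is a candidate WebID.
def webid_uris(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  san.value.split(',').map(&:strip)
     .select { |v| v.start_with?('URI:') }
     .map { |v| v.delete_prefix('URI:') }
end

# Step 3a: pull (modulus, exponent) pairs from the profile. A regex over the
# constructed Turtle is enough here; a real server would use an RDF parser.
def profile_keys(turtle)
  turtle.scan(/cert:modulus\s+"([0-9a-fA-F]+)"\^\^xsd:hexBinary\s*;\s*cert:exponent\s+(\d+)/)
        .map { |mod_hex, exp| [mod_hex.downcase.sub(/\A0+/, ''), exp.to_i] }
end

# Step 3b: GET each candidate WebID and accept the first whose published key
# equals the session key. Modulus and exponent are both compared; nothing
# else in the cert (subject, issuer, expiry) carries trust, the profile does.
def authenticate(cert, fetch)
  key = cert.public_key
  return nil unless key.is_a?(OpenSSL::PKey::RSA)
  session_key = [key.n.to_s(16).downcase.sub(/\A0+/, ''), key.e.to_i]
  webid_uris(cert).find do |uri|
    doc = fetch.call(uri)
    doc && profile_keys(doc).include?(session_key)
  end
end

# Runs the flow for the legitimate key and for a second key whose certificate
# names the same WebID; only the first is logged in.
def demo
  alice_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  profiles = { WEBID_URI => constructed_profile(WEBID_URI, alice_key) }
  fetch = ->(uri) { profiles[uri] } # stand-in for an HTTPS GET of the WebID
  [alice_key, other_key].map do |k|
    env = { 'SSL_CLIENT_CERT' => build_client_cert(k, WEBID_URI).to_pem }
    authenticate(parse_client_cert(env), fetch)
  end # => ["https://example.com/alice#me", nil]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The trust decision rests entirely on step 3: the certificate is self-signed and carries no CA trust, so the only thing that binds the TLS session to the WebID is that the document served at that URI lists the same modulus and exponent. In deployment the profile must therefore be fetched over HTTPS from the URI in the certificate, not from a cache keyed by the user's claimed name.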