- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 21 Jul 2012 09:37:26 +0200
- To: Sebastian Trueg <trueg@openlinksw.com>
- Cc: public-webid@w3.org
- Message-ID: <CAKaEYhJk3RKLhu+rWjyY3Ty4uB5eg4jXt3D=X-py9hGiLi9rdw@mail.gmail.com>
On 21 July 2012 09:32, Sebastian Trueg <trueg@openlinksw.com> wrote:
> On 07/20/2012 07:37 PM, elf Pavlik wrote:
>> Excerpts from Henry Story's message of 2012-07-20 16:15:14 +0000:
>>> On 20 Jul 2012, at 18:06, elf Pavlik wrote:
>>>> Excerpts from elf Pavlik's message of 2012-07-20 15:39:35 +0000:
>>>>> Excerpts from Melvin Carvalho's message of 2012-07-20 15:13:38 +0000:
>>>>>> On 20 July 2012 16:59, Henry Story <henry.story@bblfish.net> wrote:
>>>>>>> On 20 Jul 2012, at 15:26, elf Pavlik wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Hearing lately some discussions on delegation and proxies, I started thinking about a proxy which would enable me to use WebID without the need to have any private keys on the client machine I may happen to use. One could use some other system - possibly pass phrase based - for authentication, and then the proxy would hold some secondary private key, which could also have more restricted permissions on chosen services.
>>>>>>>>
>>>>>>>> I look here for more flexibility in case someone wants to use a friend's computer just to RSVP to an event or similar cases with rather low security requirements...
>>>>>>>
>>>>>>> Use OpenId with one time passwords perhaps?
>>>>>>
>>>>>> Sure WebID can fall back to OpenID, BrowserID, SAML, username/password etc.
>>>>>
>>>>> I didn't mean 'fall back' to something other than WebID on the service provider side. The service could offer WebID-only authentication and access control, while I would connect from a client machine without any client certificates through this 'WebID proxy' which could hold my 'client certs' and do WebID dances with service providers. I hope I express myself a little more clearly this time :)
>>>>
>>>> reading the following replies i still don't feel certain that others have understood me:
>>>> 1. I want to access an online service which ONLY accepts authenticating with WebID
>>>> 2. I want to use a 'random' computer which DOESN'T HAVE any client certificates and I don't want to install any client certificates on it at any point
>>>>
>>>> i think of accomplishing it by connecting over a 'proxy' which holds client certificates with the private key matching the public key published in my WebID profile and accepts for authentication some other password based method, let's say a basic login/pass pair just for simplicity.
>>>
>>> That is an interesting idea. It could be a real HTTP proxy and perhaps you could connect to it with a one time, time limited password. 2 problems:
>>> - you would not be able to use it wherever systems were set up to force you to use a specific proxy (e.g. companies) - I don't think there is such a thing as a proxy chaining protocol.
>>> - the proxy would have to authenticate to all sites with https and probably the same id
>>> - you could only use it to authenticate to WebID sites - openid and others have not been automatised
>>> - you'd have to connect to the proxy over https
>>> - setting up a browser proxy is not easy for most users
>>>
>>> Otherwise a good idea, that could be useful in some situations.
>>
>> glad that i've finally managed to push this thought over the wire -- idea still at the stage of brainstorming :)
>>
>> thank you for your comments henry, at this moment i think not about using a 'plain http proxy' one can configure in a browser, but possibly experimenting with some simple server app which could act as a sort of 'gateway'? (maybe i used the proxy term in a confusing way?)
>>
>> a person could just visit https://mygateway.xmpl which already stores the cert matching the webid private key, authenticate with some 'i know' kind of challenge, and maybe get a secondary address bar similar to let's say: http://translate.google.com/translate?hl=en&sl=auto&tl=cy&u=http%3A%2F%2Fwebid.info%2F
>>
>> this way it doesn't have most of the problems you've raised but i guess it introduces other challenges... still i hope it could work without need for any magic tricks ;)
>>
>> and once more it doesn't need to work perfectly, just for cases one wants to use one's WebID (sub?)identity without having the private key available locally... such a 'gateway' app could have features like storing all browsing history, while on 'i know' challenge login, for further review, and require logging in with WebID in case one wants to clear those traces.
>>
>> having such a component could make it easier later to depend on a person using a certain service having the possibility to use WebID for ACL and other 'bundled goodies' ;)
>>
>> ~ elf pavlik ~
>
> Actually I thought about the exact same problem before. While I love WebID it has this one drawback: you need the certificate installed on the client. So if you are in an internet cafe and do not want to put in your USB key with your private key you cannot login. The most simple way to do this is to use a system like ODS which supports all kinds of login including plain old password and then use WebID delegation to authenticate with the WebID-only service.
>
> I think this is pretty much what Elf was talking about.

+1 I use a system where you can login with WebID primarily. But if a cert is not detected you can login with Facebook, Google, BrowserID etc.

> Cheers,
> Sebastian
Received on Saturday, 21 July 2012 07:37:54 UTC
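The gateway elf describes, as an added self-contained Go example (not code from this thread, nor from ODS or any other WebID implementation): the gateway holds the WebID client certificate and its private key, accepts an "I know" password from the borrowed machine, and then performs the WebID-TLS handshake to a WebID-only service on the user's behalf, so the private key never leaves the gateway. The service, the WebID profile lookup (an in-memory map standing in for an HTTP dereference of the WebID URI), the WebID `https://alice.example/profile#me`, the password and the in-memory pipe transport are all constructed for this example. The service side does what WebID-TLS specifies: it takes the subjectAltName URI from the presented certificate and accepts it only if that WebID's profile publishes the modulus and exponent of the key the client just proved possession of during the handshake.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Profiles is a constructed in-memory stand-in for dereferencing a WebID URI;
// it holds the key (cert:modulus, cert:exponent) that WebID's profile publishes.
var Profiles = map[string]*rsa.PublicKey{}

// NewCert makes a self-signed RSA cert. A non-empty webid goes into the
// subjectAltName URI entry, which is where WebID-TLS looks for it.
func NewCert(webid string) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if webid != "" {
		u, err := url.Parse(webid)
		if err != nil {
			return tls.Certificate{}, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// PublishKey is the profile owner's side: the WebID document lists this cert's key.
func PublishKey(webid string, c tls.Certificate) {
	key := c.PrivateKey.(*rsa.PrivateKey)
	Profiles[webid] = &key.PublicKey
}

// VerifyWebID is the service's half of WebID-TLS: accept a SAN URI only if its
// profile publishes exactly the key the client proved possession of in the handshake.
func VerifyWebID(cert *x509.Certificate) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA keys are handled in this example")
	}
	for _, u := range cert.URIs {
		if pk := Profiles[u.String()]; pk != nil && pk.E == pub.E && pk.N.Cmp(pub.N) == 0 {
			return u.String(), nil
		}
	}
	return "", errors.New("no SAN URI whose profile publishes this key")
}

// Gateway keeps the WebID cert and the "I know" secret; the borrowed machine only
// sees a password prompt. A real one would use a slow salted KDF and a one-time code.
type Gateway struct {
	pwHash   [32]byte // SHA-256 of the password (example only)
	identity tls.Certificate
}

// RunDance: password login to the gateway, then the gateway runs the WebID-TLS
// handshake to a mock WebID-only service over an in-memory pipe and returns the
// WebID the service authenticated.
func RunDance(g *Gateway, password string) (string, error) {
	if h := sha256.Sum256([]byte(password)); subtle.ConstantTimeCompare(h[:], g.pwHash[:]) != 1 {
		return "", errors.New("gateway login failed")
	}
	srvCert, err := NewCert("") // the service's own TLS cert, no WebID in it
	if err != nil {
		return "", err
	}
	srvConn, cliConn := net.Pipe()
	defer cliConn.Close()
	var webid string
	done := make(chan error, 1)
	go func() {
		s := tls.Server(srvConn, &tls.Config{
			Certificates:           []tls.Certificate{srvCert},
			ClientAuth:             tls.RequireAnyClientCert, // cert mandatory; self-signed, so no chain check
			SessionTicketsDisabled: true,                     // net.Pipe is synchronous: no post-handshake write
		})
		if err := s.Handshake(); err != nil {
			done <- err
			return
		}
		var vErr error
		webid, vErr = VerifyWebID(s.ConnectionState().PeerCertificates[0])
		done <- vErr
	}()
	c := tls.Client(cliConn, &tls.Config{
		Certificates:       []tls.Certificate{g.identity},
		InsecureSkipVerify: true, // example only: the mock service is self-signed
	})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	err = <-done
	return webid, err
}

func main() {
	cert, _ := NewCert("https://alice.example/profile#me")
	PublishKey("https://alice.example/profile#me", cert)
	g := &Gateway{pwHash: sha256.Sum256([]byte("hunter2")), identity: cert}
	fmt.Println(RunDance(g, "hunter2"))
}
```

Two points worth noting against the thread. First, Henry's caveat stands: the gateway, not the user, holds the key, so whoever has the gateway password can act as the WebID everywhere; this is why elf's suggestion of a separate, more restricted secondary key for the gateway matters. Second, a certificate that merely claims a WebID in its SAN gets nowhere: the service only accepts the key its dereferenced profile publishes, which is the check that makes the proxy's self-signed certificate meaningful.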