Re: WebID proxy?

Excerpts from Melvin Carvalho's message of 2012-07-21 07:37:26 +0000:
> On 21 July 2012 09:32, Sebastian Trueg <trueg@openlinksw.com> wrote:
> 
> > On 07/20/2012 07:37 PM, elf Pavlik wrote:
> >
> >> Excerpts from Henry Story's message of 2012-07-20 16:15:14 +0000:
> >>
> >>> On 20 Jul 2012, at 18:06, elf Pavlik wrote:
> >>>
> >>>> Excerpts from elf Pavlik's message of 2012-07-20 15:39:35 +0000:
> >>>>
> >>>>> Excerpts from Melvin Carvalho's message of 2012-07-20 15:13:38 +0000:
> >>>>>
> >>>>>> On 20 July 2012 16:59, Henry Story <henry.story@bblfish.net> wrote:
> >>>>>>
> >>>>>>> On 20 Jul 2012, at 15:26, elf Pavlik wrote:
> >>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> Hearing lately some discussions on delegation and proxies, I started
> >>>>>>>> thinking about a proxy which would enable me to use WebID without the need
> >>>>>>>> to have any private keys on a client machine I may happen to use. One
> >>>>>>>> could use some other system - possibly pass phrase based - for authentication,
> >>>>>>>> and then the proxy would hold some secondary private key, which could also
> >>>>>>>> have more restricted permissions on chosen services.
> >>>>>>>>
> >>>>>>>> I look here for more flexibility in case someone wants to use a friend's
> >>>>>>>> computer just to RSVP to an event or similar cases with rather low
> >>>>>>>> security requirements...
> >>>>>>>
> >>>>>>> Use OpenId with one time passwords perhaps?
> >>>>>>>
> >>>>>> Sure WebID can fall back to OpenID, BrowserID, SAML,
> >>>>>> username/password etc.
> >>>>>>
> >>>>> I didn't mean 'fall back' to something other than WebID on a service
> >>>>> provider side. Service could offer WebID only authentication and access
> >>>>> control, while I would connect from a client machine without any client
> >>>>> certificates through this 'WebID proxy' which could hold my 'client certs'
> >>>>> and do WebID dances with service providers. I hope I express myself little
> >>>>> more clearly this time :)
> >>>>>
> >>>> Reading the following replies I still don't feel certain that others have
> >>>> understood me:
> >>>> 1. I want to access online service which ONLY accepts authenticating
> >>>> with WebID
> >>>> 2. I want to use 'random' computer which DOESN'T HAVE any client
> >>>> certificates and I don't want to install any client certificates on it at
> >>>> any point
> >>>>
> >>>> I think of accomplishing it by connecting over a 'proxy' which holds
> >>>> client certificates with the private key matching the public key published in my
> >>>> WebID profile and accepts for authentication some other password based
> >>>> method, let's say a basic login/pass pair just for simplicity.
> >>>>
> >>> That is an interesting idea. It could be a real HTTP proxy and perhaps
> >>> you could connect to it with a one time, time limited password. 2 problems:
> >>>   - you would not be able to use it wherever systems were set up to
> >>> force you to use a specific proxy ( e.g. companies ) - I don't think there
> >>> is such a thing as proxy chaining protocol.
> >>>   - the proxy would have to authenticate to all sites with https and
> >>> probably the same id
> >>>   - you could only use it to authenticate to WebID sites - openid and
> >>> others have not been automatised
> >>>   - you'd have to connect to the proxy over https
> >>>   - setting up a browser proxy is not easy for most users
> >>>
> >>> Otherwise a good idea, that could be useful in some situations.
> >>>
> >> Glad that I've finally managed to push this thought over the wire -- the idea is
> >> still at the brainstorming stage :)
> >>
> >> Thank you for your comments Henry. At this moment I'm thinking not about using
> >> a 'plain HTTP proxy' one can configure in a browser, but possibly
> >> experimenting with some simple server app which could act as a sort of
> >> 'gateway'? (Maybe I used the proxy term in a confusing way?)
> >>
> >> A person could just visit https://mygateway.xmpl, which already stores the cert
> >> matching the WebID private key, authenticate with some 'I know' kind of
> >> challenge, and maybe get a secondary address bar similar to, let's say:
> >> http://translate.google.com/translate?hl=en&sl=auto&tl=cy&u=http%3A%2F%2Fwebid.info%2F
> >>
> >> This way it doesn't have most of the problems you've raised, but I guess it
> >> introduces other challenges... Still I hope it could work without the need for
> >> any magic tricks ;)
> >>
> >> And once more it doesn't need to work perfectly, just for cases where one wants
> >> to use one's WebID (sub?)identity without having the private key available
> >> locally... Such a 'gateway' app could have features like storing all browsing
> >> history while on 'I know' challenge login, for further review, and require
> >> logging in with WebID in case one wants to clear those traces.
> >>
> >> Having such a component could make it easier later to depend on a person using
> >> a certain service having the possibility to use WebID for ACL and other 'bundled
> >> goodies' ;)
> >>
> >> ~ elf pavlik ~
> >>
> >>
> > > Actually I thought about the exact same problem before. While I love
> > WebID it has this one drawback: you need the certificate installed on the
> > client. So if you are in an internet cafe and do not want to put in your
> > USB key with your private key you cannot login. The most simple way to do
> > this is to use a system like ODS which supports all kinds of login
> > including plain old password and then use WebID delegation to authenticate
> > with the WebID-only service.
> >
> > I think this is pretty much what Elf was talking about.
> >
> 
> +1
> 
> I use a system where you can log in with WebID primarily. But if a cert is
> not detected you can log in with Facebook, Google, BrowserID etc.

Melvin, I know your approach and I like it very much. In some services I work on, I would also like to have just an 'Open Login' which accepts WebID, OpenID (+Connect), BrowserID and possibly other open systems (while I also respect your choice to support the Faceboogle login family ;)

Still, here I try to chew on how to make it possible for service providers to have the option of just supporting WebID, and find a workaround for cases when a person may want to use a 'random machine' without storing private keys locally. It seems to me currently that it could simplify implementing ACL on the service side (as Kingsley shared some interesting examples) as well as enabling signing messages and content.

The signing part I find very important, as I would like to get into a habit of verifying online claims myself and encouraging other people not to take something published as my expression unless it carries my digital signature. Which includes comments, messages and blog posts, but also, since I want to take advantage of the web for economic tools providing a solid alternative to present finances, digital identities and signatures can help with implementing various systems not based on monetary currencies. Sorry for going off topic here, but most of my 'use cases' will come from that aim. In September I should have the possibility of presenting concepts I slowly started drafting at: http://polyeconomy.info at Open Knowledge Festival in Helsinki. Including also what, with a few other people, we have started discussing in the community-io community group. I hope to connect at that event with other people from the Linked Data community and preferably have a proof of concept demo of a resources/services sharing system delegating accounting to 'pluggable' services. Then I also have to play with a few examples of such accounting services based on monetary and non-monetary strategies. Funny how the 'circle' closes in this super drifted away message, since it can work in a similar way as 'logging in with OpenID, WebID, BrowserID etc.', 'account with socialKama system X, sharedBenefit system Y, monetaryCurrency system Z, etc.' Anyhow, I'd better shift discussion about such applications of the technologies we work on back to: http://www.w3.org/community/community-io/ (I need to rewrite the description there to a more precise one...)

Cheers!
~ elf Pavlik ~

Received on Saturday, 21 July 2012 10:23:32 UTC
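The 'WebID gateway' sketched in this thread (a server that keeps the user's secondary client certificate, accepts a pass-phrase login from a key-less machine, and then performs the WebID-TLS handshake towards the target service) can be modelled in a few dozen lines. The code below is an added illustration and is not part of the thread or of any project mentioned in it; the account, WebID URI, host names and key paths are constructed placeholders, no real private key or network connection is used, and the WebID-TLS verification of the user's primary certificate (the "strong" login) is assumed to happen elsewhere. It shows the two properties the thread asks for: the secondary key is restricted to chosen services, and the access history recorded under the weaker pass-phrase login can only be cleared by a session authenticated with WebID itself.

```python
"""Model of a WebID gateway holding a secondary client certificate.
Constructed example: users, hosts and key paths are placeholders."""
import hashlib
import hmac
import os
import secrets
import ssl
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000
WEAK_SESSION_TTL = 10 * 60     # pass-phrase sessions are short-lived
STRONG_SESSION_TTL = 60 * 60   # sessions backed by a WebID-TLS login


@dataclass
class Account:
    webid: str
    salt: bytes
    pw_hash: bytes
    cert_path: str            # PEM chain of the *secondary* client certificate
    key_path: str             # matching private key; it never leaves the gateway
    allowed_hosts: set        # services the secondary key may be used against
    history: list = field(default_factory=list)   # (time, login strength, host)


@dataclass
class Session:
    webid: str
    strength: str             # "passphrase" or "webid"
    expires: float


class Gateway:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    @staticmethod
    def _kdf(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)

    def register(self, webid, passphrase, cert_path, key_path, allowed_hosts):
        salt = os.urandom(16)
        self.accounts[webid] = Account(webid, salt, self._kdf(passphrase, salt),
                                       cert_path, key_path, set(allowed_hosts))

    def login_passphrase(self, webid, passphrase):
        """The 'I know' challenge: returns a one-time, time-limited token or None."""
        acct = self.accounts.get(webid)
        if acct is None or not hmac.compare_digest(acct.pw_hash, self._kdf(passphrase, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(webid, "passphrase", time.time() + WEAK_SESSION_TTL)
        return token

    def login_webid(self, webid):
        """Called only after the gateway verified a WebID-TLS handshake with the
        user's primary certificate (that verification is assumed, not shown)."""
        if webid not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(webid, "webid", time.time() + STRONG_SESSION_TTL)
        return token

    def _session(self, token):
        s = self.sessions.get(token)
        if s is None:
            return None
        if time.time() > s.expires:       # expired tokens are dropped, not reused
            del self.sessions[token]
            return None
        return s

    def authorize(self, token, host):
        """Decide whether a request to `host` may use the secondary key; logs it."""
        s = self._session(token)
        if s is None:
            return False, "no valid session"
        acct = self.accounts[s.webid]
        if host not in acct.allowed_hosts:
            return False, f"{host} is not permitted for the secondary key"
        acct.history.append((time.time(), s.strength, host))
        return True, "ok"

    def client_context(self, token, host):
        """TLS context that presents the secondary certificate towards `host`."""
        ok, why = self.authorize(token, host)
        if not ok:
            raise PermissionError(why)
        acct = self.accounts[self._session(token).webid]
        ctx = ssl.create_default_context()
        ctx.load_cert_chain(acct.cert_path, acct.key_path)   # key stays server-side
        return ctx

    def clear_history(self, token):
        """Only a WebID-authenticated session may erase the audit trail."""
        s = self._session(token)
        if s is None or s.strength != "webid":
            return False
        self.accounts[s.webid].history.clear()
        return True


def demo():
    gw = Gateway()
    me = "https://elf.example/#me"        # placeholder WebID
    gw.register(me, "correct horse", "/placeholder/secondary.crt",
                "/placeholder/secondary.key", {"rsvp.example"})
    weak = gw.login_passphrase(me, "correct horse")
    results = {
        "bad_pw": gw.login_passphrase(me, "wrong") is None,
        "rsvp": gw.authorize(weak, "rsvp.example")[0],   # allowed host
        "bank": gw.authorize(weak, "bank.example")[0],   # outside the key's scope
        "weak_clear": gw.clear_history(weak),            # pass-phrase login cannot clear
    }
    strong = gw.login_webid(me)
    results["strong_clear"] = gw.clear_history(strong)
    results["history_after"] = len(gw.accounts[me].history)
    return results


if __name__ == "__main__":
    print(demo())
```

`client_context` is the only place the private key is touched, and it is reached exclusively through `authorize`, so every use of the secondary certificate is both scope-checked and written to the per-account history; that is the piece a gateway operator would want to audit.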