Re: Question/idea: Self-contained WebID

On 5/27/14 1:08 PM, Brian Allen Vanderburg II wrote:
> As a person using many different accounts to different sites, having a
> lot of usernames and passwords can be a real pain.  As a result, I like
> the ideas I've seen with concepts like OpenID and WebID.  I do have one
> question/idea that I would like to know about that could improve it.
>
> OpenID requires third party identity providers.  That means that I don't
> really "own" my identity, instead another group owns my identity.  If,
> for some reason, that server is unavailable, I can't use that identity.
> Or if that server gets compromised, then my identity, along with others,
> may also become compromised.
>
> One idea I've had in the past would be a system similar to SSH private
> key logins.  With SSH, I own my identity by owning my private key file.
> I can put the same public key on multiple systems, and log in using that
> one private key file.  It doesn't depend on any external third party
> groups, only my client and the server I am connected to.
>
> I'm only vaguely familiar with WebID.  It seems like it works by storing
> a client certificate on the user's computer.  But it still seems to
> require a public server for access to the WebID foaf.rdf file. Would it
> not be possible for a client/browser to implement its own way of
> storing that file and sending it to a server when attempting to use
> WebID for authentication and login, so that it would remove the need of
> some hosting provider or server from storing it?  The idea there would
> be to allow the user to own their identity entirely, without any need of
> an external provider or server to host the file, perhaps allowing for ID
> by the key fingerprint.
>
> Brian Vanderburg II

Welcome to WebID, the community.

To answer your fundamental question, the answer is yes. WebID, 
WebID-TLS, WebID-Profile, and WebACLs are all about loosely coupling the 
critical pieces that collectively facilitate identity controlled and 
managed by you.

Your local digital identity card (X.509 cert) and your public profile data 
(wherever *you* choose to store that) are linked semantically. Thus, it's 
the semantics of the association (between the aforementioned artifacts) 
that controls everything rather than the whims, worldviews, or biases of 
a specific service provider.

BTW -- There are even applications that showcase what's outlined above, 
today [1][2].


[1] http://bit.ly/SLEqjt -- YouID for Android devices

[2] http://bit.ly/17rnUpb -- YouID for iOS devices

-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 27 May 2014 18:22:46 UTC
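
Added example, not part of the original messages or of any software they mention: a WebID-TLS style check that the public key in a client certificate is listed as a `cert:key` of the WebID named in the certificate's subjectAltName URI. The profile, URLs, key values and the `fetch` callable are constructed for illustration, and the Turtle handling is a pattern match for this sample layout only.

```python
import re
from urllib.parse import urldefrag

# Constructed sample: the Turtle profile served at the WebID's document URL.
# The modulus is a toy value, far too short to be a real RSA modulus.
PROFILE = '''
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://id.example/brian#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "00c3a1f2"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
'''

KEY_RE = re.compile(
    r'cert:key\s*\[[^\]]*?cert:modulus\s*"([0-9a-fA-F\s]+)"\^\^xsd:hexBinary'
    r'[^\]]*?cert:exponent\s+(\d+)[^\]]*\]')

def profile_keys(turtle, webid):
    """Return {(modulus, exponent)} that the profile claims for `webid`.
    Assumption: matches the sample layout; a verifier would use an RDF parser."""
    keys = set()
    for stmt in re.split(r'\.\s*\n', turtle):      # one Turtle statement each
        if stmt.lstrip().startswith(f'<{webid}>'):  # keys of this subject only
            for mod, exp in KEY_RE.findall(stmt):
                keys.add((int(re.sub(r'\s', '', mod), 16), int(exp)))
    return keys

def verify_webid(san_uri, cert_modulus, cert_exponent, fetch):
    """True if the certificate's RSA key is a cert:key of the WebID in its
    subjectAltName URI. `fetch` (hypothetical) returns the profile text."""
    doc_url, _fragment = urldefrag(san_uri)  # profile document, without #me
    try:
        turtle = fetch(doc_url)              # dereference the profile
    except OSError:
        return False                         # profile unreachable: no proof
    return (cert_modulus, cert_exponent) in profile_keys(turtle, san_uri)

if __name__ == "__main__":
    serve = lambda url: PROFILE
    print(verify_webid("https://id.example/brian#me", 0xC3A1F2, 65537, serve))
    print(verify_webid("https://id.example/brian#me", 0xBADBAD, 65537, serve))
```

The TLS handshake itself, which proves the client holds the private key, is outside this block; the check here covers only the certificate-to-profile link.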