W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Question/idea: Self-contained WebID

From: Daniël Bos <corani@gmail.com>
Date: Wed, 28 May 2014 13:20:11 +0800
To: Kingsley Idehen <kidehen@openlinksw.com>,public-webid@w3.org
Message-ID: <8597b08f-88f4-409d-b1a1-718572b582a9@email.android.com>
Hash: SHA512

On May 28, 2014 2:22:22 AM GMT+08:00, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>On 5/27/14 1:08 PM, Brian Allen Vanderburg II wrote:
>> As a person using many different accounts to different sites, having
>> lot of usernames and passwords can be a real pain.  As a result, I
>> the ideas I've seen with concepts like OpenID and WebID.  I do have
>> question/idea that I would like to know about that could improve it.
>> OpenID requires third party identity providers.  That means that I
>> really "own" my identity, instead another group owns my identity.
>> for some reason, that server is unavailable, I can't use that
>> Or if that server gets compromised, then my identity, along with
>> may also become compromised.
>> One idea I've had in the past would be a system similar to SSH
>> key logins.  With SSH, I own my identity by owning my private key
>> I can put the same public key on multiple systems, and log in using
>> one private key file.  It doesn't depend on any external third party
>> groups, only my client and the server I am connected to.
>> I'm only vaguely familiar with WebID.  It seems like it works by
>> a client certificate on the user's computer.  But it still seems to
>> require a public server for access to the WebID foaf.rdf file. Would
>> not be possible for a client/browser to implement it's own way of
>> storing that file and sending it to a server when attempting to use
>> WebID for authentication and login, so that it would remove the need
>> some hosting provider or server from storing it.  The idea there
>> be to allow the user to own their identity entirely, without any need
>> an external provider or server to host the file, perhaps allowing for
>> by the key fingerprint.
>> Brian Vanderburg II
>Welcome to WebID, the community.
>To answer your fundamental question, the answer is yes. WebID,
>WebID-TLS, WebID-Profile, and WebACLs are all about loosely coupling
>critical pieces that collectively facilitate identity controlled and
>managed by you.
>You local digital identity card (x.509 cert) and you public profile
>(wherever *you* choose to store that) are linked semantically. Thus,
>the semantics of the association (between the aforementioned artifacts)
>that controls everything rather than the whims, worldviews, or biases
>a specific service provider.
>BTW -- There are even applications that showcase what's outlined above,
>today [1][2].
>[1] http://bit.ly/SLEqjt -- YouID for Android devices
>[2] http://bit.ly/17rnUpb -- YouID for iOS devices
>Kingsley Idehen
>Founder & CEO
>OpenLink Software
>Company Web: http://www.openlinksw.com
>Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>Twitter Profile: https://twitter.com/kidehen
>Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
>LinkedIn Profile: http://www.linkedin.com/in/kidehen

OpenID can actually run locally, since the browser handles all the redirects. In the past I've used an OpenID provider running on localhost. This could just as easily have been baked into the browser.
- --
Best regards,
Daniël Bos

Your government is reading your email. Slow them down with encryption.

My public key: http://goo.gl/gms497 (4096 bit RSA, id EF2D5D91)
Fingerprint  : D8D0 9FBE F075 F709 7B52  2F73 326C 2123 EF2D 5D91
Version: OpenPGP Keychain v2.7

Received on Wednesday, 28 May 2014 05:20:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC