- From: Henry Story <henry.story@gmail.com>
- Date: Mon, 19 Oct 2015 11:47:33 +0100
- To: Markus Sabadello <markus@projectdanube.org>
- Cc: public-webid@w3.org
- Message-Id: <15709C50-AA2C-4B49-A9C0-A9E8F1445115@gmail.com>
> On 19 Oct 2015, at 11:07, Markus Sabadello <markus@projectdanube.org> wrote:
>
> Hello,
>
> In July 2012, Elf Pavlik wrote about the idea of a WebID proxy that could be used without installing certificates on a client:
> https://lists.w3.org/Archives/Public/public-webid/2012Jul/0069.html
>
> A few days ago at GET-D <http://get-d.net/home/events/getd-summit-hackathon-berlin-iii/> in Berlin, the Jolocom <http://jolocom.com/> team and others talked about this idea again.
>
> So we wrote up the following pad with some initial thoughts and questions:
> http://piratepad.nl/eXd4UsVuaW (please re-try a few times if not reachable)

I can't get that link to open.

On the whole this is a good idea. We used to have one online, written in Java:
https://github.com/bblfish/foafssl-java/blob/master/foafssl-identity-provider-webapp/src/main/webapp/login.jsp

Now that I know a bit more about crypto, I guess in this protocol we are missing the salt.

It is quite simple: a server can redirect to such a service, which authenticates the user using a client certificate. If it succeeds, the service then redirects the user to a URL indicated in the request, puts the URL in the header, adds a date (and should add the salt to avoid replays), the server signs it with its public key (published at a URL) and redirects the user back there.

Perhaps someone can write this out nicely on a wiki, and we can have a little spec like that, so that people could use different providers easily. On the other hand, the danger is that this kind of spec quickly gets more and more complicated as people then ask for attribute exchange and more features.

To keep it simple, one should require that the user of the service at least have an RDF parser, so it can then GET the WebID and get the extra attributes.

> Before developing this further and possibly duplicating efforts, we'd like to ask for feedback.
> Perhaps you could advise if this exists already, or if not, how to best approach it?
>
> Markus
Received on Monday, 19 October 2015 10:48:07 UTC
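The redirect protocol sketched in the message above (target URL, date, salt, signed by the login service) written out as both sides of the exchange. This is an added illustration for the thread, not code from the foafssl-java identity provider or from the Jolocom pad, and it makes several assumptions the thread leaves open: the provider signs with an Ed25519 private key and the relying party checks with the published public key; the assertion travels as query parameters named webid, rp, ts, nonce and sig on the relying party's callback URL (which is assumed to carry no query string of its own); the "salt" is a 16-byte random nonce; and the relying party keeps a table of nonces accepted inside the freshness window so the same redirect cannot be replayed. The client-certificate check itself is assumed to have already happened in the TLS handshake before Issue is called, and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
	"sync"
	"time"
)

// canonical returns the signed bytes; url.Values.Encode sorts keys, so both sides agree.
func canonical(q url.Values) []byte {
	v := url.Values{}
	for _, k := range []string{"webid", "rp", "ts", "nonce"} {
		v.Set(k, q.Get(k))
	}
	return []byte(v.Encode())
}

// Provider is the delegated login service; Pub would be published at a URL (assumed here).
type Provider struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv, Pub: pub}, nil
}

// Issue builds the redirect back to rp (assumed to carry no query string of its own) with
// the authenticated WebID, issue time, a random nonce (the "salt") and a signature over all.
func (p *Provider) Issue(webid, rp string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("webid", webid)
	q.Set("rp", rp)
	q.Set("ts", strconv.FormatInt(now.Unix(), 10))
	q.Set("nonce", base64.RawURLEncoding.EncodeToString(nonce))
	q.Set("sig", base64.RawURLEncoding.EncodeToString(ed25519.Sign(p.priv, canonical(q))))
	return rp + "?" + q.Encode(), nil
}

// RelyingParty verifies with the provider's public key and remembers accepted nonces.
type RelyingParty struct {
	URL     string
	IdPKey  ed25519.PublicKey
	MaxSkew time.Duration
	mu      sync.Mutex
	seen    map[string]time.Time
}

// Verify returns the WebID, or an error for a bad signature, wrong site, stale time or replay.
func (rp *RelyingParty) Verify(redirect string, now time.Time) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	q := u.Query()
	sig, err := base64.RawURLEncoding.DecodeString(q.Get("sig"))
	if err != nil || !ed25519.Verify(rp.IdPKey, canonical(q), sig) { // nothing else is trustworthy before this
		return "", errors.New("invalid signature")
	}
	if q.Get("rp") != rp.URL {
		return "", errors.New("assertion was issued for a different relying party")
	}
	ts, err := strconv.ParseInt(q.Get("ts"), 10, 64)
	if err != nil {
		return "", errors.New("malformed timestamp")
	}
	if d := now.Sub(time.Unix(ts, 0)); d < -rp.MaxSkew || d > rp.MaxSkew {
		return "", errors.New("assertion outside freshness window")
	}
	rp.mu.Lock()
	defer rp.mu.Unlock()
	if rp.seen == nil {
		rp.seen = map[string]time.Time{}
	}
	for n, t := range rp.seen { // a nonce older than the window can never pass the time check again
		if now.Sub(t) > rp.MaxSkew {
			delete(rp.seen, n)
		}
	}
	if _, dup := rp.seen[q.Get("nonce")]; dup {
		return "", errors.New("replayed assertion")
	}
	rp.seen[q.Get("nonce")] = time.Unix(ts, 0)
	return q.Get("webid"), nil
}
```

Two points a spec along these lines would want to pin down are visible in the code: the relying party checks the signature before looking at any other field, and it checks that the rp field names itself, so an assertion issued for one site cannot be forwarded to another. The date alone does not stop replay inside the window; that is what the nonce table is for, and pruning it by the same window keeps it bounded without losing the guarantee.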