W3C home > Mailing lists > Public > public-webid@w3.org > October 2015

Re: WebID proxy?

From: Markus Sabadello <markus@projectdanube.org>
Date: Tue, 20 Oct 2015 09:36:16 +0200
Message-ID: <5625EEF0.2080604@projectdanube.org>
To: public-webid@w3.org
Thanks Henry. I think the redirect part of what you describe makes sense
to me.
But you say "a server can redirect to such a service, which
authenticates the user using a client certificate".
This is actually what we want to avoid, i.e. we want to authenticate the
user in some other way, and have only the web service deal with WebID.

Sorry for the unstable Piratepad link. Since pads also expire at some
point, I'll paste the contents here to make sure they are not lost:

[[NOTE: This is an Etherpad originally written at
http://piratepad.nl/eXd4UsVuaWon Oct 19th 2015 by Markus S., Justas A.,
Eelco W., Joachim L. In the "Questions" section, answers are by Andrei S.)]]

A WebID proxy for restricted browsers
==========================

In July 2012, Elf Pavlik wrote about the idea of a "WebID proxy", which
could enable non-WebID-capable browsers to use WebID via a hosted service:
https://lists.w3.org/Archives/Public/public-webid/2012Jul/0069.html

This assumes that a session is somehow established between the browser
and the WebID proxy. This can happen using any identity protocol, e.g.
OpenID, Mozilla Persona, or even username/password or Facebook Connect.

We also assume that the browser's configuration cannot be changed. This
rules out using traditional HTTP proxies (SOCKS, ...).

The WebID proxy holds the user's client certificate(s) and exposes an
interface that a browser app can use for accessing LDP and other
WebID-enabled resources.

Could also be called WebID agent instead of WebID proxy. Could also be
called SoLiD proxy/agent.


Questions:
---------------
- could be a part of CORS proxy on gold-- Yes, we are considering adding
this feature to Solid servers). In fact, we are thinking of routing all
requests through such a proxy, which would enable us to cache resources
on the server. Also, one possible alternative is to use the delegation
feature of WebID-TLS, in which the server (an agent with its own WebID)
will run requests *on behalf* of the user (gold supports this feature
already).
- what exactly is the interface between the client and the WebID
proxy?-- HTTP? (maybe using basic auth)
- how generic/specific to LDP/SoLiD protocols should this interface
be?-- TBD
- if a one-to-many mapping between user account and WebID is desired,
how does the client "choose" a WebID?-- One would assume the mapping is
handled by the server. The proxy resource (URI) can also be ACL'd.
- is the WebID proxy hard-coded in the browser app, or is
decoupled/discoverable?-- Should always be discoverable. (in a Link
header maybe?)
- can an app support both native WebID and WebID proxy?-- Definitely.
Solid apps already do (this feature is built into rdflib.js).
- would such construction pose any security threats?-- My (Andrei) main
concern revolves around transparency. I would like to avoid having
agents use my personal credentials. Instead, agents should use their own
credentials and allow me to delegate some work to them.  This helps
servers take informed decisions as to who is really authenticating and how.
- should we use WebID-RSA instead of WebID-TLS in such construction?-- I
don't think WebID-RSA is relevant in this discussion, since the reason
for having this proxy is based on lack of support for client certs.


People to talk to:
-------
- Melvin
- Pavlik
- Andrei

Places/Forums to post:
-------
public-webid@w3.org mailing list
https://gitter.im/solid/solid-spec


On 10/19/2015 12:47 PM, Henry Story wrote:
>
>> On 19 Oct 2015, at 11:07, Markus Sabadello <markus@projectdanube.org
>> <mailto:markus@projectdanube.org>> wrote:
>>
>> Hello,
>>
>> In July 2012, Elf Pavlik wrote about the idea of a WebID proxy that
>> could be used without installing certificates on a client:
>> https://lists.w3.org/Archives/Public/public-webid/2012Jul/0069.html
>>
>> A few days ago at GET-D
>> <http://get-d.net/home/events/getd-summit-hackathon-berlin-iii/> in
>> Berlin, the Jolocom <http://jolocom.com/> team and others talked
>> about this idea again.
>>
>> So we wrote up the following pad with some initial thoughts and
>> questions:
>> http://piratepad.nl/eXd4UsVuaW (please re-try few times if not reachable)
>
> I can't get that link to open.
>
> On the whole this is a good idea. We used to have one online written
> in Java
> https://github.com/bblfish/foafssl-java/blob/master/foafssl-identity-provider-webapp/src/main/webapp/login.jsp
> Now that I know a bit more about crypto, I guess in this protocol, we
> are missing the salt.
>
> It is quite simple: a server can redirect to such a service, which
> authenticates the user using a
> client certificate. If it succeeds the service then redirect the user
> to a URL indicated in the request, puts the URL in the header, adds a
> date, ( and should add the sale to avoid replays ), the server signs it
> with its public key ( published at a URL ) and redirects the user back
> there. 
>
> Perhaps someone can write this out nicely on a wiki, and we can have a
> little spec 
> like that, so that people could use different providers easily. On the
> other hand the danger
> is that this kind of spec quickly gets more and more complicated as
> people then ask for attribute
> exchange and more features.  To keep it simple, one should require
> that the user of the service
> at least haved an RDF parser so it can then GET the WebID and get the
> extra attributes.
>
>
>
>
>>
>> Before developing this further and possibly duplicating efforts, we'd
>> like to ask for feedback.
>> Perhaps you could advise if this exists already, or if not, how to
>> best approach it?
>>
>> Markus
>>
>
Received on Tuesday, 20 October 2015 07:36:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:59 UTC