- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 28 Nov 2016 07:59:53 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org, Gabriel Lucas <gabriel@medialab-prado.es>, Henry Story <henry.story@gmail.com>
Kingsley,

If we stick to browsers, WebID-TLS has gone from being "somewhat awkward" to "downright impossible" with the deprecation of <keygen>. Importing PKCS #12 keys doesn't meet social network usability requirements.

Apparently OpenLink Software have addressed some or all issues aided by browser extensions. This is great but represents a new solution which nobody else in this list has talked about.

If a revision project actually is in scope, I think you should begin untangling the system from TLS CCA (Client Certificate Authentication), and follow the general trend which is using application-level authentication rather than transport-level authentication. If you do that then you can safely dump the binding to X.509 client certificates since a public key + signed assertion [1,2] does the same job as proven by FIDO.

The core idea behind WebID-TLS is actually quite cool but clinging on to the current platform is not.

Best
Anders

1] like the following, here in JCS format:

{
  "WebIdUrl": "https://myseserver.com/john.doe",
  "target": "https://the-network.com/logon",
  "nonce": "eYqbGYkHfAsOUTJiuqfU98Rou_mfn0etWUkvDVOF_Fw",
  "timeStamp": "2016-11-28T20:37:06+01:00",
  "signature": {
    "algorithm": "ES256",
    "publicKey": {
      "type": "EC",
      "curve": "P-256",
      "x": "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
      "y": "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
    },
    "value": "TDKWQb9idTyPXgpOgIxXeogtl-P3e8oJPAKNZLVAYbQNSebV_CwSFOykR7llhC5_dG3uU6MPmqjQLc7jju4f0Q"
  }
}

2] or if you prefer the IETF-JOSE notation:

{
  "payload": "eyJAY29udGV4wMDUiLCJ0aW1lU3RhbXAiOiIyMDE2LTAyLTAyVDEwOjA3OjQyWiJ9",
  "protected": "eyJhbGciOiJFUzI1NiIsIng1YyAvV2UvKzVUZGRobFRVTU5Qdnc9PSJdfQ",
  "signature": "lBAFxpv2IQiuHmDBnBzOn8cd081ViLEoViAUS4Zkt9F-yI1-ajaUcnrfWtYy-QaHHkLkAKSRsnz_a2SFIdbPAg"
}

On 2016-11-27 20:19, Kingsley Idehen wrote:
> On 11/27/16 6:09 AM, Anders Rundgren wrote:
>> The question was really about actual usage, a question which is
>> typically answered with "I use it" which is somewhat less interesting
>> for people doing market research.
>
> Did I not explicitly state "we have customers using
> WebID+TLS+Delegation", what else do you want to hear. There are paying
> customers using this technology on the basis of it being the only
> practical solution to their security challenges.
>
>>
>> Talking about the latter, the fact is that almost the entire "Web
>> authentication industry" are betting on FIDO alliance products and so
>> have the W3C.
>
> This has zilch to do with FIDO and everything to do with relationship
> semantics and existing open standards collectively solving a real problem.
>>
>> Fighting the industry giants may be fun, but without a concerted
>> action, you get absolutely nowhere.
>
> I am not fighting industry giants. I am only interested in real
> solutions to real problem, based on deep understanding of both the
> problem and the solutions that are possible.
>
>>
>> BTW, a core idea behind Web ID has always been to *NOT* invent (=only
>> rely on existing technology), which is a self-imposed limitation.
>
> Nonsense, sorry!
>
> Kingsley
>>
>> Anders
>>
>> On 2016-11-26 21:45, Kingsley Idehen wrote:
>>> On 11/26/16 3:54 AM, Anders Rundgren wrote:
>>>> On 2016-11-23 12:40, Gabriel Lucas wrote:
>>>>> Hello,
>>>>>
>>>>> We are designing the new website for a public cultural institution.
>>>>> For the logging system we are evaluating various options, one is Web-ID.
>>>>>
>>>>> The web would be based in Drupal 7, there is a module created 5 years
>>>>> ago, that has not been updated in the last 3 years.
>>>>> https://www.drupal.org/project/webid
>>>>>
>>>>> We are wondering how much Web-Id is being used around.
>>>>>
>>>>> Do you know of any good use case where it is being used?
>>>>> Could you give us some advice?
>>>>
>>>> Hello Gabriel,
>>>>
>>>> If you want ubiquitous access, the only recommendable solution would
>>>> be to accept logins from third-party identity providers like Google,
>>>> Facebook and Twitter.
>>>>
>>>> Another option is the traditional "mail-roundtrip" registration and
>>>> a password.
>>>>
>>>> Both would be optimal.
>>>>
>>>> Anything else will be experienced as a hurdle.
>>>>
>>>> Anders
>>> Anders,
>>>
>>> The UI/UX hurdles that you reference in your comments above are
>>> solved via WebID+TLS+Delegation [1][2]. Fundamentally, you need a
>>> Identifiers and a Profile documents controlled by users for the Web
>>> to work. Failing to make this shift will simply continue to
>>> challenge the Web & Internet for the worse. The world is already in
>>> shock re. Brexit and recent US Elections (all real examples of how
>>> Web 2.0 has affected society as we know it).
>>>
>>> Issues of concern are building up rapidly and their effects on
>>> society are becoming more profound by the second:
>>>
>>> 1. Verifiable Identity controlled by users (rather than service
>>> providers) -- Privacy issue
>>>
>>> 2. Structured Metadata comprehensible to Search Engines -- SERPs
>>> issue which also affects "Fake News"
>>>
>>> Links:
>>>
>>> [1]
>>> https://medium.com/virtuoso-blog/web-logic-sentences-and-the-magic-of-being-you-e2a719d01f73#.aboqar22m
>>> -- Conceptual overview (with a working example) of WebID+TLS+Delegation
>>>
>>> [2]
>>> https://medium.com/openlink-software-blog/verifiable-identity-controlled-by-you-at-web-scale-3d66399cb114#.oiyf67k2v
>>> - Showcases a new WebID Extension for Chrome, Opera, Firefox etc..
>>>
>>> [3]
>>> https://medium.com/openlink-software-blog/semantic-search-engine-optimization-sseo-2a0ab8d17b00#.xtz068kta
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Kingsley Idehen
>>> Founder & CEO
>>> OpenLink Software (Home Page: http://www.openlinksw.com)
>>>
>>> Weblogs (Blogs):
>>> Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
>>> Blogspot Blog: http://kidehen.blogspot.com
>>> Medium Blog: https://medium.com/@kidehen
>>>
>>> Profile Pages:
>>> Pinterest: https://www.pinterest.com/kidehen/
>>> Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
>>> Twitter: https://twitter.com/kidehen
>>> Google+: https://plus.google.com/+KingsleyIdehen/about
>>> LinkedIn: http://www.linkedin.com/in/kidehen
>>>
>>> Web Identities (WebID):
>>> Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
>>> :
>>> http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
>>>
Received on Monday, 28 November 2016 07:00:33 UTC
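
The application-level login that footnote [1] of the message sketches, seen from the relying party's side, as an added example that is not part of the original message or of any WebID implementation. Assumptions: the function names, the five-minute freshness window, the signing input (the JSON object serialized without `signature.value`, a simplification of the JCS rule), and an in-memory map standing in for fetching the keys published in the WebID profile.

```javascript
const nodeCrypto = require('crypto');

const LOGON_URL = 'https://the-network.com/logon'; // the relying party's own endpoint
const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

// Assumed signing input: the object serialized without signature.value.
function signingInput(assertion) {
  const { value, ...sigHeader } = assertion.signature;
  return Buffer.from(JSON.stringify({ ...assertion, signature: sigHeader }));
}

// Client side, used here only to build constructed test data.
function makeAssertion(privateKey, publicKey, fields) {
  const { x, y } = publicKey.export({ format: 'jwk' });
  const publicKeyJson = { type: 'EC', curve: 'P-256', x, y };
  const a = { ...fields, signature: { algorithm: 'ES256', publicKey: publicKeyJson } };
  a.signature.value = nodeCrypto
    .sign('sha256', signingInput(a), { key: privateKey, dsaEncoding: 'ieee-p1363' })
    .toString('base64url');
  return a;
}

// Server side: returns 'ok' or the reason for rejection.
// issuedNonces: Set of nonces this server handed out; profileKeys: Map of
// WebID URL -> keys published in that profile (stands in for fetching it).
function verifyAssertion(a, issuedNonces, profileKeys, now) {
  const sig = a.signature;
  if (sig.algorithm !== 'ES256' || sig.publicKey.curve !== 'P-256') return 'unsupported algorithm';
  if (a.target !== LOGON_URL) return 'wrong target'; // signed for another site
  const age = Math.abs(now - Date.parse(a.timeStamp));
  if (!(age <= MAX_AGE_MS)) return 'stale timestamp'; // also rejects unparseable dates (NaN)
  const jwk = { kty: 'EC', crv: 'P-256', x: sig.publicKey.x, y: sig.publicKey.y };
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigBytes = Buffer.from(sig.value, 'base64url');
  const ok = nodeCrypto.verify('sha256', signingInput(a), { key, dsaEncoding: 'ieee-p1363' }, sigBytes);
  if (!ok) return 'bad signature';
  // A valid signature only proves possession of *some* key; the WebID step is
  // that the profile at WebIdUrl publishes this same key.
  const published = profileKeys.get(a.WebIdUrl) || [];
  const known = published.some((k) => k.x === sig.publicKey.x && k.y === sig.publicKey.y);
  if (!known) return 'key not in profile';
  // Consume the nonce last, so only a fully valid assertion uses it up.
  if (!issuedNonces.delete(a.nonce)) return 'unknown or replayed nonce';
  return 'ok';
}
```

The `target`, `nonce` and `timeStamp` checks are what replace the channel binding that TLS client authentication provided: without them a captured assertion could be presented to another site or presented again later.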