Re: Recovery of compromised WebID from Kingsley Idehen on 2019-03-04 (public-webid@w3.org from March 2019)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 4 Mar 2019 17:35:05 -0500
To: Jonas Smedegaard <jonas@jones.dk>, public-webid@w3.org
Message-ID: <ec7c928d-0cba-96fb-dfec-099931423f0d@openlinksw.com>
On 3/4/19 2:51 PM, Jonas Smedegaard wrote:
> Quoting Kingsley Idehen (2019-03-04 19:47:30)
>> On 3/4/19 12:26 PM, Jonas Smedegaard wrote:
>>> Quoting Kingsley Idehen (2019-03-04 16:58:02)
>>>> We have implemented the following in our YouID offering:
>>>>
>>>> 1. X.509 Cert and WebID-Profile doc relations setup for both 
>>>> WebID-TLS and WebID-TLS+Delegation
>>>>
>>>> 2. Delivered as a hosted App or Browser Extension.
> [...]
>
>>> At [assumed homepage] I see several links to _installing_ the 
>>> project, but no link to getting the _source_ for it.  I guess source 
>>> is available and freely licensed, just not as prominently promoted 
>>> as usage, right?  Can you help point me to its sources?
> [..]
>
>> The original YouID releases covered:
>>
>> 1. iOS -- secure
>>
>> 2. Android -- secure
> If freely licensed, I dearly recommend you to consider releasing the 
> Android App on F-droid: https://f-droid.org/


Actually, we haven't release the iOS and Android versions to github yet.
Those edition also lack the Solid binding that's implemented in the
Browser Extension.

Once those are up to date, we can revisit Open Source Releases. Thus,
for now they aren't Open Source.

The Browser Extensions are Open Source.

>
>
>> 3. Hosted Edition -- questionable since a hosted app is trying to 
>> offer privacy to a 3rd party (not possible).
>>
>> Assumption is that privacy is about self-calibration of one's 
>> vulnerability. Thus, a 3rd party cannot offer that to an individual 
>> (as per #3).
> I see a use case for the hosted edition: As part of a self-hosted 
> system, for situations where you want your authentication to be at your 
> personal server rather than inside your personal web browser - e.g. wnen 
> you use a web browser not supporting any of the formats provided.


The Browser Extension is ample in that it can save credentials to
wherever. Note by credentials I am referring to:

1. X.509 Cert with WebID in SAN

2. Relations written to WebID-Profile doc associated with WebID in SAN
that cross reference via cert:key relation

PKCS#12 bundling of X.509 Cert and Private Key is also included i.e.,
you can copy that file to your pod or simply open it for direct import
into your OS Keystore (e.g., Keychain on macOS or keystor on Windows
etc..).


>
> Concrete example: I am currently hired by Purism to help refine their 
> software stack.  Purism sell laptops and (soon) phones - their upcoming 
> phones will run a Debian-derived system (so cannot use iOS nor Android 
> apps) using a Webkit-based browser by default (so cannot use a WebExt 
> browser plugin).
>
> Is the hosted edition still available somewhere, and Freely licensed?


I think that you get what you need via our Node Solid Server which also
includes the capabilities in the Browser Extension re. credentials [1] .


[1] https://solid.openlinksw.com:8445 -- latest edition running Node
Solid Server 5.x

[2] https://solid.openlinksw.com:8444 -- latest edition running Node
Solid Server 4.x

[3] https://github.com/OpenLinkSoftware/node-solid-server  -- this might
be slight out of date, but it is Open Source


Kingsley

>
>
>> The chrome extension is an addition.
>>
>> Here is the chrome store browser extension page:
>> https://chrome.google.com/webstore/detail/openlink-youid/kbepkemknbihgdmdnfainhmiidoblhee?hl=en
>> .
>>
>> This extension localizes (everything is in your browser) the process 
>> of creating and saving your credentials. It's support of Solid Pods as 
>> WebID-Profile docs hosts fills in the missing gaps of yore re. 
>> bootstrap.
> Nice!
>
>
>> [1] https://github.com/OpenLinkSoftware/youid -- Open Source Edition 
>> of YouID Browser Extension (it might be a little out of date, but you 
>> can fork and track PRs etc..)
> Thanks!
>
> I now added that source repository to the list of things I may 
> eventually one day get around to package for Debian, for those like me 
> needing that for it to be trustworthy.


-- 
Regards,

Kingsley Idehen       
Founder & CEO 
OpenLink Software   
Home Page: http://www.openlinksw.com
Community Support: https://community.openlinksw.com
Weblogs (Blogs):
Company Blog: https://medium.com/openlink-software-blog
Virtuoso Blog: https://medium.com/virtuoso-blog
Data Access Drivers Blog: https://medium.com/openlink-odbc-jdbc-ado-net-data-access-drivers

Personal Weblogs (Blogs):
Medium Blog: https://medium.com/@kidehen
Legacy Blogs: http://www.openlinksw.com/blog/~kidehen/
              http://kidehen.blogspot.com

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
        : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 4 March 2019 22:35:46 UTC