W3C home > Mailing lists > Public > public-webpayments@w3.org > April 2013

Re: Webkeys, OpenID, WebID, OAuth etc..

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 17 Apr 2013 15:20:14 -0400
Message-ID: <516EF5EE.90607@digitalbazaar.com>
To: "public-rww@w3.org" <public-rww@w3.org>
CC: Web Payments CG <public-webpayments@w3.org>
On 04/16/2013 02:41 PM, Melvin Carvalho wrote:
> I just read: 
> https://hacks.mozilla.org/2013/04/web-payments-with-payswarm-identity-part-1-of-3/.
>  Of the four points listed below, where does WebID+TLS fall short?
> 1. It must be decentralized. 2. It must support discoverability by
> using a resolvable address, like a URL or email address. 3. It must
> support, with authorization, arbitrary machine-readable information
> being attached to the identity by 3rd parties. 4. It must be able to
> provide both public and private data to external sites, based on who
> is accessing the resource. 5. It must provide a secure digital
> signature and encryption mechanism.
> I think it's perhaps (5)
> Also iirc (and I could be wrong on this) the UX for WebID + TLS
> using client certs was not considered optimal for users with limited
> technical knowledge ...

Hi Kingsley, Jürgen, Melvin,

You will notice that the Web Keys spec builds on a number of the good
parts of WebID while stripping out the bad parts of WebID.

The good parts of WebID that also exist in Web Keys:

1. Decentralized design.
2. Uses URLs to identify things.
3. Uses Linked Data to express information.
4. Access Control Lists via public/private crypto.

The bad parts of WebID:

1. No explanation of how to do digitally signed messages.
2. No explanation of how to encrypt messages, deferring to TLS
   instead (which may not always be available).
3. No URLs for keys, making it non-trivial to figure out which key
   signed a message.
4. Expression of modulus and exponent in raw form, making it difficult
   for developers to feed those values to common encryption libraries.
5. Key registration is not covered in the specification.
6. Unnecessarily coupled with TLS client-cert protocol.
7. Bad UX using client certs with browser makers not committed to making
   the experience better.

The parts that don't exist in WebID, but do exist in Web Keys:

1. Creating digital signatures for JSON-LD-based messages is covered.
2. Encrypting JSON-LD-based messages is covered.
3. Using a Web Key to do digital signatures for HTTP requests is
   covered (HTTP Signatures), allowing you to do digitally signed
   GETs on resources.
4. Keys can have URLs, and owners - for example:
   https://dev.payswarm.com/i/manu/keys/1 is owned by
6. Key generation and registration is covered in the specification.
7. TLS is never required for Web Keys clients (but is required for Web
   Keys servers). No dependence on client-side certs (which are hard to
   install and manage for beginners).
8. Keys are expressed using PEM-encoded form, making them easy to
   drop into most common cryptography libraries.

We did try to build PaySwarm on top of WebID in the beginning. When it
became apparent that there were issues with the WebID protocol that made
it impossible to build a payment solution on top of it, we came back to
the community with several change requests that were eventually rejected.

Since we needed a solid identity solution for the Web Payments work, we
decided to take the good parts of WebID and use it as a basis for what
eventually became Web Keys.

The Mozilla Hacks post on identity only covered the requirements at a
high-level. The items above are really what we needed from an identity
solution for Web Payments. Hope that explains it in a bit more detail,
if you'd like me to elaborate on any of the points above, please let me
know and I'd be happy to do so.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
Received on Wednesday, 17 April 2013 19:20:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:23 UTC