Re: Webkeys, OpenID, WebID, OAuth etc..

On 22 Apr 2013, at 05:27, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 04/21/2013 10:53 PM, Dave Longley wrote:
>> On 04/21/2013 05:26 PM, Henry Story wrote:
>>>> In other words, your false claim about a "very complicated 
>>>> non-decentralized protocol" is still rooted in your continued 
>>>> disinterest in understanding what we implemented.
>>>> 
>>> Can you find a mail where you publicly explained how this 
>>> worked?
>> 
>> Yes, I can find those and so can you. Search the foaf-protocols
>> list, for instance.
> 
> August 10th, 2010 - Dave Longley explains the JavaScript+Flash-based
> WebID+TLS protocol:
> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-August/003249.html
> 
> August 13th, 2010 - Henry Story responds to the thread:
> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-August/003287.html

Good, so I suppose with hindsight the idea of a Flash WebID+TLS 
protocol did not sound like such a good idea. As you see

> 
> May 10th, 2011 - Dave Longley explains the JavaScript+Websockets-based
> WebID+TLS protocol:
> http://lists.foaf-project.org/pipermail/foaf-protocols/2011-May/004942.html
> 
> There are at least 55 e-mails where Dave Longley took the time to
> explain the protocol publicly. You were involved in many of those
> conversations, but never did we get the impression that you were
> actually looking at or fully grasped the implementations:
> 
> https://www.google.com/search?q=site%3Alists.foaf-project.org+longley
> 
> In the end, we gave up on WebID specification because, after a year of
> us working on spec development and implementations, the community wasn't
> receptive to our concerns about the usability issues behind client-side
> certs. It was a deal-killer for us.

I never really saw a clear explanation of where the key material was to be
found, and how it was not going to end up centralised.

> 
> Luckily, the Mozilla Persona team seems to be well on their way to
> solving the usability problem.
> We'd much rather work with a group that
> understands that solving the login on the Web problem starts with
> usability. It is our opinion that getting Linked Data and public key
> cryptography into Persona is going to be easier than trying to fix WebID
> at this point in time.

BrowserID - now Mozilla Persona - is indeed at some level quite compatible
with WebID. I studied that in more detail and wrote up a review here:
http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid

At the point of writing that, it still had centralisation issues that they could only
overcome by changing the browser.

Also, doing all this in JavaScript, a Turing-complete language, when you can
do it all in an efficient TLS, is of course really bad practice, and opens
a huge can of worms, if not a bathtub of them.


But 

> 
> -- manu
> 
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Meritora - Web payments commercial launch
> http://blog.meritora.com/launch/

Social Web Architect
http://bblfish.net/

Received on Monday, 22 April 2013 07:36:17 UTC