Re: Webkeys, OpenID, WebID, OAuth etc.. from Dave Longley on 2013-04-23 (public-webpayments@w3.org from April 2013)

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Tue, 23 Apr 2013 09:55:59 -0400
To: Melvin Carvalho <melvincarvalho@gmail.com>
CC: public-webpayments@w3.org
Message-ID: <517692EF.2040609@digitalbazaar.com>

On 04/23/2013 09:10 AM, Melvin Carvalho wrote:
>
>
>
> On 21 April 2013 21:15, Henry Story <henry.story@bblfish.net 
> <mailto:henry.story@bblfish.net>> wrote:
>
>
>     On 21 Apr 2013, at 20:17, Dave Longley <dlongley@digitalbazaar.com
>     <mailto:dlongley@digitalbazaar.com>> wrote:
>
>     > On 04/21/2013 09:18 AM, Henry Story wrote:
>     >>
>     >> ... your initial implementation was not a
>     >> WebID over TLS implementation at all.
>     >
>     > This is false and perhaps even inflammatory at this point. We've
>     had this discussion many times; each time you were disinterested
>     in understanding the implementation we did. However, your
>     disinterest had nothing to do with the technical merits of the
>     implementation or its adherence to how WebID over TLS was
>     described at the time.
>     >
>     > Our implementation was of a TLS client that used a TLS
>     client-side certificate with an alternate name that was a URL that
>     the authentication server accessed to obtain the same public key
>     in the client-side certificate given during the TLS handshake.
>
>     Ah I remeber. One part of it was WebID over TLS, with javascropt
>     implementation of TLS. But not having access to the X509
>     certificates you had to build a very complicated non decentralised
>     protocol around it. I am not sure where the crypto in
>     the browser stuff is going, but that's the only hope for that type
>     of approach. And since that was not finished, we did
>     not make it our priority.
>
>     Of course you have a different use case. But for that the
>     certificate ontology could still be useful.
>
>
> By the way if you want to see key provisioning in the browser that 
> works without crypto API, take a look at the open source client at
>
> https://ripple.com/
>
> This is a client that needs to be as strong, if not stronger, than 
> online banking.  So it shows that it can be done.

Yeah, if I recall correctly, they do essentially the same thing that the 
JavaScript WebID demo did two years ago: use JavaScript to do 
cryptography and HTML5 local storage to store credentials, etc. There 
are several significant services doing this now, including those that 
provide web apps for voting in elections.

>
>     > -Dave
>     >
>     > --
>     > Dave Longley
>     > CTO
>     > Digital Bazaar, Inc.
>     >
>
>     Social Web Architect
>     http://bblfish.net/
>
>


-- 
Dave Longley
CTO
Digital Bazaar, Inc.

Received on Tuesday, 23 April 2013 13:55:01 UTC