Re: interesting approach to authentication in JavaScript from Henry Story on 2011-08-31 (public-xg-webid@w3.org from August 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 31 Aug 2011 15:31:15 +0200
To: Andrei Sambra <andrei@fcns.eu>
Cc: public-xg-webid@w3.org
Message-Id: <74374424-7DE4-4996-B16D-5EEECAAB8BE4@bblfish.net>

On 31 Aug 2011, at 15:23, Andrei Sambra wrote:

> 
> 
> On 08/31/2011 03:16 PM, Henry Story wrote:
>> 
>> On 31 Aug 2011, at 12:35, Dan Brickley wrote:
>> 
>>> On 29 August 2011 10:13, Dominik Tomaszuk<ddooss@wp.pl>  wrote:
>>>> Hi all,
>>>> 
>>>> It might be interesting:
>>>> http://html5.creation.net/webcrypto-api/
>>> 
>>> Meanwhile, http://www.matasano.com/articles/javascript-cryptography/
>>> has some criticism of browser-based .js crypto...
>> 
>> Thanks for the link. I was expecting some criticism of this type to surface sooner or later.
>> 
>> I have argued on the identity group that one thing that could be very useful would be client side logout javascript apis to standardise what Firefox and Internet Explorer are doing. That would be secure and simple to implement.

The code I am speaking of is the following

  function logout(elem) {
  if (document.all == null) {
     if (window.crypto) {
         try{
             window.crypto.logout();
             return false; //firefox ok -- no need to follow the link
         } catch (err) {//Safari, Opera, Chrome -- try with tis session breaking
         }
     } else { //also try with session breaking
     }
  } else { // MSIE 6+
     document.execCommand('ClearAuthenticationCache');
     return false;
  };
  return true
  }

  It is used like this

  <a href={"/user/joe/control-panel"}>Joe</a>|<a href="/logout" onclick="return logout();">logout</a>


> 
> Wouldn't it be simpler to let each service manage the login/logout process? As far as I can tell, once you finish the initial verification (when you ask for the browser certificate) you can save the result into a session and leave the rest to the service.

yes, that is if you use a TLS server to do the initial authentication on an https url, and then jump back to http using a cookie. Still the problem remains that the user can log-out using the cookie, but if he uses the same TLS endpoint he will inevitably be logged back in using the same identity. So he can semi logout, but he can't really change identity. 

The above code works for Firefox and IE (Please verify for IE). You can try it out on https://foafssl.org/srv/idp which implements it.

That server tries a few other tricks to logout using lower level TLS tricks, but those are not satisfactory. I am searching for some more clever tricks still to see if those can be made to work.

> Otherwise you'd have to repeat the same process for each html request, which is what currently happens, forcing us to click that "remember my choice" checkbox.

I am considering the case of a server entirely behind https. But still the problem remains as explained above.

Henry

> 
> Andrei
> 
>> Henry
>> 
>> 
>>> 
>>> Dan
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
> 

Social Web Architect
http://bblfish.net/

Received on Wednesday, 31 August 2011 13:31:49 UTC