W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

Re: Browser ID

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Fri, 15 Jul 2011 09:39:22 +0100
Message-ID: <4E1FFCBA.7030602@openlinksw.com>
To: public-xg-webid@w3.org
On 7/15/11 5:29 AM, Ben Adida wrote:
> Hi folks,
> We'll be posting more info on browserid in the next few days, keep an 
> eye on http://identity.mozilla.com.
> There are similarities to WebID for sure. There's one important 
> difference: our identifiers are email addresses,

Remember, WebID is URI rather than HTTP URI based. It too works fine 
with mailto: scheme URIs. Our implementation of WebID protocol supports 
mailto: scheme based WebIDs courtesy of WebFinger and Fingerpoint.

I assume WebFinger is still part of the email verification protocol that 
underlies BrowserID? I ask because this is the most important point of 
integration between WebID and BrowerID.

Also, does XRDS remain a critical part of BrowserID? If so, what the 
@rel based relation for public keys or URLs for DER based 
representations of X509 certs? Again, making these clear make WebID and 
BrowserID bridging quite trivial.

> and we're using JSON-based assertions and certs (JWS and JWT) to keep 
> things very simple.

Do you mean "simply simple" or "deceptively simple" ? Anyway, if you 
keep the bridge points to WebID (as outlined above) in place you inherit 
"deceptively simple". For the record, "simply simple" doesn't scale, 
never has, and won't break the mould now. Thus, please take this 
opportunity to lay down vital integration hooks re. WebID. You don't 
have to do anything bar leveraging URIs in a generic sense + make clear 
the relations used for associating a URI with a Public Key.

> (We don't actually want a hyper-generic certificate format, as that 
> tends to introduce complexity and grow the attack surface.)

Hmm. Don't agree, but not worth an argument or debate right now :-)
> This is, at this point, very much an experiment, so we look forward to 
> your feedback.

Feedback delivered.

> -Ben
> On 7/14/11 3:29 PM, Henry Story wrote:
>> I am CCing Ben Adida who posted some interesting information on 
>> Browser ID.
>>    For a general view:
>>     https://browserid.org/
>>   For detailed technical overview
>>     http://lloyd.io/how-browserid-works
>>    It is pretty close to what WebID does I think, except that they 
>> omit the TLS part, though they re-invent it using javascript - a bit 
>> like what Manu Sporny was working on. It removes the need for TLS but 
>> requires a browser extension to work - I gather on first reading. 
>> Since Mozilla is putting it forward I suppose that could work -- 
>> though it will take time for browsers to ship with all of this.
>>    If they could use the same keychain used by TLS and have both 
>> BrowserID use the same keys linked to the certificates WebID uses 
>> then the two could work nicely together perhaps. So if a Relying 
>> party could provide TLS - which I think more and more will with 
>> DNSsec and DANE rollout - then the certificate route could be used. 
>> For servers that did not have TLS, then this would be the better 
>> solution for a long time.
>>    In any case the UI remarks I made at the end of the video on 
>> http://webid.info/ are still needed in both cases.
>> Henry
>> Social Web Architect
>> http://bblfish.net/



Kingsley Idehen	
President&  CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
Received on Friday, 15 July 2011 08:39:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:45 UTC