- From: Peter Williams <home_pw@msn.com>
- Date: Wed, 11 Jan 2012 00:11:51 -0800
- To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-W3DEC39311016D4D535150929E0@phx.gbl>
I deployed an authorization guard at my idweb site. If an OAUTH token is sent to the webid endpoint, it's evaluated using webid validation logic, assuming it contains a cert in the OAUTH claims. If I gave out the key, I don't see why an OAUTH v1 token could not be formulated directly, rather than doing what is now described.

The scenario fits one of our products, that is a thick client (using web services, including rest-based web services). How would I make it apply to the webid world (since it's not a browser)? The UA has the user's signing key, shared with the browser - since they are on the same windows machine typically. All apps on windows share keys (given security rules).

A demo UA signs a SAML2 token targeting my webid profile resource, which the resource STS in the cloud converts into an OAUTH v1 token (signed using an hmac known between it and the profile's guard). This is returned to the UA, which installs the OAUTH token into the www-auth header accompanying the web request, which thereby forwards the name and the cert (as signed by the cloud). This only happens if the cloud has verified the certificate and SAML assertion's signature classically (with no webid rules). The guard receiving the www-auth header then evaluates the additional webid rules (with no PKI rules), since it has a cert (much like SSL delivers a cert). Failed or happy verification returns an exception (403 or 200).

Anyways, got some kind of validator up in the cloud, using the cloud STS to do the heavy validation, leaving to the webid validator handling of the one particular extension (and modulus/exp) webid cares about. This allows the edge devices (i.e. the cloud STS) to be shielding mere resource servers from DOS - and enforcing proper cert handling, cert chain discovery etc.

Not going anywhere, but it's fun to see how webid will surely evolve - and work with all the other security technology families. Seems to have a nice fit, once divorced from SSL. Ok. Tomorrow, can try again at SSL. Let's finally see what Azure does with client certs, since there is a load balancer in the way.
Received on Wednesday, 11 January 2012 08:12:18 UTC
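The split the post describes, an STS minting an HMAC-signed OAuth v1-style token that carries the cert, and a resource guard that checks only the MAC and the WebID rule (SAN URI plus modulus/exponent), as an added Python example that is not code from the post or from the poster's products. Everything in it is constructed: the shared secret, the `token=` header form, the `PROFILES` dict standing in for dereferenced WebID profile documents, and the reduction of the cert claim to the two fields the guard cares about (no X.509 parsing is done).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the HMAC key "known between" the cloud STS and the guard.
SHARED_SECRET = b"example-sts-guard-shared-secret"

# Constructed stand-in for the WebID profiles the guard would dereference:
# WebID URI -> RSA public keys (modulus hex, exponent) published in the profile.
PROFILES = {
    "https://example.org/alice#me": [
        {"modulus": "c0ffee1234567890abcdef", "exponent": 65537},
    ],
}

NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed claims the STS would mint after its own classical checks (chain,
# SAML signature). The cert is reduced to the SAN URI and the RSA modulus/exp.
EXAMPLE_CLAIMS = {
    "sub": "alice",
    "exp": NOW + 300,
    "cert": {
        "webid": "https://example.org/alice#me",
        "modulus": "C0FFEE1234567890ABCDEF",
        "exponent": 65537,
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """STS side: serialise the claims and MAC them with HMAC-SHA1 (the MAC OAuth 1.0
    uses). The <body>.<mac> layout is a simplification for this example."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha1).digest()
    return f"{body}.{_b64url(mac)}"


def verify_token(secret: bytes, token: str, now=None):
    """Guard step 1: constant-time MAC check before parsing anything in the body,
    then reject expired tokens. Returns the claims dict or None."""
    body, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha1).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(mac)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64 / bad JSON (binascii.Error is a ValueError)
        return None
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims


def webid_check(claims: dict, profiles: dict) -> int:
    """Guard step 2, the WebID rule only (no PKI rules): the key in the cert claim
    must be one of the keys the profile named by the SAN URI publishes."""
    cert = claims.get("cert") or {}
    for key in profiles.get(cert.get("webid"), []):
        if (key["modulus"].lower() == str(cert.get("modulus", "")).lower()
                and key["exponent"] == cert.get("exponent")):
            return 200
    return 403


def guard(authorization: str, secret: bytes, profiles: dict, now=None) -> int:
    """Evaluate a constructed 'OAuth token=<token>' Authorization header value and
    return the status the guard answers with: 200 on success, 403 otherwise."""
    scheme, _, rest = authorization.partition(" ")
    if scheme != "OAuth" or not rest.startswith("token="):
        return 403
    claims = verify_token(secret, rest[len("token="):], now)
    if claims is None:
        return 403
    return webid_check(claims, profiles)


def demo() -> dict:
    """Happy path plus the failure modes a guard must close; returns status codes."""
    token = mint_token(SHARED_SECRET, EXAMPLE_CLAIMS)
    header = "OAuth token=" + token
    tampered = "OAuth token=" + ("f" + token[1:])  # one body character flipped
    return {
        "valid": guard(header, SHARED_SECRET, PROFILES, now=NOW),
        "wrong_secret": guard(header, b"not-the-shared-secret", PROFILES, now=NOW),
        "tampered_body": guard(tampered, SHARED_SECRET, PROFILES, now=NOW),
        "expired": guard(header, SHARED_SECRET, PROFILES, now=NOW + 3600),
        "key_not_in_profile": guard(header, SHARED_SECRET, {}, now=NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `verify_token` is the point worth keeping when this is built for real: the guard trusts nothing in the token (not even the JSON) until the MAC has been checked, and it checks the MAC with `hmac.compare_digest` rather than `==`. In a deployment the `cert` claim would be the actual certificate and the guard would pull the subjectAltName URI and RSA modulus/exponent from it, and `PROFILES` would be replaced by fetching the profile document at the WebID.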