- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 24 Mar 2016 16:58:04 +1100
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Public TAG List <www-tag@w3.org>
On 24 March 2016 at 09:08, Tim Berners-Lee <timbl@w3.org> wrote:

> So can we get this functionality using web crypto in the short term?

The answer is yes, though it requires some work on the part of the entity hosting the "user's public ID". Other origins would have to ask it for permission to read the identity (the public key), probably using CORS, and they would also have to ask it (or a JS proxy it runs, probably in a service worker, maybe with foreign fetch) to sign things with that key to prove that the "user" really wants to authenticate.

UX here is the interesting part. You could use notifications from the SW to get users to interact with the ID-provider origin in order to grant permission to authenticate and that sort of thing. This looks a lot like OAuth, which isn't a coincidence.

And the browser is not involved. Not fundamentally. That the keys are on the browser, and the browser only, is something between the user and the ID-provider. You might argue that's a bad thing, but that's how I understand modern web identity to work. Take away all the fancy new stuff and fancy interfaces and you essentially have the systems that all the big identity providers have been using for years.
Received on Thursday, 24 March 2016 05:58:32 UTC