[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Henry Story henry.story at gmail.com
Sun Aug 8 00:26:58 CEST 2010

Hi Manu,

I added a comment to your blog. Great work. (Sorry for misspelling
your name there...)

Here is a copy of the comment:

It's good to see that one can do this with flash and javascript too.
This will certainly grow the number of places WebIDs can be applied,
which is certainly a revolutionary technology in its simplicity and
power. The list of supported tools is very long as described in detail
on http://esw.w3.org/foaf+ssl

There are a couple of your claims above that I think need a little
tuning or explaining in more detail.

First the claim that WebIDs cannot be created in Internet Explorer is
not quite true. IE has an Active X component that comes with the
operating system and that is available. Creating a WebID using IE from
http://webid.myxwiki.org/ should work, though as I don't have Windows
I don't test it that much to tell the truth. Bruno Harbulot wrote a
piece of javascript to change the DOM to replace the HTML form with
calls to that Active X component. The advantage of doing it that way
is that it is going to be faster. Of course that requires Javascript
to be enabled on IE, but so does your solution :-)
Now the IE Active X solution may have some usability issues, but I
think it needs clearly pointing out what those issues are, so that
they can be understood clearly.

Secondly you say "you get the peace of mind that if you lose one of
your WebIDs, you can always just deactivate it via your WebID provider
and generate a new WebID". There is in fact a better way still: you
can keep your WebID, and just remove the public key from your public
profile. In fact you should be able to have any number of public keys
associated with one WebID.

Now when I log in to digital bazaar it asks me for the WebID I already
have (I have a few in fact). My browser -- Chromium -- asks me for my
client certificate, but then you don't use it! If this system should
allow me to use either my flash certificate or my browser certificate
this would be great -- if I have already submitted my browser
certificate then it should use that. So hopefully we can get it to
that point. Especially as me and many people have disabled flash - I
just reinstalled it for your site.

What I think you have done is to have tied one more keychain into the
WebID system: the flash keychain. Flash is really a browser in a
browser. Now it would be even better if flash could use the browser
keychain, because then the same keychains could be used for logging in
from the browser and flash.

After this tweaking I think we should have something very useful here
that will interoperate nicely with the many other WebID


Hope that helps,


On Sat, Aug 7, 2010 at 11:11 PM, Manu Sporny <msporny at digitalbazaar.com> wrote:
> We've been able to make a fairly significant breakthrough re: WebID in
> the past several weeks.
> Our engineering team has put together a pure Javascript+Flash
> implementation of WebID (client and server). This includes everything
> from certificate generation (replacing <keygen>) to storage (via Flash
> object storage) and client-side certificate negotiation of TLS connections.
> WebID – Universal Login for the Web
> http://blog.digitalbazaar.com/2010/08/07/webid/2/
> This is a big deal because we think that we may be able to get this
> stuff to work in IE 7 and many of the older browsers. We may be able to
> achieve 90%+ penetration for WebID in the browser. The interface to
> select client-side certificates would be unified across all websites and
> all browsers, including IE, Firefox, Chrome, Opera and Safari (since
> it's all HTML+CSS+Javascript).
> If you want to skip the blog post explaining this stuff, you can go
> straight to the WebID management page here (you will have to accept the
> bogus SSL certificates for the time being, we haven't bought verified
> SSL certificates for either site, yet):
> https://webid.digitalbazaar.com/manage/
> Or a sample login page here:
> https://payswarm.com/webid-demo/
> Your current WebIDs won't work with the demo because they exist in the
> browser's certificate chain and not the Flash storage object. We'll want
> to discuss the ramifications of this new breakthrough on the call on
> Tuesday.
> I'll send out an agenda soon.
> -- manu
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: WebApp Security - A jQuery Javascript-native SSL/TLS library
> http://blog.digitalbazaar.com/2010/07/20/javascript-tls-1/
> http://blog.digitalbazaar.com/2010/07/20/javascript-tls-2/
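
The point made in the reply above (one WebID can list any number of public keys, and a lost key is revoked by removing it from the profile rather than by abandoning the WebID) can be sketched as follows. This is an added example, not code from the thread or from Digital Bazaar; the profile object, the example.org URI, the key values and the function names are all constructed for illustration.

```javascript
// Constructed sample data: a WebID profile modelled as a plain object.
// A real verifier would dereference the WebID URI and parse the RDF it returns.
const profiles = {
  "https://example.org/people/alice#me": {
    keys: [
      { label: "browser keychain", modulus: "c0ffee01", exponent: 65537 },
      { label: "flash keychain", modulus: "deadbeef", exponent: 65537 },
    ],
  },
};

// Normalise a hex modulus so colons, case and leading zeros do not cause
// a false mismatch between the certificate and the profile.
function normHex(h) {
  return h.replace(/[^0-9a-f]/gi, "").replace(/^0+/, "").toLowerCase();
}

// cert: { webid, modulus, exponent } as extracted from the TLS client
// certificate (WebID from the subjectAltName URI, key from the cert itself).
function verifyWebID(cert, lookup = (uri) => profiles[uri]) {
  const profile = lookup(cert.webid);
  if (!profile) return { ok: false, reason: "profile not found" };
  const match = profile.keys.find(
    (k) =>
      normHex(k.modulus) === normHex(cert.modulus) &&
      Number(k.exponent) === Number(cert.exponent)
  );
  return match
    ? { ok: true, key: match.label }
    : { ok: false, reason: "key not listed in profile" };
}

// Revocation as described in the reply: drop one key, keep the WebID.
// Returns the number of keys removed.
function removeKey(webid, modulus) {
  const p = profiles[webid];
  if (!p) return 0;
  const before = p.keys.length;
  p.keys = p.keys.filter((k) => normHex(k.modulus) !== normHex(modulus));
  return before - p.keys.length;
}
```

After `removeKey` is called for one key, a certificate carrying that key stops verifying while certificates for the remaining keys of the same WebID still pass.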
