[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Manu Sporny msporny at digitalbazaar.com
Sun Aug 8 06:24:24 CEST 2010

On 08/07/2010 06:26 PM, Henry Story wrote:
> There are a couple of your claims above that I think need a little
> tuning or explaining in more detail.
> First the claim that WebIDs cannot be created in Internet Explorer is
> not quite true. IE has an Active X component that comes with the
> operating system and that is available. Creating a WebID using IE from
> http://webid.myxwiki.org/ should work, though as I don't have Windows
> I don't test it that much to tell the truth. Bruno Harbulot wrote a
> piece of javascript to change the DOM to replace the HTML form with
> calls to that Active X component. The advantage of doing it that way
> is that it is going to be faster. Of course that requires Javascript
> to be enabled on IE, but so does your solution :-)
> Now the IE Active X solution may have some usability issues, but I
> think it needs clearly pointing out what those issues are, so that
> they can be understood clearly,

I've tried to fix the language in the blog post to state that IE needs
an ActiveX component to generate a proper certificate in IE.

> Secondly you say "you get the peace of mind that if you lose one of
> your WebIDs, you can always just deactivate it via your WebID provider
> and generate a new WebID". There is in fact a better way still: you
> can keep your WebID, and just remove the public key from your public
> profile. In fact you should be able to have any number of public keys
> associated with one WebID.

Hmm, that's what I meant to convey in the blog post, but failed to do
so. I've fixed up some of the language to make the point you make above,
and the one I was trying to make initially, more clear.

> Now when I log in to digital bazaar it asks me for the WebID I already
> have (I have a few in fact). 

We think that this is an Apache misconfiguration... we set client-side
certificate support to optional, so we'll look into this a bit more
early next week.

> My browser -- Chromium -- asks me for my
> client certificate, but then you don't use it! If this system should
> allow me to use either my flash certificate or my browser certificate
> this would be great -- if I have already submitted my browser
> certificate then it should use that. So hopefully we can get it to
> that point. Especially as me and many people have disabled flash - I
> just reinstalled it for your site.

Yes, I think that's quite do-able - shouldn't be difficult to
accomplish. I'll talk with our engineering team and see what they have
to say.

> What I think you have done is to have tied one more keychain into the
> WebID system: the flash keychain. Flash is really a browser in a
> browser. Now it would be even better if flash could use the browser
> keychain, because then the same keychains could be used for logging in
> from the browser and flash.

Unfortunately, we don't currently know of any way of retrieving the
browser keychain via Flash or Javascript in any sort of reliable fashion
across all browsers.

Our current thinking is to entirely abandon the native browser
client-side certificate generation and selection mechanism because it is
complicated and broken. The browser-based interfaces leave much to be
desired when viewed from a regular website usability perspective. Having
the mechanism live entirely in HTML+Javascript+Flash allows us to make
the usability story better when generating and selecting a WebID.

Waiting on the browser manufacturers to improve their client-side
certificate management UIs will take years. That doesn't mean that
people wouldn't be able to use the browser-based certificate management
mechanism for WebID, just that we think that approach is a dead end.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: WebID - Universal Login for the Web
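The thread makes two protocol points worth seeing in code: a WebID profile may list any number of public keys, and "losing" a certificate is handled by deleting that key from the profile rather than by abandoning the WebID. The following is an added example (not code from this thread, from Digital Bazaar, or from the webid.myxwiki.org site) that simulates the relying party's check. It assumes a simplified profile store (a dict instead of real RDF with cert:modulus / cert:exponent triples), made-up WebID URIs and key values, and a certificate already reduced to its subjectAltName URI plus RSA modulus and exponent; it also normalises the modulus the way a practitioner must, since certificate tooling prints it as `00:A3:F1:...` while profiles usually carry bare lowercase hex.

```python
import copy
import re
from typing import Dict, List, Optional

# Constructed sample profile store: one hypothetical WebID with two public keys
# attached (e.g. a browser-generated certificate and a Flash-generated one).
# Key values are made up; a real profile is RDF, not a dict.
PROFILES: Dict[str, List[dict]] = {
    "https://example.org/alice#me": [
        {"label": "browser-cert", "modulus": "a3f1079c2be45d91", "exponent": 65537},
        {"label": "flash-cert",   "modulus": "7b0e44c9d2aa1f30", "exponent": 65537},
    ],
}


def normalize_modulus(value: str) -> str:
    """Canonicalise a hex RSA modulus so renderings compare equal.

    Drops colons and whitespace, lowercases, and removes leading zero bytes
    (the '00' that DER-style dumps prepend is a sign byte, not key material).
    """
    hexstr = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("modulus is not hex: %r" % value)
    return format(int(hexstr, 16), "x")


def key_matches(profile_key: dict, cert_modulus: str, cert_exponent: int) -> bool:
    """True if the key listed in the profile is the key in the certificate."""
    return (normalize_modulus(profile_key["modulus"]) == normalize_modulus(cert_modulus)
            and int(profile_key["exponent"]) == int(cert_exponent))


def authenticate(cert: dict, profiles: Dict[str, List[dict]]) -> Optional[str]:
    """Return the WebID URI if the certificate's public key appears in that URI's profile.

    `cert` is {"san_uri", "modulus", "exponent"}: the subjectAltName URI and the
    RSA public key taken from the client certificate (simulated here). The
    certificate itself is untrusted; only the profile lookup binds key to WebID.
    """
    webid = cert.get("san_uri")
    if not webid:
        return None
    for key in profiles.get(webid, []):
        if key_matches(key, cert["modulus"], cert["exponent"]):
            return webid
    return None


def revoke_key(webid: str, label: str, profiles: Dict[str, List[dict]]) -> int:
    """Remove one key from the profile; the WebID and its other keys stay.

    Returns the number of keys removed (0 if nothing matched).
    """
    keys = profiles.get(webid)
    if keys is None:
        return 0
    before = len(keys)
    keys[:] = [k for k in keys if k["label"] != label]
    return before - len(keys)


def demo():
    """Walk through: login with browser key, revoke it, login fails, Flash key still works."""
    profiles = copy.deepcopy(PROFILES)
    webid = "https://example.org/alice#me"
    browser_cert = {"san_uri": webid,
                    "modulus": "00:A3:F1:07:9C:2B:E4:5D:91",  # openssl-style rendering
                    "exponent": 65537}
    flash_cert = {"san_uri": webid, "modulus": "7b0e44c9d2aa1f30", "exponent": 65537}

    first = authenticate(browser_cert, profiles)            # -> webid
    removed = revoke_key(webid, "browser-cert", profiles)   # -> 1
    second = authenticate(browser_cert, profiles)           # -> None (key gone)
    third = authenticate(flash_cert, profiles)              # -> webid (still listed)
    return first, removed, second, third


if __name__ == "__main__":
    print(demo())
```

The important design point is that a certificate naming a WebID in its subjectAltName proves nothing by itself; the relying party fetches the profile and accepts the login only when the presented public key is one of those listed there. That is why removing the key from the profile is sufficient revocation, and why several keys per WebID are natural.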
