kidehen at openlinksw.com
Sun Aug 8 15:57:16 CEST 2010
Manu Sporny wrote:
> We've been able to make a fairly significant breakthrough re: WebID in
> the past several weeks.
> implementation of WebID (client and server). This includes everything
> from certificate generation (replacing <keygen>) to storage (via Flash
> object storage) and client-side certificate negotiation of TLS connections.
> WebID – Universal Login for the Web
> This is a big deal because we think that we may be able to get this
> stuff to work in IE 7 and many of the older browsers.
> We may be able to
> achieve 90%+ penetration for WebID in the browser. The interface to
> select client-side certificates would be unified across all websites and
> all browsers, including IE, Firefox, Chrome, Opera and Safari (since
I assume you know that I demonstrated WebID (end to end support) using
Windows (across IE, Chrome, Firefox, and Safari) a few weeks ago via my
YouTube screencasts and TwitPic screenshots.
On Windows we solve the problem by making a "one click" application
(sort of like a signed Java Applet). In addition, you need to be able to
create and register a Root CA Cert. on Windows, otherwise you don't have a
solution that will work (Windows is very tight on security so it won't
simply work with self-signed certs; you have to make a Root CA Cert
which can be for yourself and then register with the Windows Cert.
What we have right now is a solution that just works on Windows; you can
try it at: https://id.myopenlink.net . It covers browsers that support
It supports browsers that use keygen as front for the Windows Cert. Manager:
It supports browsers that don't support keygen:
The user interaction is simple:
1. Go to: https://id.myopenlink.net
2. Register with your existing WebID or get a new account
3. Edit your Profile using the Profile Manager (at least add your email
address to your profile)
4. Use the "X.509" tab under "Security" to generate your X.509 Cert that
includes your WebID (remember once you have an account you have a WebID,
Profile Page URL, and an OpenID URL (all hooked together in conventional
Linked Data style))
5. Save the generated Cert. to your Profile (don't forget to check the
"enable WebID login" option)
6. Save and Exit Profile Manager
7. Visit a WebID or OpenID based space on the Web from Windows, Mac OS
X, Linux, or any other Unix Platform.
Re. Windows, there is no requirement for flash, we are simply using what
Windows offers re. PKI. Note, this isn't really that different from Mac
OS X (where Safari and Chrome simply use keygen as conduit to the
> If you want to skip the blog post explaining this stuff, you can go
> straight to the WebID management page here (you will have to accept the
> bogus SSL certificates for the time being, we haven't bought verified
> SSL certificates for either site, yet):
It didn't give me the option to sign up using my existing WebID.
> Or a sample login page here:
I couldn't use my existing WebID.
> Your current WebIDs won't work with the demo because they exist in the
> browser's certificate chain and not the Flash storage object. We'll want
> to discuss the ramifications of this new breakthrough on the call on
> I'll send out an agenda soon.
1. http://www.youtube.com/watch?v=Jro-Gzw1amM -- WebID user interaction
flow using Windows and IE
2. http://www.youtube.com/watch?v=gzqHVUb3qrw -- WebID user interaction
flow using Safari and Mac OS X
3. http://twitpic.com/photos/kidehen -- collection of screenshots
showing the Windows Cert. Manager (which exists as both a native and
remotely loadable "one click" application).
> -- manu
President & CEO