[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Kingsley Idehen kidehen at openlinksw.com
Tue Aug 10 00:26:21 CEST 2010

Henry Story wrote:
> Hi Kingsley, I watched your video that shows you creating a certificate
> for Internet Explorer http://www.youtube.com/watch?v=gzqHVUb3qrw
> Looking at that I can only agree with Manu Sporny that this is geeky.
> Bruno Harbulot managed to make it as easy to use as keygen with his javascript
> code at http://webid.myxwiki.org/ 
> Perhaps someone with Internet Explorer can make a screen cast of creating a certificate there (no need to do the account creation bit).
> If there are issues we need to try to find out how we can reduce them there.
> Henry


I have just tested the service at: <http://webid.myxwiki.org>, it 
doesn't offer the degree of simplicity that our solution offers. I make 
this comment to strongly refute what you claim above re. how our system 
works. Basically, you should test this yourself when you have access to 

Go to https://id.myopenlink.net/ods. It just works, i.e., create an 
account (manually or via your existing WebID). Then go to the profile edit 
and then go to the "Security" tab which has the X.509 sub menu for 
generating Certificates + associated private key (which are browser or 
OS hosted) and then persisting X.509 cert. to your profile.

We don't have display information such as what's presented below, 
because it isn't required, it just works.

Using Internet Explorer under Windows Vista or above or Windows Server 
2008, you need to configure the following for this to work:


* Add this site to the Trusted Sites list: in Internet Options -> 
Security -> Trusted Sites -> Sites -> Add ...

* You may need to configure the trust level (in this tab), using Custom 
Level...: enable Initialize and script ActiveX controls not marked as 
safe for scripting.

* If you are using Windows Vista without SP1 or above, you will probably 
need to install this certificate as a Trusted Root Certification 
Authority Certificate for your own certificate installation to succeed. 
You should probably remove that trusted root CA certificate afterwards.


Our Wizard (a signed "one click app or service") lets you create the 
root CA that is then used to sign the Personal Certificates.

One thing that we may have to add is the ability to force the root CA 
cert creation if we determine that this critical component isn't in 
place. Thus, when the Wizard is used for the first time we assume the 
root CA cert is being created and then at the end of the process 
commence Personal Cert. generation. Or just find a way to deliver the 
whole thing via one series of Wizard interactions.


> On 8 Aug 2010, at 15:57, Kingsley Idehen wrote:
>> It supports browsers that don't support keygen:
>> 1. IE.
>> The user interaction is simple:
>> 1. Go to: https://id.myopenlink.net
>> 2. Register with your existing WebID or get a new account
>> 3. Edit your Profile using the Profile Manager (at least add your email 
>> address to your profile)
>> 4. Use the "X.509" tab under "Security" to generate your X.509 Cert that 
>> includes your WebID (remember once you have an account you have a WebID, 
>> Profile Page URL, and an OpenID URL, all hooked together in conventional 
>> Linked Data style)
>> 5. Save the generated Cert. to your Profile (don't forget to hatch the 
>> "enable WebID login" option)
>> 6. Save and Exit Profile Manager
>> 7. Visit a WebID or OpenID based space on the Web from Windows, Mac OS 
>> X, Linux, or any other Unix Platform.
>> Re. Windows, there is no requirement for flash, we are simply using what 
>> Windows offers re. PKI. Note, this isn't really that different from Mac 
>> OS X (where Safari and Chrome simply use keygen as conduit to the 
>> Keyring Manager).



Kingsley Idehen	      
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
