[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Tue Aug 10 18:06:21 CEST 2010


Hi Kingsley,

On 09/08/10 21:03, Kingsley Idehen wrote:

>
> What do you mean by as easy to use as keygen? I don't believe there is a
> fundamental difference here since I have a single button for making the
> Cert. and another button for saving the Cert. to one's data space and
> then a check-box to enable WebID protocol based authentication. Can't be
> any simpler than that as long as the user interaction delivers context
> to the user.
>
>> Perhaps someone with Internet Explorer can make a screen cast of creating a certificate there (no need to do the account creation bit).
>>
>
> What do you think I did?
>
> My next screencast will simply use Internet Explorer in exactly the same
> way I did Safari. In both cases you click a single button and a Cert. is
> produced and persisted to the Windows OS Cert Manager.
>> If there are issues we need to try to find out how we can reduce them there.
>>
>
> You need to understand Windows security and PKI to get this to work. If
> it was easy there would be a boat load of implementations.
>
> Bruno: I run IE and every other known browser across a cocktail of
> platforms. Can I use your system to produce a Cert. that works with IE?
> I am going to try your link anyhow.

You can check out the code at 
<http://github.com/harbulot/keygenapp/tree/71e30f7e4e79e170cf52b839078bdb48b58de0a0/samplewebapp/src/main/webapp>. 
(I think Henry has made a few tweaks in his GitHub repository.)

The JS could be modified a bit to be less dependent on the HTML page 
from which it's loaded (it replaces the keygen tag in the DOM when the 
browser is IE; see the 'configurePage()' function).
Apart from this, these are JavaScript/ActiveX calls to the OS API, so 
it's using the OS certificate store (which IE uses).

The main problem was that this is not dependent on the version of IE, 
but on the version of the OS (mainly XP/2003 and Vista/2008/7); this 
script supports both CertEnroll and XEnroll.
It's meant to behave as closely as possible to the keygen behaviour.


I'm curious to know how you got around this:
>
> * Add this site to the Trusted Sites list: in Internet Options -> Security -> Trusted Sites -> Sites -> Add ...
>
> * You may need to configure the trust level (in this tab), using Custom Level...: enable Initialize and script ActiveX controls not marked as safe for scripting.
>
> * If you are using Windows Vista without SP1 or above, you will probably need to install this certificate as a Trusted Root Certification Authority Certificate for your own certificate installation to succeed. You should probably remove that trusted root CA certificate afterwards.

What's your one-click wizard written in and how is it launched?


Best wishes,

Bruno.

