[foaf-protocols] local password - was WebID pre-alpha specification (uses RDFa)
Kingsley Idehen
kidehen at openlinksw.com
Fri Jul 16 21:02:57 CEST 2010
Bruno Harbulot wrote:
>
>
> On 16/07/10 19:08, Kingsley Idehen wrote:
>> Bruno Harbulot wrote:
>>>> At OpenLink we are committed to delivering painless PKI as part of our
>>>> WebID Protocol offerings, across all major platforms (Linux, UNIX, Mac
>>>> OS X, and Windows).
>>>
>>> Fair enough, but you can't really remove the pain of saving keys and
>>> the public terminal problem just like that, unless you've found a
>>> miracle solution :-) If you do so, that's probably by re-generating a
>>> certificate on the fly (by logging on to your WebID from the new
>>> browser), which is fine for the basic level of assurance, but may not
>>> be sufficient when you need trusted 3rd-parties to corroborate your
>>> public key. PKIs do that: the CA signs the association between your
>>> identifier (SubjectDN or SAN) and your public key.
>>> In addition, the mechanisms to choose a certificate are still not
>>> always great, depending on the browser.
>>
>> Bruno,
>>
>> Track my screenshots at:
>>
>> http://twitpic.com/photos/kidehen :-)
>
> Oh sure, you have tools to generate the certificates, etc (and they
> look good indeed), but this doesn't solve the public terminal problem
> (without changing the public key), unless I missed something?
I don't quite grok the public terminal scenario and public key concern,
so you might need to clarify further. Worst case, we get a nice problem
scenario, use case, etc.
You can have many pubkeys per WebID.
> That doesn't solve the certificate selection problem from the browser
> either as far as I'm aware.
>
> In terms of ease of use, I'm comparing this to clicking on one of the
> pre-defined OpenID providers on something like the StackOverflow login
> page, for example (e.g. Google).
> Of course, comparing solely on that aspect doesn't take into account
> the other aspects of WebID.
Re. StackOverflow and Identi.ca, they are subjects of the WebID + OpenID
hybrid protocol screencast I put out on YouTube last weekend.
I have one based on FF and the other based on Safari.
The Safari one followed FF, so I was able to log into identi.ca and
StackOverflow (using their respective OpenID authentication routes)
without performing any re-association between the local web app accounts
and my OpenID. I use one URL for my FOAF Profile Doc and OpenID, etc. If
something goes wrong (e.g. I forget my private key on a foreign computer),
I log into my data space, drop the pubkey, and generate another.
>
> Unfortunately, if you change the public key and the certificate
> whenever you need to use the certificate, the site's trusted 3rd
> parties can't sign your key whenever you need, so you're back to the
> basic level of assurance, again, no better than OpenID.
> Nothing wrong with that, but I'm not sure what the majority of users
> would prefer: clicking on a well-known OpenID provider or creating
> certificates.
Methinks people would like to get rid of the username and password
tedium with or without OpenID (hence the hybrid protocol's importance). In
addition, they want agents to traverse Linked Data meshes, naturally, as
per WebID's innermost virtue :-)
>
>
> Best wishes,
>
> Bruno.
>
--
Regards,
Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
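As an added example, not code from this thread or from OpenLink: a toy Python model of the two points made above, that one WebID can list several public keys (one per browser) and that a key left behind on a foreign machine is revoked simply by dropping it from the profile. The profile structure, the URIs and the hex moduli are constructed placeholders, and the lookup table stands in for dereferencing the WebID over HTTP.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WebIDProfile:
    """Stand-in for a FOAF profile published at a WebID URI. Each entry in
    `keys` mirrors one listed RSA public key: (modulus hex, public exponent)."""
    webid: str
    keys: set = field(default_factory=set)

    def add_key(self, modulus_hex: str, exponent: int = 65537) -> None:
        self.keys.add((modulus_hex.lower(), exponent))  # case-normalised

    def drop_key(self, modulus_hex: str) -> int:
        """Revoke one key by removing it from the profile; returns count removed."""
        before = len(self.keys)
        self.keys = {k for k in self.keys if k[0] != modulus_hex.lower()}
        return before - len(self.keys)


def verify_webid(cert: dict, profiles: dict) -> Optional[str]:
    """Simplified WebID check. `cert` holds the WebID claimed in the
    certificate's subjectAltName and its public key; `profiles` stands in
    for fetching that WebID. The certificate may be self-signed: trust comes
    from the key matching the profile, not from a CA signature."""
    profile = profiles.get(cert["san_uri"])
    if profile is None:
        return None
    presented = (cert["modulus_hex"].lower(), cert["exponent"])
    return profile.webid if presented in profile.keys else None


def lost_key_scenario() -> tuple:
    """Two browsers, two keys; the laptop key is revoked by editing the profile."""
    alice = WebIDProfile("https://example.net/alice#me")  # constructed WebID
    alice.add_key("a1b2c3")  # laptop browser (placeholder, not a real modulus)
    alice.add_key("d4e5f6")  # phone browser (placeholder, not a real modulus)
    profiles = {alice.webid: alice}
    laptop = {"san_uri": alice.webid, "modulus_hex": "A1B2C3", "exponent": 65537}
    phone = {"san_uri": alice.webid, "modulus_hex": "d4e5f6", "exponent": 65537}
    # A certificate claiming Alice's WebID with a key she never published fails.
    unlisted = {"san_uri": alice.webid, "modulus_hex": "bad000", "exponent": 65537}
    before = (verify_webid(laptop, profiles), verify_webid(phone, profiles),
              verify_webid(unlisted, profiles))
    alice.drop_key("a1b2c3")  # laptop left on a foreign machine: drop its key
    after = (verify_webid(laptop, profiles), verify_webid(phone, profiles))
    return before, after
```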