[foaf-protocols] local password - was WebID pre-alpha specification (uses RDFa)
kidehen at openlinksw.com
Fri Jul 16 21:02:57 CEST 2010
Bruno Harbulot wrote:
> On 16/07/10 19:08, Kingsley Idehen wrote:
>> Bruno Harbulot wrote:
>>>> At OpenLink we are committed to delivering painless PKI as part of our
>>>> WebID Protocol offerings, across all major platforms (Linux, UNIX, Mac
>>>> OS X, and Windows).
>>> Fair enough, but you can't really remove the pain of saving keys and
>>> the public terminal problem just like that, unless you've found a
>>> miracle solution :-) If you do so, that's probably by re-generating a
>>> certificate on the fly (by logging on to your WebID from the new
>>> browser), which is fine for the basic level of assurance, but may not
>>> be sufficient when you need trusted 3rd-parties to corroborate your
>>> public key. PKIs do that: the CA signs the association between your
>>> identifier (SubjectDN or SAN) and your public key.
>>> In addition, the mechanisms to choose a certificate are still not
>>> always great, depending on the browser.
>> Track my screenshots at:
>> http://twitpic.com/photos/kidehen :-)
> Oh sure, you have tools to generate the certificates, etc (and they
> look good indeed), but this doesn't solve the public terminal problem
> (without changing the public key), unless I missed something?
I don't quite grok the public terminal scenario and public key concern,
so you might need to clarify further. Worst case we get a nice problem
scenario use case etc..
You can have many pubkeys per WebID.
> That doesn't solve the certificate selection problem from the browser
> either as far as I'm aware.
> In terms of ease of use, I'm comparing this to clicking on one of the
> pre-defined OpenID providers on something like the StackOverflow login
> page, for example (e.g. Google).
> Of course, comparing solely on that aspect doesn't take into account
> the other aspects of WebID.
Re. StackOverlow and Identi.ca, they are subjects of the WebID + OpenID
hybrid protocol screencast I put out on YouTube last weekend.
I have one based on FF and the other based on Safari.
The Safari one followed FF, so I was able to log into identi.ca and
StackOverflow (using their respective OpenID authentication routes)
without performing any re-association between the local web app accounts
and my OpenID. I use one URL for my FOAF Profile Doc and OpenID etc.. If
something goes wrong (e.g. forget my private key on a foreign computer,
I log into my data space and drop the pubkey and generate another).
> Unfortunately, if you change the public key and the certificate
> whenever you need to use the certificate, the site's trusted 3rd
> parties can't sign your key whenever you need, so you're back to the
> basic level of assurance, again, no better than OpenID.
> Nothing wrong with that, but I'm not sure what the majority of users
> would prefer: clicking on a well-known OpenID provider or creating
Methinks, people would like to get rid of the username and password
tedium with or without OpenID (hence the hybrid protocol importance). In
addition, they want agents to traverse Linked Data meshes, naturally as
per WebID's inner most virtue :-)
> Best wishes,
President & CEO
More information about the foaf-protocols