On 8 Jun 2010, at 23:07, John Kemp wrote:

> Hi Henry,
> 
> On Jun 8, 2010, at 4:30 PM, Story Henry wrote:
> 
>> 
>> On 8 Jun 2010, at 22:18, Eddy Nigg (StartCom Ltd.) wrote:
>> 
>>> 
>>> On 06/08/2010 08:47 PM, From Story Henry:
>>>> You DON'T need to export the certificate! You just create a new one: it's
>>>> a one click procedure!
>>> 
>>> Doesn't that defeat the purpose and protection of using digital 
>>> certificates in first place?
>> 
>> No. 
>> 
>> That's the trick of foaf+ssl: we do not rely on Certificate Authorities to 
>> vouch for the client. The certificates can be either self signed, or signed 
>> by some unknown CA. 
>> 
>> The trick used is the same as the one used by OpenID. ( In fact OpenID 
>> inspired much of what is behind Web ID. ) The SSL connection lets the server 
>> know that the client has the private key of the public key sent in the X.509 
>> certificate. Because the X.509 certificate also contains the Web ID (in the 
>> subject alternative name position), the server can do an HTTPS GET on the 
>> WebID and if the public key matches there, identity is proven.
>> 
>> So we do change the server SSL/TLS proof method. I have put this past a lot 
>> of security experts in the past year, and we have implementations in most 
>> major languages. If you can see a problem
> 
> I see only the same problem I saw (and reported to you) 2 years ago

I have improved the answers, and made them easier to understand since then. 
Perhaps this will help:

http://esw.w3.org/Foaf%2Bssl/FAQ#How_does_Secure_Authentication_Work_with_FOAF.2BSSL.3F

> - which is that for all the cryptography involved, it still seems possible 
> for an individual to self-assert that they have a WebID and that it is linked 
> to some certificate and private/public key. 

What is the problem here?
What you get in return is a global identifier, one click authentication, 
browser integrated, with minimal communication, and security built in.

Perhaps you mean that you could create a WebID and assert you are me, by using 
my public key? But that would never work, because you don't have the 
corresponding private key.

I just added that as a FAQ
http://esw.w3.org/Foaf%2Bssl/FAQ#Could_I_not_simply_copy_your_foaf_profile_onto_my_server_and_pretend_I_am_you.3F


> Which is to say, why bother with all the crypto if a user can self-assert his 
> or her WebID and FOAF file anyway? 

Without the crypto you would not have authentication. You would just have a web 
page describing a person. The crypto allows the server to tie a description of 
a person to the agent at the other end of the https connection.

> OpenID relies on an OpenID provider "vouching" that a particular URI is 
> "owned" by some user for whom the OpenID provider has an account.

We do the same, but we bypass the need for the Identity Provider. 

(Perhaps this is the sticking point, as people have developed businesses around 
that? I think there are many more businesses that can be built in this area.)

> You could also run your own OpenID provider and self-assert that way. And the 
> question is whether that is a particularly interesting thing to do in a Web 
> context (as we self-assert all the time without any special protocols needed 
> and it works fine for many things without new techniques, systems or other 
> technology). 

Yes, it is not that different from usual e-mail authentication login, which is 
what powers most of the web currently. Except that here 

1. You don't have to create an account on every server
2. You don't have to give your email out
3. You can do it in one click
4. You get linked data with it
5. You can bring your social network along with you
6. No need for limited Attribute Exchange

And I think that's just the beginning. But I should be careful, or Dick Hardt 
will say I am overselling myself. The above is proven to work.

And the social aspect is exactly how Facebook and LinkedIn increase the quality 
of the data: it is crowd sourcing of attribute validation. Your friends are the 
people who vouch for you. No need for big co, or big governments. (Though they 
too have a role to play)

> 
> Regards,
> 
> - johnk
> 
>> it may be worth going over to the foaf-protocols mailing list
>> 
>>  http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>> 
>> Henry
>> 
>> 
>>> 
>>> Regards
>>> Signer:     Eddy Nigg, COO/CTO
>>>     StartCom Ltd. <http://www.startcom.org>
>>> XMPP:       [email protected] <xmpp:[email protected]>
>>> Blog:       Join the Revolution! <http://blog.startcom.org>
>>> Twitter:    Follow Me <http://twitter.com/eddy_nigg>
>>> 
>>> 
>>> _______________________________________________
>>> specs mailing list
>>> [email protected]
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>> 
> 

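An offline model of the server-side foaf+ssl check described in the thread above, added here as an illustration and not code from the foaf+ssl project or from any of Henry's implementations. The WebID URLs, the toy-sized RSA keys and the Turtle profile documents are constructed, and the TLS handshake's proof that the client holds the private key is assumed to have already happened; the model also covers the "copy your profile onto my server" case from the FAQ link.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    """What the server learns from the TLS handshake (constructed stand-in):
    the client proved it holds the private key for this public key, and the
    certificate's subjectAltName carried this WebID URI."""
    webid: str
    modulus: int
    exponent: int

HENRY = "https://henry.example/profile#me"      # constructed WebIDs
MALLORY = "https://mallory.example/profile#me"
HENRY_KEY = (0xC0FFEE, 65537)                   # toy-sized keys, constructed
MALLORY_KEY = (0xBAD5EED, 65537)

# Constructed Turtle document standing in for what an HTTPS GET would return.
# Mallory's server serves a verbatim copy of Henry's profile.
PROFILE_TTL = f"""
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<{HENRY}> cert:key [ cert:modulus "C0FFEE"^^xsd:hexBinary ; cert:exponent 65537 ] .
"""
PROFILES = {"https://henry.example/profile": PROFILE_TTL,
            "https://mallory.example/profile": PROFILE_TTL}

KEY_RE = re.compile(r"<([^>]+)>\s+cert:key\s+\[(.*?)\]", re.S)
MOD_RE = re.compile(r'cert:modulus\s+"([0-9A-Fa-f]+)"')
EXP_RE = re.compile(r"cert:exponent\s+(\d+)")

def keys_in_profile(turtle: str) -> dict:
    """Map each subject URI in the profile to the (modulus, exponent) pairs it
    publishes. Minimal regex parse of the cert: ontology shape used above only."""
    keys = {}
    for subject, block in KEY_RE.findall(turtle):
        mod, exp = MOD_RE.search(block), EXP_RE.search(block)
        if mod and exp:
            keys.setdefault(subject, set()).add((int(mod.group(1), 16), int(exp.group(1))))
    return keys

def fetch_profile(webid: str) -> str:
    """Offline stand-in for the server's HTTPS GET of the WebID document."""
    return PROFILES.get(webid.split("#", 1)[0], "")

def verify_webid(cert: ClientCert) -> bool:
    """The foaf+ssl check: the document at the WebID must list, for that very
    URI, the public key whose private half the client proved it holds."""
    published = keys_in_profile(fetch_profile(cert.webid))
    return (cert.modulus, cert.exponent) in published.get(cert.webid, set())
```

A certificate that names Henry's WebID but carries Mallory's key fails, as does Mallory's own WebID backed by the copied profile, because the copied document only vouches for Henry's URI.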
