[OpenID] Windows Live ID OpenID CTP Status Update (August 2009)

Peter Williams pwilliams at rapattoni.com
Sun Aug 30 02:39:57 UTC 2009


Can we make the webid that we put in the self-signed cert have the form

http://foaf.com/peter.rdf#me#<hash> ?


Let's assume that the webid in the (self-signed) client cert's extended subject name (uri variety) has such a hash fragment - and that acts in addition to the fragment label (#me) that more typically denotes the asserted subject.

Let's assume now that the value of the fragment is hash(foaffile).

Could we make an SSL server's act of resolving the webid+fragment now validate the integrity of the referenced foaf data? ...much as one does with signed XRD today - when references in the signed info of an xml dsig are typically validated using hashes?

To implement, one simply borrows the reference resolver/digester routines from the existing xml dsig API, surely?


Of course, that objects in the foaf file denoted by "http://...#me" may also contain the assertion of the subject's openid "account" - a value such as http://openid.yahoo.com, perhaps.

Upon receiving the access request, now the SSL server might solicit an assertion from the OP, in order to locally link the webid (in one domain space) and openid (in another domain space).

All we really need do to achieve this, surely, is put the user's webid in the sreg.homepage store attribute.

I'm never sure if folks desire to "harmonize" the various almost-mature identity efforts are real, or just lobbyist spin. If they are real, there is SO much we can do, when folks combine!

Just think about it. 3 outsider technologies (SSL client certs, FOAF, openid2) combining .. to define a version of https now fit for the semweb!!

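The integrity check proposed above, as an added example that is not part of Peter Williams' message or of the foaf+ssl project: the fragment carries hash(foaffile), and the relying SSL server recomputes it over the dereferenced document before trusting the profile. The FOAF document, the URL, the simulated fetch and the choice of SHA-256 are assumptions; note that RFC 3986 allows only one '#' in a URI, so the literal "#me#<hash>" form would need a different separator in a real deployment.

```python
import hashlib
import hmac

# Constructed FOAF document (Turtle), shaped like a foaf+ssl profile:
# "#me" is the subject label from the thread; the openid triple is the
# "account" assertion the message describes.
FOAF_DOC = b"""@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<#me> a foaf:Person ;
    foaf:name "Peter" ;
    foaf:openid <http://openid.yahoo.com> .
"""

def foaf_digest(doc: bytes) -> str:
    """hash(foaffile) as hex. SHA-256 is an assumption; the post names
    no algorithm."""
    return hashlib.sha256(doc).hexdigest()

def make_webid(doc_url: str, doc: bytes, label: str = "me") -> str:
    """Build the http://.../peter.rdf#me#<hash> form proposed in the
    post, for the cert's subjectAltName URI."""
    return f"{doc_url}#{label}#{foaf_digest(doc)}"

def split_webid(webid: str) -> tuple:
    """Return (document URL, subject label, expected digest). Splitting
    on the LAST two '#' is deliberate: a stock URI parser would put
    everything after the first '#' into one fragment."""
    parts = webid.rsplit("#", 2)
    if len(parts) != 3:
        raise ValueError("WebID carries no integrity fragment")
    return tuple(parts)

def verify_webid(webid: str, fetch) -> bool:
    """Relying-party side: dereference the document part of the WebID
    and accept only if its digest matches the fragment. fetch() stands
    in for the HTTP GET the SSL server would perform."""
    doc_url, _label, expected = split_webid(webid)
    return hmac.compare_digest(foaf_digest(fetch(doc_url)), expected)

# Simulated web: URL -> document bytes.
WEB = {"http://foaf.com/peter.rdf": FOAF_DOC}

def demo() -> tuple:
    """Check passes on the original file and fails once the hosted
    copy is altered (here the openid assertion is changed)."""
    webid = make_webid("http://foaf.com/peter.rdf", FOAF_DOC)
    ok_before = verify_webid(webid, WEB.__getitem__)
    altered = {"http://foaf.com/peter.rdf":
               FOAF_DOC.replace(b"openid.yahoo.com", b"other-op.example")}
    ok_after = verify_webid(webid, altered.__getitem__)
    return webid, ok_before, ok_after
```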

-----Original Message-----
From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Story Henry
Sent: Saturday, August 29, 2009 11:52 AM
To: John Bradley
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Windows Live ID OpenID CTP Status Update (August 2009)


On 29 Aug 2009, at 20:44, John Bradley wrote:

> Using SSL client auth seemed like a good idea to me 10 years ago.
>
> Combining it with FOAF is interesting.
>
> I suspect that getting people at large to configure client certs is
> unlikely.

It turns out that that is as easy as clicking a button. Firefox,
Safari and Opera use the until-now undocumented keygen tag, now in HTML5:

http://dev.w3.org/html5/spec/Overview.html#the-keygen-element

As I said you can try that with http://foaf.me
1. fill in the form
2. create your foaf file
3. click the create cert button

foaf.me can be improved a lot. But it shows the potential here.

You can get the same as keygen with ActiveX in IE. We are looking
for VB people to help us test that.

Henry


>
> That was one of the things that lead to the development of
> Information cards.
>
> It is worth considering amongst the options.  However I personally
> gave up on that approach a good while ago.
>
> John B.
> On 29-Aug-09, at 2:27 PM, Story Henry wrote:
>
>> If you want one click authentication that works with most current
>> browsers, that does not require a username, nor a password, and
>> where the browser offers the user a popup to select his identity
>> then have a look at foaf+ssl.
>>
>> http://esw.w3.org/topic/foaf+ssl
>>
>> An example implementation is http://foaf.me/
>> which will create a certificate for you in Firefox, Safari and
>> Opera after you created your foaf file. (We could get IE to work
>> too but it requires a bit of ActiveX (no download required) hacking.)
>>
>> Henry
>>
>> On 29 Aug 2009, at 20:21, John Bradley wrote:
>>
>>> I have never thought that training users to give out their email
>>> address to whoever asks for it is a good idea.
>>>
>>> I understand the attraction of using email address as it is the
>>> identifier that requires the least explanation.
>>>
>>> Would having someone enter their email or identity provider be too
>>> confusing for people.
>>>
>>> I always thought your me.yahoo.com was a good model.
>>>
>>> Where we are going to hit serious problems first is with services
>>> like openID for google domains, and OPX now from JainRain.
>>>
>>> The current NASCAR doesn't have enough space for thousands of OPs.
>>>
>>> One approach is to come up with a way for users to advertise to RP
>>> who their preferred providers are.
>>> That way the RP can customize the UI more appropriately for the
>>> user.
>>>
>>> One approach would be a browser plugin that injects java script
>>> into the page.
>>>
>>> Another would be to have a centralized discovery service, that a
>>> RP could query via JS in the browser.
>>> OP's would register themselves with the service.
>>>
>>> The latter certainly has privacy issues.
>>>
>>> John B.
>>> On 29-Aug-09, at 12:42 PM, Allen Tom wrote:
>>>
>>>> How about if we ditch the OP buttons and just display this:
>>>>
>>>> Enter your email address or Profile URL: [...................]
>>>>
>>>> Allen
>>>>
>>>>
>>>> John Bradley wrote:
>>>>>
>>>>>
>>>>> A better UI is needed however.
>>>>>
>>>>
>>>

_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

