[OpenID] Windows Live ID OpenID CTP Status Update (August 2009)

Story Henry henry.story at bblfish.net
Sun Aug 30 03:29:05 UTC 2009


On 30 Aug 2009, at 04:39, Peter Williams wrote:

> Can we make the webid that we put in the self-signed cert have the  
> form
>
> http://foaf.com/peter.rdf#me#<hash> ?

Don't think so. That's an invalid URL I believe. (I may be wrong)

It is not good architecture to put meaning into URLs such that  
protocols depend on those - which is not to say that they should not  
be humanly readable. That ties URLs between sites much too closely  
together, and I believe unnecessarily.


>
> Let's assume that the webid in the (self-signed) client cert's  
> extended subject name (uri variety) has such a hash fragment - and  
> that acts in addition to the fragment label (#me) that more  
> typically denotes the asserted subject.
>
> Let's assume now that the value of the fragment is hash(foaffile).
>
> Could we make an SSL server's act of resolving the webid+fragment  
> now validate the integrity of the referenced foaf data? ...much as  
> one does with signed XRD today - when references in the signed info  
> of an xml dsig are typically validated using hashes?

Again, I don't think that would be the right way to go about it. The  
URL would have to change whenever you changed your file. Better to  
just sign the document somehow that describes the resource canonically  
referred to by the WebId. We have been thinking about that. But for  
the moment have not explored signing the files, as that adds a level  
extra complexity to the programming of the protocol. But it should be  
possible to do that. We need to work out what advantages this would  
procure. It may not be quite as much as hoped. It may be more.  
Something to explore...

>
> To implement, one simply borrows the reference resolver/digester  
> routines from the existing xml dsig API, surely?
>
>
> Of course, that objects in the foaf file denoted by "http://...#me"  
> may also contain the assertion of the subject's openid "account" - a  
> value such as http://openid.yahoo.com, perhaps.

Yes, foaf has the foaf:openid relation that allows one to list the  
OpenIDs a user has. Use that to create a foaf+ssl OpenId proxy. Toby  
Inkster wrote such a service which I described here:

see: http://blogs.sun.com/bblfish/entry/join_the_foaf_ssl_community

The nice thing about this OpenID IDP is that you don't have to enter  
any attributes into it. You just leave them in your foaf file, and you  
just get OpenId for free, and all the web sites just keep working.

That OpenId web service would need some work. It does not seem to work  
with many services, but it proved the concept.


>
> Upon receiving the access request, now the SSL server might solicit  
> an assertion from the OP, in order to locally link the webid (in one  
> domain space) and openid (in another domain space).
>
> All we really need do to achieve this, surely, is put the user's  
> webid in the sreg.homepage store attribute.

You can do it more RESTfully by linking the openid page to the foaf,  
and to the generic IDP.


>
> I'm never sure if folks' desire to "harmonize" the various  
> almost-mature identity efforts is real, or just lobbyist spin. If  
> they are real, there is SO much we can do, when folks combine!
>
> Just think about it. 3 outsider technologies (SSL client certs,  
> FOAF, openid2) combining .. to define a version of https now fit for  
> the semweb!!

Yep, that would be really cool. I'll try to be at the Identity Workshop  
in SF in November.
http://www.internetidentityworkshop.com/


>
>
> -----Original Message-----
> From: openid-general-bounces at lists.openid.net [mailto:openid-general- 
> bounces at lists.openid.net] On Behalf Of Story Henry
> Sent: Saturday, August 29, 2009 11:52 AM
> To: John Bradley
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] Windows Live ID OpenID CTP Status Update  
> (August 2009)
>
>
> On 29 Aug 2009, at 20:44, John Bradley wrote:
>
>> Using SSL client auth seemed like a good idea to me 10 years ago.
>>
>> Combining it with FOAF is interesting.
>>
>> I suspect that getting people at large to configure client certs is
>> unlikely.
>
> It turns out that that is as easy as clicking a button. Firefox,
> Safari and Opera use the until now undocumented keygen tag, now in  
> HTML5:
>
> http://dev.w3.org/html5/spec/Overview.html#the-keygen-element
>
> As I said you can try that with http://foaf.me
> 1. fill in the form
> 2. create your foaf file
> 3. click the create cert button
>
> foaf.me can be improved a lot. But it shows the potential here.
>
> You can get the same as keygen with ActiveX in IE. We are looking
> for VB people to help us test that.
>
> Henry
>
>
>>
>> That was one of the things that led to the development of
>> Information cards.
>>
>> It is worth considering amongst the options. However I personally
>> gave up on that approach a good while ago.
>>
>> John B.
>> On 29-Aug-09, at 2:27 PM, Story Henry wrote:
>>
>>> If you want one click authentication that works with most current
>>> browsers, that does not require a username, nor a password, and
>>> where the browser offers the user a popup to select his identity
>>> then have a look at foaf+ssl.
>>>
>>> http://esw.w3.org/topic/foaf+ssl
>>>
>>> An example implementation is http://foaf.me/
>>> which will create a certificate for you in Firefox, Safari and
>>> Opera after you created your foaf file. (We could get IE to work
>>> too but it requires a bit of ActiveX (no download required) hacking.)
>>>
>>> Henry
>>>
>>> On 29 Aug 2009, at 20:21, John Bradley wrote:
>>>
>>>> I have never thought that training users to give out their email
>>>> address to whoever asks for it is a good idea.
>>>>
>>>> I understand the attraction of using email address as it is the
>>>> identifier that requires the least explanation.
>>>>
>>>> Would having someone enter their email or identity provider be too
>>>> confusing for people?
>>>>
>>>> I always thought your me.yahoo.com was a good model.
>>>>
>>>> Where we are going to hit serious problems first is with services
>>>> like openID for google domains, and OPX now from JanRain.
>>>>
>>>> The current NASCAR doesn't have enough space for thousands of OPs.
>>>>
>>>> One approach is to come up with a way for users to advertise to RP
>>>> who their preferred providers are.
>>>> That way the RP can customize the UI more appropriately for the
>>>> user.
>>>>
>>>> One approach would be a browser plugin that injects JavaScript
>>>> into the page.
>>>>
>>>> Another would be to have a centralized discovery service, that a
>>>> RP could query via JS in the browser.
>>>> OPs would register themselves with the service.
>>>>
>>>> The latter certainly has privacy issues.
>>>>
>>>> John B.
>>>> On 29-Aug-09, at 12:42 PM, Allen Tom wrote:
>>>>
>>>>> How about if we ditch the OP buttons and just display this:
>>>>>
>>>>> Enter your email address or Profile URL: [...................]
>>>>>
>>>>> Allen
>>>>>
>>>>>
>>>>> John Bradley wrote:
>>>>>>
>>>>>>
>>>>>> A better UI is needed however.
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>>
>


