[Openid-specs-ab] Fwd: Re: using HTTP 'From' request header

elf Pavlik perpetual-tripper at wwelves.org
Fri Dec 16 17:35:59 UTC 2011


Hello,

I started this thread on the webfinger mailing list:
https://groups.google.com/group/webfinger/browse_thread/thread/52599662c273a043

After a comment from Blaine on his old idea of webfinger-based authentication, Kingsley suggested a solution using WebID...
I would like to invite OpenID and BrowserID developers to also join this conversation =)

part of this thread:

--- Begin forwarded message from Kingsley Idehen ---
From: Kingsley Idehen <kidehen at openlinksw.com>
To: webfinger <webfinger at googlegroups.com>
Date: Fri, 16 Dec 2011 16:25:05 +0000
Subject: Re: using HTTP 'From' request header

On 12/16/11 10:30 AM, Blaine Cook wrote:
> On 16 December 2011 14:10, Paul E. Jones <paulej at packetizer.com> wrote:
>> With the syntax I saw, there is no associated security, so it's not
>> clear to me what benefit "From" would offer.
>>
>> Blaine, can you share more about this?  Is "From" something we should
>> introduce into Webfinger, or is this something that should be
>> considered at a later point?
>
> The "From" header is something that's been included in HTTP[1] since
> very early days, but, as Paul points out, there's no security
> associated with it so it was never used. Therefore, the header itself
> doesn't need to be specified.
> 
> The proposal that I've passed around and talked about is to combine
> the From header with webfinger to enable secure, authenticated HTTP
> requests. I've always considered this to be more important in the
> federated social web case, and less important for authenticating users
> who are using a web browser (or desktop / mobile client) since
> cookies, Basic Auth and OAuth already handle those cases, though
> various schemes can be imagined for the latter.
>
> Essentially, the use case is that Bob wants to subscribe to Alice's
> private feed on alice.com, but Bob wants to do so without signing up
> at alice.com; he wants to use bob.com for his subscription.
>
> Currently the web offers no way to make this happen. Either Alice
> publishes public data (as happens with RSS / Atom), or Bob signs up to
> alice.com to gain authorisation.
> 
> Using the From address, combined with Webfinger and a (hypothetical)
> rel=delegate link, Bob can designate requests from bob.com as being
> trusted by "him"; i.e., his email address.
> 
> I've attached a flow diagram that describes the process for the
> PubSubHubbub scenario. Note that cryptography could be used instead of
> dial-back authentication, but I worry that cryptographic approaches
> will be too complicated, especially for early deployment.
> 
> I've resisted standardising this process, since the only place I've
> seen it work is over XMPP, and I'd like to see some examples in the
> wild before working on standards to support the process (especially
> given that each delegation and negotiation flow will vary slightly
> from application to application).
> 
> Hope that helps explain my thinking on this – there was broad
> consensus that it's a Good Idea™ at the W3C TPAC in San Jose recently,
>  and I'd be glad to elaborate more on specific points where it'd be
> helpful.
> 
> b.
> 
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.22

You can achieve this using WebID based ACLs and Semantic Pingbacks 
(Pingback Protocol + WebID)

1. Alice and Bob both obtain WebIDs.
2. Alice publishes her feeds with an ACL specifically for her friend / 
circles network (Bob might not be a member, just yet).
3. Bob sends a Ping to Alice (this will show up in her stream, i.e., no 
different from seeing a new blog post, as in the old blogosphere pattern 
prior to Pingback's death by spam)
4. Alice adds Bob to her feeds ACL.

WebID leverages PKI, but PKI doesn't need to be hard for users. It can 
be simple across multiple platforms.

See:

1. http://id.myopenlink.net/certgen/ - simple Cert. Generator that 
produces x.509 certs. with WebID watermarks (these can include mailto: 
and acct: scheme URIs, and this service also leverages Webfinger when 
such are used as WebIDs in Certs. SAN)
2. http://id.myopenlink.net/ods/webid_demo.html -- simple WebID 
verification service
3. http://goo.gl/Ffg7R -- using Facebook as a WebID IdP
4. http://goo.gl/C1g4K -- using Twitter as a WebID IdP
5. http://goo.gl/a8InL -- using an AtomPub compliant blog (e.g., Blogger 
/ Blogspot and WordPress) as a WebID IdP.

--- End forwarded message ---
-- 
(living strictly moneyless already for over 2 years)
http://wwelves.org/perpetual-tripper
http://moneyless.info
http://hackers4peace.net
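The From + Webfinger + rel=delegate dial-back flow Blaine sketches above, written out as an added example that is not from the thread or any of its authors. The Webfinger JRD, the delegate endpoint, the callback and token fields and the in-memory stores are all assumptions standing in for network calls, and rel=delegate is hypothetical, as Blaine notes.

```python
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed Webfinger JRD that alice.com would fetch for the acct: subject
# (rel=delegate is the hypothetical link from the thread).
WEBFINGER_JRD = {
    "acct:bob@bob.com": {
        "subject": "acct:bob@bob.com",
        "links": [{"rel": "delegate", "href": "https://bob.com/delegate"}],
    },
}
# Constructed stand-in for bob.com's delegate endpoint: the dial-back
# tokens it minted for requests it actually sent out.
ISSUED_TOKENS = {"https://bob.com/delegate": {"tok-123"}}

def lookup_delegate(acct: str) -> Optional[str]:
    """Return the rel=delegate href from the (in-memory) Webfinger JRD."""
    jrd = WEBFINGER_JRD.get("acct:" + acct)
    for link in (jrd or {}).get("links", []):
        if link.get("rel") == "delegate":
            return link.get("href")
    return None

def dial_back(delegate: str, token: str) -> bool:
    """Stand-in for alice.com asking the delegate whether it issued the token."""
    return token in ISSUED_TOKENS.get(delegate, set())

def authorize_subscription(request: dict, acl: set) -> bool:
    """alice.com's check for a PubSubHubbub-style subscribe request.

    request carries the From header, the subscriber callback URL and a
    dial-back token; acl is the set of addresses Alice has approved.
    """
    _, address = parseaddr(request.get("From", ""))
    address = address.lower()
    if "@" not in address:
        return False                      # From is absent or unparseable
    delegate = lookup_delegate(address)
    if not delegate or urlparse(delegate).scheme != "https":
        return False                      # no delegate, or not a TLS endpoint
    # The delegate host, not the From header, is the trust anchor: the
    # callback must live on it, or anyone could claim to be Bob.
    if urlparse(request.get("callback", "")).hostname != urlparse(delegate).hostname:
        return False
    if not dial_back(delegate, request.get("token", "")):
        return False                      # the delegate never sent this request
    return address in acl                 # finally, Alice's own ACL decides
```

The From header alone proves nothing (as Paul and Blaine both say); only the delegate lookup plus the dial-back turns it into an authenticated claim, and the ACL is still Alice's decision.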