Major Milestone: WebID over WebSockets
Henry Story
2011-12-22 10:48:55 UTC
What I initially had trouble understanding in Dave Longley's JavaScript implementation
of WebID is how the keys generated in one server and saved in a local datastore
get used from one server to another. That is never made clear in any documentation I have
seen.
In a conversation some time ago with one of the developers, I learnt that essentially until
the browser supports JavaScript access to the local keystore there is a lot of jumping around
using perhaps even OAuth in the background. So that means that the protocols in the
background are in fact very complicated and probably very difficult to secure. Cryptography
is notoriously tricky to get right, and JavaScript itself comes with a huge number of security
issues.
But all is not lost.
There is a group called the Web Crypto API that is being put in place
http://www.w3.org/wiki/IdentityCharter
Sorry the correct link is here now:
http://www.w3.org/2011/11/webcryptography-charter.html
And they had/have their discussions on the public-identity-***@public.gmane.org. They reduced their
aims from identity to cryptography and are in the final stages of building the charter.
And they are just developing their charter. If browsers support APIs to have
direct access to the crypto layer then of course those back end hacks won't be
needed and furthermore it will be secure, in which case one could use JavaScript
to do the WebID authentication perhaps to bring in web sites that don't have
TLS (hopefully a slowly diminishing number with DNSSEC deployment).
At the same time I think we can look at this work as a way to do proofs of concept
to open a discussion with BrowserId which also needs such a web cryptography layer.
Is Dave participating in the Crypto API group? I think that would be very useful.
Henry
Our CTO, Dave Longley, has been busy over the past week attempting to
get our pure JavaScript crypto/TLS library updated to remove the Flash
requirement from our WebID demos. He was successful.
Using a WebSockets-enabled browser, such as Google Chrome - go here and
https://webid.digitalbazaar.com/manage/
https://payswarm.com/webid-demo/
Select "Digital Bazaar WebID" as the provider and then "Select
(WebSocket)". You will be logged in and the login works faster than the
Flash-based version of our WebID implementation.
Just to be clear - this is a complete, open-source implementation of
x509, TLS, and WebID using pure JavaScript and standards-based browser
technologies.
You can view the source for Forge (the JavaScript x509/TLS/WebSockets
https://github.com/digitalbazaar/forge
https://github.com/digitalbazaar/webid-demo
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: PaySwarm Developer Tools and Demo Released
http://digitalbazaar.com/2011/05/05/payswarm-sandbox/
Social Web Architect
http://bblfish.net/