
Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]



On 16/05/2013 05:04, Philip Hands wrote:
> Do you have any thoughts on how that compares with using
> BrowserID/Persona?  I'd got the impression that BrowserID has been put
> together learning from mistakes of OpenID & WebID, but perhaps I'm just
> swallowing their marketing.

IIUC, there is no transfer of metadata (name, etc.) with BrowserID,
unlike OpenID and WebID. An identity is an e-mail address, period.

A benefit compared to OpenID and WebID is that the relying party doesn't
need to query the identity provider each time, so this improves privacy.

BrowserID also relies on the CA cartel. You need to set up an HTTPS (with
a trusted certificate) server that responds to some hard-coded path [1]
to implement an identity provider. I see this as a serious limitation,
but I guess big identity providers don't care.

There is an open issue [2] about looking up information in DNS instead
of the current hard-coded path. Maybe this, combined with DNSSEC, could
lift the HTTPS constraint. But this is work in progress.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Persona/Implementing_a_Persona_IdP
[2] https://github.com/mozilla/browserid/issues/1523


Cheers,

-- 
Stéphane

