Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]

To: debian-devel@lists.debian.org
Subject: Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
From: Jonas Smedegaard <dr@jones.dk>
Date: Thu, 16 May 2013 12:20:31 +0200
Message-id: <[🔎] 20130516102031.29499.62330@bastian.jones.dk>
In-reply-to: <[🔎] 51949F6F.3010700@debian.org>
References: <[🔎] 87y5btehw3.fsf@gkar.ganneff.de> <[🔎] 20130506070543.GE25004@x230-buxy.home.ouaza.com> <[🔎] 87haif7vkv.fsf@gkar.ganneff.de> <[🔎] 20130507062252.GA32129@x230-buxy.home.ouaza.com> <[🔎] 87haibnb9y.fsf@windlord.stanford.edu> <[🔎] 8738tpwxtk.fsf@inf-8657.int-evry.fr> <[🔎] 20130514140321.23166.32356@bastian.jones.dk> <[🔎] 5193133C.7050506@fifthhorseman.net> <[🔎] 87li7fy6am.fsf@poker.hands.com> <[🔎] 51949F6F.3010700@debian.org>

Quoting Stéphane Glondu (2013-05-16 10:57:19)
> Le 16/05/2013 05:04, Philip Hands a écrit :
> > Do you have any thoughts on how that compares with using 
> > BrowserID/Persona?  I'd got the impression that BrowserID has been 
> > put together learning from mistakes of OpenID & WebID, but perhaps 
> > I'm just swallowing their marketing.
> 
> IIUC, there is no transfer of metadata (name, etc.) with BrowserID, 
> unlike OpenID and WebID. An identity is an e-mail address, period.

Sounds like your are describing (optional(?) extensions to) OpenID.

With WebID only an ID is transfered. That transfered ID is a URI 
pointing to a resource optionally containing more info.


> A benefit compared to OpenID and WebID is that the relying party 
> doesn't need to query the identity provider each time, so this 
> improves privacy.

Again, sounds like you are describing OpenID only.

WebID allows (and encourages) caching.


> BrowserID also relies on the CA cartel. You need to setup an HTTPS 
> (with a trusted certificate) server that responds to some hard-coded 
> path [1] to implement an identity provider. I see this as a serious 
> limitation, but I guess big identity providers don't care.
> 
> There is an open issue [1] about looking up information in DNS instead 
> of the current hard-coded path. Maybe this, combined with DNSSEC, 
> could lift the HTTPS constraint. But this is work in progress.

This seems similar as WebID: In principle ties to HTTPS - and therefore 
the CA cartel - is only optional (other URIs than http ones suffice).  
In reality alternatives to HTTP(S) is work in progress.

If I understand correctly, BrowserID is by design tied to browsers - 
i.e. humans identifying themselves towards servers. WebID is not tied to 
browsers: it is equally useful for server-to-server communication.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Reply to:

Follow-Ups:
- Re: Web ID as passwordless authentication for debian web services
  - From: Russ Allbery <rra@debian.org>

References:
- Developer repositories for Debian
  - From: Joerg Jaspert <joerg@ganneff.de>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Joerg Jaspert <joerg@debian.org>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Russ Allbery <rra@debian.org>
- Re: Developer repositories for Debian
  - From: Olivier Berger <obergix@debian.org>
- Re: Developer repositories for Debian
  - From: Jonas Smedegaard <dr@jones.dk>
- Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Philip Hands <phil@hands.com>
- Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Stéphane Glondu <glondu@debian.org>

Prev by Date: Re: /bin/sh (was Re: jessie release goals)
Next by Date: Re: Debian development and release: always releasable (essay)
Previous by thread: Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
Next by thread: Re: Web ID as passwordless authentication for debian web services
Index(es):
- Date
- Thread