On 05/15/2013 11:04 PM, Philip Hands wrote:
> Do you have any thoughts on how that compares with using
> BrowserID/Persona? I'd got the impression that BrowserID has been put
> together learning from mistakes of OpenID & WebID, but perhaps I'm just
> swallowing their marketing.
It looks to me like BrowserID/Persona will only work in web browsers with a functional javascript stack (and eventually, with a functional javascript crypto stack). The client authentication happens inside the TLS layer, over the HTTP protocol.

If i understand the parts of WebID that intend to perform authentication correctly, it uses standard TLS client-side certificates to do pubkey authentication of the client *at* (not inside) the TLS layer, and only requires the use of HTTP(S) in one small place: on the backend, for servers who need to do key discovery via that mechanism.

Since i'm the kind of person who uses TLS to wrap protocols other than HTTP (though i also use it around HTTP), i'd prefer to adopt an authentication regime that isn't limited to that one protocol inside TLS, but rather works at the TLS layer directly. For example: it looks possible to use WebID for authentication in an IMAP client capable of STARTTLS.

Even if we limit ourselves to the HTTPS subset of the 'net, i'm also the kind of person who browses the web with javascript disabled most of the time (and uses and implements automated HTTPS clients that have no HTML DOM support, let alone javascript support), so i'd also prefer to adopt an authentication regime that doesn't necessarily rely on javascript or the HTML DOM.

For these reasons (which i think are relevant to debian), what i think folks are referring to as WebID here (client-side certs verified by some robust mechanism other than the standard CA cartel) sounds better than BrowserID to me.

It's possible that i've misunderstood or mischaracterized any of the protocols or tools mentioned here, though. If that's the case, i hope that someone will correct me.

Regards,

--dkg

PS thanks for keeping me cc'ed on replies
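The WebID-style flow the message describes, as an added illustration that is not code from this thread or from any WebID implementation: the server takes the client certificate presented at the TLS layer, reads the WebID URI from its Subject Alternative Name, and asks a key-discovery hook whether the profile at that URI publishes the certificate's public key; no CA chain is consulted. The names VerifyWebID, SelfSignedWebIDCert, ProfileKey and Lookup are assumed, and the Lookup hook stands in for the backend HTTP(S) fetch of the profile document.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// ProfileKey is what key discovery returns for a WebID: the RSA modulus and
// public exponent published in the profile document.
type ProfileKey struct {
	Modulus  *big.Int
	Exponent int
}

// Lookup is the assumed key-discovery hook (WebID URI -> published keys). In a
// real deployment it would fetch the profile over HTTP(S) on the backend.
type Lookup func(webid string) ([]ProfileKey, error)

// VerifyWebID authenticates a presented client certificate the WebID way:
// each SAN URI names a profile, and the certificate is accepted only if one
// of those profiles publishes exactly the key carried in the certificate.
func VerifyWebID(cert *x509.Certificate, lookup Lookup) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA client keys are handled here")
	}
	for _, u := range cert.URIs {
		keys, err := lookup(u.String())
		if err != nil {
			continue // unreachable or non-WebID URI: try the next SAN entry
		}
		for _, k := range keys {
			if k.Modulus.Cmp(pub.N) == 0 && k.Exponent == pub.E {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("no SAN URI profile publishes this certificate's key")
}

// SelfSignedWebIDCert builds the kind of certificate a WebID client presents:
// self-signed, with the WebID in the SAN URI field (constructed test data).
func SelfSignedWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID client"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The same VerifyWebID check works on a certificate handed over by any TLS-wrapped protocol, which is the point the message makes about IMAP with STARTTLS.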