Situation Analysis

The issue of flexible and verifiable identity is an InterWeb scale problem. I've stated on a number of occasions that WebID and its authentication (verification) protocol offer a viable and scalable solution by leveraging:

1. Internet Architecture

2. Web Architecture -- URIs

3. Linked Data -- directed graph based "whole data representation" that leverages de-referenceable URIs.

Here is a simple step-by-step guide that demonstrates how users of WordPress and other AtomPub-compliant Weblogs can achieve the following, right now:

1. Obtain an Info Card (X.509 Certificate / Security Token) with a WebID watermark

2. Verify the Info Card.

Steps to Generate your Info Card

1. In the web browser of your choice, go to <http://id.myopenlink.net/certgen>.

2. Place your Blog Home Page URL into the "Weblog" field.

3. Enter your username and password combination into the new page that has automatically discovered your Blog's AtomPub endpoint URL.

4. Following successful connection to your Blog (using AtomPub), the system will generate a placeholder post in your Blog. Click "next" to proceed to the next stage.

5. The "Certificate details" page now loads, using the placeholder post URL as the WebID watermark for the pending certificate. Change your "name" here, if you have or will have multiple certificates installed in your OS or browser -- so you can tell which is which, when prompted to provide an identity. If you like, you can also add an organization name or email address in the relevant fields.

6. Choose any Identity option, Key Strength, and/or Cipher (the defaults are fine), and click "Next".

7. On "Select signer of the Certificate," leave "Issuer" as "Self-Signed" and click "Generate".

8. On "Select format and store option", you must enter a password before proceeding. "PKCS#12 file bundle" (that is, a .p12 file you can persist on any filesystem) is the most flexible storage option. Click "Download" to save the .p12 file (named with the FriendlyName) to your local disk. Or pick the Browser PKI option, which results in a certificate request exchange between your browser and the host operating system or native browser keystore/keychain.

9. Click on the "Persist in IdP dataspace" button.

10. You are now presented with a tabbed interface that provides a variety of options for persisting your Info Card's fingerprint to a number of data spaces. In this case, click the second tab, labeled "Store using OAuth" (this really means, "store to the OAuth authenticated data space from the AtomPub bonding page"), and click the "save" button.

11. At this stage, you will be able to see a blog post with hashtag #WebID that includes your Info Card's fingerprint and its associated crypto hash function (MD5 or SHA1).

12. In your local OS filesystem UI, open (typically, double-click) the local .p12 resource (file) and your OS should commence the process of persisting the content to its native keystore or keychain. (Generally, you can take the defaults in all prompts, until saved.)

Steps to Verify Identity via Info Card with WebID watermark

1. In the web browser of your choice, go to <http://id.myopenlink.net/webid_demo.html> -- a simple HTML-based WebID verification app.

2. Click on the "check" button.

3. If prompted to choose an Identity, select the one you named in step 5, above.

4. Verification will either pass or fail.

What just happened?

You've just created a verifiable identifier for yourself that has been used as a watermark in an Info Card (something like a digital parallel to your passport or driver's license). You have also verified this identifier (i.e., acted like the passport or license office).

Passport Issuer

This is what happened when you generated the Info Card via the HTML wizard. To be precise, right up to the point where you saved the PKCS#12 (.p12) resource to your local disk and then imported it into your local operating system's keystore or keychain.

Passport Office

This is what happened when you clicked on the "Persist to IdP dataspace" button. Basically, the generator used your Blog's AtomPub endpoint URL (an HTTP-based URI, serving as a WebID) to locate a data space (in this case, via a WordPress hosted blog post) into which it placed the Fingerprint (a crypto hash) of the Info Card you just generated.

Identifier Verification

This happened when you invoked the HTML-based verification application at <http://id.myopenlink.net/webid_demo.html>. The mechanics are as follows:

1. Clicking the "check" button redirects to an https URL.

2. You are challenged to present an Info Card as part of the standard SSL/TLS handshake.

3. When the standard handshake completes, an additional verification step occurs, whereby this WebID protocol-compliant application (conventionally referred to as being in the role of Relying Agent) performs the following steps:

a. De-references the WebID in the Subject Alternative Name of the Info Card.

b. Locates a data object (a graph encapsulator) at an address.

c. Checks to see that it can find a Fingerprint for the certificate used to successfully complete the standard part of the SSL/TLS handshake; at this point you have success or failure.
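As an added example (not code from this post or from the OpenLink service it describes), here are the Relying Agent's post-handshake steps a to c in standard-library Python, together with a model of the #WebID post that step 11 leaves in the blog. It assumes the TLS layer has already handed over the client certificate's DER bytes and the URI from its Subject Alternative Name, that the post is obtained through a caller-supplied fetch function (a dict lookup here, so it runs offline), and that the post carries the fingerprint as hex digits, optionally colon-separated, beside the hash name; the blog URL, post layout and certificate bytes are all constructed.

```python
import hashlib
import re

HASHES = ("md5", "sha1")  # the two digest functions the post mentions; a modern deployment would add sha256
# 16 to 20 hex byte pairs, each optionally colon-separated (MD5 = 16 bytes, SHA1 = 20 bytes).
FP_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?::?[0-9A-Fa-f]{2}){15,19}\b")


def fingerprints(cert_der: bytes) -> dict:
    """A certificate fingerprint is the digest of its complete DER encoding."""
    return {h: hashlib.new(h, cert_der).hexdigest() for h in HASHES}


def fingerprints_in_post(post_text: str) -> set:
    """Every MD5/SHA1-sized fingerprint in the post, normalized to lowercase hex without colons."""
    found = {m.group(0).replace(":", "").lower() for m in FP_RE.finditer(post_text)}
    return {fp for fp in found if len(fp) in (32, 40)}


def make_idp_post(webid: str, cert_der: bytes, algo: str = "sha1") -> str:
    """Constructed layout (an assumption, not the real wizard's) for the #WebID post written in step 10."""
    fp = fingerprints(cert_der)[algo]
    colon = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    return f"#WebID {webid} certificate fingerprint ({algo.upper()}): {colon}"


def verify_webid(san_uri: str, cert_der: bytes, fetch) -> bool:
    """Steps a-c: de-reference the SAN URI, read the post found there, match the fingerprint.

    fetch(uri) returns the document text, or None when nothing is served at that address.
    """
    if not san_uri.lower().startswith(("http://", "https://")):
        return False  # a WebID has to be a de-referenceable HTTP(S) URI
    post = fetch(san_uri)  # steps a and b: the data object at the WebID address
    if post is None or "#WebID" not in post:
        return False  # nothing published there, or not a WebID post (the hashtag is the page's convention)
    claimed = fingerprints_in_post(post)
    actual = set(fingerprints(cert_der).values())
    return bool(claimed & actual)  # step c: the handshake certificate's fingerprint must be in the post


if __name__ == "__main__":
    # Constructed sample data: not a real certificate, not a real blog.
    WEBID = "http://blog.example/2011/05/webid-placeholder/"
    CERT_DER = b"constructed DER bytes standing in for the user's self-signed certificate"
    OTHER_DER = b"constructed DER bytes of some other certificate"
    blog = {WEBID: make_idp_post(WEBID, CERT_DER)}  # what step 11 shows in the blog
    print(verify_webid(WEBID, CERT_DER, blog.get))   # True
    print(verify_webid(WEBID, OTHER_DER, blog.get))  # False: that fingerprint was never published
```

Note that the check binds the certificate to whoever can write to the blog post, not to the certificate's issuer, which is why a self-signed Info Card is sufficient here.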

Why is this important?

The virtues of WebID have never been in doubt, once the concepts behind the protocol are understood. What's eternally challenging with new technology is how you roll it out to a community of existing users that are already aligned to existing applications and services.

This very simple process grants every WordPress (or other AtomPub-compliant Weblog) user the opportunity to acquire a self-signed Info Card, en route to exploiting the immense utility of verifiable identity at InterWeb scale.

Related
1. http://goo.gl/FFsjv -- using Twitter hosted posts (Tweets) as WebID Identity Provider (IdP) oriented data spaces.

2. http://webid.info -- additional information about WebID.

3. http://www.w3.org/wiki/WebID -- WebID Wiki.

#WebID #LinkedData #SemanticWeb #Security #Privacy #Nymwars #Identity