How WebID Delivers Flexible & Verifiable Identity at InterWeb Scale

The issue of flexible and verifiable identity is an InterWeb scale problem. I've stated on a number of occasions that WebID and its authentication (verification) protocol offer a viable and scalable solution by leveraging:

1. Internet Architecture

2. Web Architecture -- URIs

3. Linked Data -- directed graph based "whole data representation" that leverages de-referenceable URIs.

Here is a simple step-by-step guide that demonstrates how users of Twitter can achieve the following, right now:

1. Obtain an Info Card (X.509 Certificate / Security Token) with a WebID watermark

2. Verify the Info Card.

Steps to Generate your Info Card

1. In the web browser of your choice, go to <http://id.myopenlink.net/certgen>.

2. Where it says "Please provide one of the following," click on the "Sign in with Twitter" button, and then complete the OAuth bonding.

3. Click "next" button, and if you like, on the "Certificate details" page which now loads, add an organization name or email address to the relevant fields. Change your "name" here, if you have or will have multiple certificates installed in your OS or browser -- so you can tell which is which, when prompted to provide an identity.

4. Choose any Identity option, Key Strength, and/or Cipher (the defaults are fine), and click "Next".

5. On "Select signer of the Certificate," leave "Issuer" as "Self-Signed" and click "Generate".

6. On "Select format and store option", "Friendly name" is the string you'll see in the "choose a certificate dialogs" in the future. Be sure to enter a password before proceeding! "PKCS#12 file bundle" (that is, a .p12 file you can persist on any filesystem) is the most flexible storage option. Click "Download" to save the .p12 file to your local disk. (We'll come back to this file later.)

7. Click on the "Persist in IdP dataspace" button.

8. You are now presented with a tabbed interface that provides a variety of options for persisting your Info Card's fingerprint to a particular data space. In this case, click the second tab labeled "Store using OAuth" (this really means, "store to the OAuth-authenticated data space from the Twitter bonding page") and click the "save" button.

9. At this stage, you will be able to see a Tweet with hashtag #WebID that includes your Info Card's fingerprint and its associated crypto hash function (MD5 or SHA1).

10. In your local OS filesystem UI, open (typically, double-click) the local .p12 resource (file) and your OS should commence the process of persisting the content to its native keystore or keychain. (Generally, you can take the defaults in all prompts, until saved.)

Steps to Verify Identity via Info Card with WebID watermark

1. In the web browser of your choice, go to <http://id.myopenlink.net/webid_demo.html> -- a simple HTML-based WebID verification app.

2. Click on the "check" button.

3. Verification will either pass or fail.

What just happened?

You've just created a verifiable identifier for yourself, that's been used as a watermark in an Info Card (something like a digital parallel to your passport or drivers license). You have also verified this identifier (i.e., acted like the passport or license office).

Passport Issuer

This is what happened when you generated the Info Card via the HTML wizard. To be precise, right up to the point where you saved the PKCS#12 (.p12) resource to your local disk and then imported it into your local operating system's keystore or keychain.

Passport Office

This is what happened when you clicked on the "Persist in IdP dataspace" button. Basically, the generator used (if you took the defaults) <http://id.myopenlink.net/about/id/entity/http/twitter.com/{your-twitter-handle}> (a proxy/wrapper Linked Data URI) or <http://twitter.com/{your-twitter-handle}#this> (an API-specific proxy/wrapper URI) serving as a WebID to locate a data space (in this case, the one hosted by Twitter) into which it placed the Fingerprint (a crypto hash) of the Info Card you just generated.

Identifier Verification

This happened when you invoked the HTML-based verification application at <http://id.myopenlink.net/webid_demo.html>. The mechanics are as follows:

1. Clicking the "check" button redirects to an https URL.

2. You are challenged to present an Info Card as part of the standard SSL/TLS handshake.

3. When the standard handshake completes, an additional verification step occurs, whereby this WebID protocol-compliant application (conventionally referred to as being in the role of Relying Agent) performs the following steps:

a. De-references the WebID in the Subject Alternative Name of the Info Card.

b. Locates a data object (a graph encapsulator) at an address.

c. Checks to see that it can find a Fingerprint for the certificate used to successfully complete the standard part of the SSL/TLS handshake; at this point you have success or failure.
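The three roles described above (Passport Issuer, Passport Office, and the Relying Agent's steps a, b and c) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from the id.myopenlink.net wizard; it assumes the Python `cryptography` package is installed, and it replaces the Twitter data space with a constructed in-memory dictionary keyed by WebID, so the "de-reference" step is a dictionary lookup rather than an HTTP fetch. Fingerprints are published as constructed "#WebID" tweet strings in the same spirit as step 9 of the generation procedure.

```python
"""Minimal offline model of the WebID flow: issue an Info Card whose Subject
Alternative Name carries the WebID, publish its fingerprint into the WebID's
data space, and verify a presented certificate against that data space.
Added example; assumes the `cryptography` package (https://cryptography.io)."""
import datetime
import hashlib
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed stand-in for the OAuth-bound Twitter data space:
# WebID URI -> list of tweets posted to that data space.
DATA_SPACE: dict[str, list[str]] = {}

# Pattern for the constructed tweet format "#WebID <hash-alg>:<hex-fingerprint>"
FP_RE = re.compile(r"#WebID\s+(md5|sha1):([0-9a-f]+)")


def issue_info_card(webid: str, friendly_name: str):
    """Passport Issuer: a self-signed X.509 certificate with the WebID in its SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, friendly_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer is the subject itself
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        # The WebID "watermark": a URI entry in Subject Alternative Name.
        .add_extension(
            x509.SubjectAlternativeName([x509.UniformResourceIdentifier(webid)]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def fingerprint(cert: x509.Certificate, algo: str = "sha1") -> str:
    """Hex fingerprint of the DER-encoded certificate (the post mentions MD5 or SHA1)."""
    der = cert.public_bytes(serialization.Encoding.DER)
    return hashlib.new(algo, der).hexdigest()


def publish_fingerprint(webid: str, cert: x509.Certificate, algo: str = "sha1") -> str:
    """Passport Office: persist the fingerprint into the data space the WebID names."""
    tweet = f"#WebID {algo}:{fingerprint(cert, algo)}"
    DATA_SPACE.setdefault(webid, []).append(tweet)
    return tweet


def verify_info_card(cert: x509.Certificate, data_space=DATA_SPACE) -> bool:
    """Relying Agent: (a) read the WebID from the SAN, (b) de-reference it,
    (c) succeed only if the data space lists this certificate's fingerprint."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False  # no WebID watermark at all
    for webid in san.get_values_for_type(x509.UniformResourceIdentifier):
        for tweet in data_space.get(webid, []):  # (b) lookup stands in for HTTP GET
            m = FP_RE.search(tweet)
            # (c) recompute with the published algorithm and compare
            if m and m.group(2) == fingerprint(cert, m.group(1)):
                return True
    return False


if __name__ == "__main__":
    webid = "http://twitter.com/example-handle#this"  # constructed WebID
    _, card = issue_info_card(webid, "Example Info Card")
    print("before publishing:", verify_info_card(card))  # False
    print("published:", publish_fingerprint(webid, card))
    print("after publishing:", verify_info_card(card))   # True
```

The important property is in step (c): a second certificate carrying the same WebID but a different key has a different DER encoding, so its fingerprint is absent from the data space and verification fails. Owning the WebID URI is not enough; the relying agent trusts only a certificate whose fingerprint the WebID's owner actually published.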

Why is this important?

The virtues of WebID have never been in doubt, once the concepts behind the protocol are understood. What's eternally challenging with new technology is how you roll it out to a community of existing users that are already aligned to existing applications and services.

This very simple process grants every Twitter user the opportunity to acquire a self-signed Info Card, en route to exploiting the immense utility of verifiable identity at InterWeb scale.

Related


1. http://webid.info -- additional information about WebID.

2. http://www.w3.org/wiki/WebID -- WebID Wiki.
#WebID #Nymwars #LinkedData #Identity #Privacy #Security
5 comments
 
Web 2.0 finally meets Web 3.0. An exciting day! :)
 
+Melvin Carvalho -- Yes! Especially as this also covers AtomPub compliant Blogs (e.g. WordPress), LinkedIn, and of course Facebook. We also have Google and friends covered via Webfinger while we await a Write/Post API for G+ :-)
 
Very nice, but yet not generally useful until I can get my mother to do it, and - while she is intelligent and capable - this is well beyond anything she'd ever get through. I'll probably do it myself in a couple of hours.
 
IMHO it's easier than a whole bunch of other stuff we do, such as getting a driving license. I'm not sure whether or not your mother has one of those. But by this logic, does that make driving 'not generally useful' also? :)
 
+JB Segal -- this is a first pass, target audience is anyone that can make a tweet and persist a security token by following an HTML based Wizard.

Even at this stage, it's simpler than getting a Passport or Drivers License. It also trumps existing patterns for actually obtaining a usable X.509 certificate etc..

We are just finalizing an engine. Then we'll further tweak UX across HTML, Windows, Mac OS X, iOS5 (that exists in first pass form also), and Android.

We also have it working for AtomPub compliant blog platforms such as Wordpress etc..

One step at a time, we are addressing a serious problem that others have willfully ignored over the years. Ignoring these problems simply undermines the vast power of the InterWeb etc..

You shouldn't hide your email address or any other handle circa. 2011 due to fear of SPAM. Likewise, you shouldn't have parents signing up kids under 13 to Facebook just because fine-grained ACLs don't exist across Social Media spaces etc..