apt-get install gobby-infinote
gobby -c gobby.debian.org

WebID is a (still pending?) standard protocol for authentication of webby resources using FOAF profiles.
WebID ⇒ Having a way for web sites to ask your central site for references regarding what/who _you_ are

W3C site : http://www.w3.org/wiki/WebID

References :
- FOAF : http://www.foaf-project.org/ (Friends of a Friend)
- WebID thread on debian-devel : http://lists.debian.org/debian-devel/2013/05/msg00886.html

Keywords :
- decentralized trust relations (relates to Web of Trust, as in GPG/PGP)
- interoperability (W3C standard)
- extensible (because of RDF)

* Overview: 3 parts involved:
  - the client certificate, that lives in the user's browser
  - a FOAF or RDF profile, that doesn't need to have relationships nor projects, just the public key of the client certificate. It lives on a web server, usually owned by yourself; in the case of Debian it could be stored on debian.org
  - the authentication service that checks that the client certificate's public key matches the FOAF public key. In this case it would be on a Debian server.

* Cons:
  - users might not have the technical knowledge to generate client certificates by themselves, and having an application that generates the client certificate for the user might mean that private keys aren't generated in the user's browser.
  - do mobile browsers allow client certificates?
  - TLS issues...
  - ...

* Pros:
  - no need for a password
  - reusable for different services
  - other info like projects or relationships could be in the profile (advantage?)
  - ...

* Use-cases
  - using WebID to authenticate Debian participants on Debian services

* relevancy → Having the authenticating server not store your credentials, but relaying trust to the trusted third party (federation)
  * local ID
  * OpenID
  * Persona (a.k.a. BrowserID)

* Is it safe?
  * is the security design sane?
  * how about privacy?

* Why don't we use distributed authentication like the Web of Trust (GPG)?
  - It relies on a Web of Trust described by the FOAF/WebID documents distributed on each other's Web sites (i.e. under the control of everyone, no central authority, etc.)
  - While you use a third party site to authenticate, you are giving information about relations to those sites.
  - Distributed authentication/WoT are really not flying well when seen in a corporate light — That's probably the main reason why SSL CAs are so much better known than decentralized GPG
  - The corporation could use its own key and publish the public key. Sorry but maybe I don't see the point.
  - Why do we need to care about corporations when talking about social networking?

* Pushing ideas for Debian use:
  * Were we to add WebID information as key attributes (that is, just information) in the GPG keys, WebID authentication could replace sso.debian.org (which is password-based, blagh!)

See also :
- http://webid.debian.net/ : FOAF profiles for Debian developers - see : https://wiki.debian.org/WebIDDebianNet
- https://my-profile.eu/ : demo of a social network app relying on WebID auth + WebID user profiles
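Worked illustration of the three-party check from the Overview above (client certificate, FOAF/RDF profile, authentication service). This is an added example, not code from these notes, from webid.debian.net or from any Debian service. It assumes the certificate has already been parsed out of the TLS handshake into its subjectAltName URI and RSA public key, the profile is a constructed Turtle document at a hypothetical example.org URL, and "fetching" it is an in-memory lookup rather than an HTTPS GET. The point it makes beyond the notes: the verifier must look for the key under the claimed WebID subject itself, not anywhere in the profile document, otherwise another person described in the same file could vouch for the claimant.

```python
"""Illustrative WebID-TLS verification (added example; stdlib only).

Assumptions: the client certificate is modelled as already-parsed fields, the
profile document is a constructed Turtle snippet, and all URLs/names are
hypothetical. Nothing here is Debian's or the page's own code.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urldefrag, urljoin


@dataclass
class ClientCert:
    san_uris: List[str]   # subjectAltName URI entries: the WebIDs the cert claims
    modulus: int          # RSA public key modulus
    exponent: int         # RSA public exponent


# Constructed sample profile document, assumed to be served at PROFILE_URL.
PROFILE_URL = "https://example.org/people/alice"
PROFILE_TURTLE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<#me> a foaf:Person ;
    foaf:name "Alice Example" ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "00c0ffee 1234ABCD"^^xsd:hexBinary ;
               cert:exponent 65537 ] .

<#bob> a foaf:Person ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "DEADBEEF00000001"^^xsd:hexBinary ;
               cert:exponent 3 ] .
"""

SUBJECT_RE = re.compile(r"\s*(<[^>]*>)")
KEY_RE = re.compile(r"cert:key\s+\[(.*?)\]", re.DOTALL)
MOD_RE = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"')
EXP_RE = re.compile(r"cert:exponent\s+(\d+)")


def profile_keys(turtle: str, base_url: str) -> Dict[str, Set[Tuple[int, int]]]:
    """Map each subject URI to the (modulus, exponent) pairs it publishes.

    Deliberately minimal regex extraction for the "subject ... cert:key [ ... ]"
    shape used above; a production verifier would use a real RDF parser.
    """
    keys: Dict[str, Set[Tuple[int, int]]] = {}
    for stmt in re.split(r"\s\.\s*\n", turtle):   # one Turtle statement per chunk
        subj = SUBJECT_RE.match(stmt)
        if not subj:                               # @prefix lines, blank chunks
            continue
        uri = urljoin(base_url, subj.group(1).strip("<>"))  # <#me> -> absolute WebID
        for body in KEY_RE.findall(stmt):
            mod, exp = MOD_RE.search(body), EXP_RE.search(body)
            if not (mod and exp):
                continue
            # xsd:hexBinary: tolerate whitespace and case, compare as integers
            modulus = int(re.sub(r"\s", "", mod.group(1)), 16)
            keys.setdefault(uri, set()).add((modulus, int(exp.group(1))))
    return keys


def verify_webid(cert: ClientCert, fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first WebID the certificate proves control of, else None.

    fetch(document_url) returns the profile's Turtle text, or None if it could
    not be retrieved. The certificate is not chained to any CA: trust comes
    solely from its public key appearing in the profile at the claimed WebID.
    """
    for webid in cert.san_uris:
        doc_url, _fragment = urldefrag(webid)   # dereference the document, not the fragment
        turtle = fetch(doc_url)
        if turtle is None:
            continue
        keys = profile_keys(turtle, doc_url)
        # The key must be attached to the claimed WebID itself. Accepting any key
        # found anywhere in the document would let <#bob> vouch for <#me>.
        if (cert.modulus, cert.exponent) in keys.get(webid, set()):
            return webid
    return None


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTPS GET of the profile document."""
    return {PROFILE_URL: PROFILE_TURTLE}.get(url)


ALICE_WEBID = PROFILE_URL + "#me"
ALICE_CERT = ClientCert([ALICE_WEBID], modulus=0xC0FFEE1234ABCD, exponent=65537)
# Same claimed WebID, but carrying Bob's key from the same document: must be rejected.
IMPOSTOR_CERT = ClientCert([ALICE_WEBID], modulus=0xDEADBEEF00000001, exponent=3)

if __name__ == "__main__":
    print("alice    ->", verify_webid(ALICE_CERT, fake_fetch))
    print("impostor ->", verify_webid(IMPOSTOR_CERT, fake_fetch))
```

The "Cons" list above notes that a service generating the certificate for the user may end up holding the private key; nothing in this check depends on who issued the certificate, which is exactly why the private key should only ever exist in the user's browser.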