Closed bblfish closed 4 years ago
dmitrizagidulin
commented
4 years ago Couple of comments:
keyId terminology...dmitrizagidulin
commented
4 years ago To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?
bblfish
commented
4 years ago Sorry to take so long to answer - I have been busy reading all the Capabilties material @dmitrizagidulin gave me... :-)
@dmitrizagidulin wrote
To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?
The way to do this is to create an Auth App that would also be an App Launcher started from an secure origin trusted by the user. This would allow the Launcher App to:
See the User controlled Authorization App and App launcher proposal .
bblfish
commented
4 years ago The keyId is a URL for a key, like a WebID is a URL for an Agent. (It is true that in Abadi et al, those are often conflated, but I think that is simply because any well functioning key has via the inverse of cert:key a foaf:Agent ). If you take a WebID profile document you can give the blank node a hash URI and turn it into a keyId.
elf-pavlik
commented
4 years ago I think we could merge this PR, possibly create a label for issues related to it and then continue discussion in small focused issues.
Some issues will deal with something more general that also applies to HTTP-Sig as well as other approaches. In that case we should avoid dissing it just in one more specific context eg. clients authenticating directly with RS, not just AS.
As per issue https://github.com/solid/authentication-panel/issues/18 "Detailing HTTP-Signature based authentication for Solid"