Closed bblfish closed 4 years ago
Couple of comments:
keyId
terminology...To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?
Sorry to take so long to answer - I have been busy reading all the Capabilties material @dmitrizagidulin gave me... :-)
@dmitrizagidulin wrote
To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?
The way to do this is to create an Auth App that would also be an App Launcher started from an secure origin trusted by the user. This would allow the Launcher App to:
See the User controlled Authorization App and App launcher proposal .
The keyId
is a URL for a key, like a WebID is a URL for an Agent. (It is true that in Abadi et al, those are often conflated, but I think that is simply because any well functioning key has via the inverse of cert:key
a foaf:Agent
). If you take a WebID profile document you can give the blank node a hash URI and turn it into a keyId
.
I think we could merge this PR, possibly create a label for issues related to it and then continue discussion in small focused issues.
Some issues will deal with something more general that also applies to HTTP-Sig
as well as other approaches. In that case we should avoid dissing it just in one more specific context eg. clients authenticating directly with RS, not just AS.
As per issue https://github.com/solid/authentication-panel/issues/18 "Detailing HTTP-Signature based authentication for Solid"