Detail Solid extension for HTTP Signature

[bblfish]

As per issue #18 "Detailing HTTP-Signature based authentication for Solid"

[elf-pavlik]

I think this can get merged as panel member submission and act as reference in future panel discussions.

[dmitrizagidulin]

Couple of comments:

• For in-browser Javascript apps, how is the app authenticated? (Specifically, how is the app's public key linked to the app's URL?)
• I'm not quite sure about the keyId terminology...

[dmitrizagidulin]

To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?

[bblfish]

Sorry to take so long to answer - I have been busy reading all the Capabilties material @dmitrizagidulin gave me... :-)

@dmitrizagidulin wrote

To clarify my comment about app authentication - using the temporary terminology from the App identity discussion, how does this proposed authentication mechanism propose to link the ephemeral in-browser app identity to a particular installed app instance (or app source identity)?

The way to do this is to create an Auth App that would also be an App Launcher started from an secure origin trusted by the user.
This would allow the Launcher App to:

• know the URL of the Apps launched (since it launches them)
• allow that Launcher App to keep keys securely for instances of the launched apps, without those less secure Launched Apps getting access to the private keys
• save the information about the user's preferred apps on the Users Pod (securely) and store the keys there as well as giving those app instances WebID.

See the User controlled Authorization App and App launcher proposal .

[bblfish]

The keyId is a URL for a key, like a WebID is a URL for an Agent. (It is true that in Abadi et al, those are often conflated, but I think that is simply because any well functioning key has via the inverse of cert:key a foaf:Agent ). If you take a WebID profile document you can give the blank node a hash URI and turn it into a keyId.

[elf-pavlik]

I think we could merge this PR, possibly create a label for issues related to it and then continue discussion in small focused issues.

Some issues will deal with something more general that also applies to HTTP-Sig as well as other approaches. In that case we should avoid dissing it just in one more specific context eg. clients authenticating directly with RS, not just AS.