RESTful Single Sign on shown on the iPhon

by bblfish » Thu, 09 Apr 2009 17:19:52 GMT


Sponsored Links
 Dear Android security team,

We have been working on a project for open distributed social
networks, and as part of this have found a way to use TLS to get one
click authentication - without tying the certificate to a web site
[1].

As I have an iPhone I demonstrated how this works in a non jail broken
one. There is nothing I have changed to the phone to get it running.
For photos on the user interaction see:

   http://blogs.sun.com/bblfish/entry/one_click_global_sign_on 

I am a Java developer, and of course would rather have a more open
Java platform such as Android available to do exactly the same thing.
Perhaps it is even possible now? I am asking here as an Android
newbie, hoping someone may pick this up and help bridge the foaf+ssl
community with the Android community. I can't myself be following
every cell phone OS :-)

  A few things would be nice:

 1. Something like support for a <keygen> tag in the browser. Even if
it is not perfect, it is simple, works in many browsers such as Opera,
Safari, Firefox, ... More advanced versions would be good, but the
minimal one is very useful. I use it to help people create their foaf
+ssl certificate on  http://test.foafssl.org/cert/ 
    By the way the keygen tag is back in html 5, and I support it.
 http://is.gd/r9fD  [2]

 2. Something like a very user friendly KeyChain manager for the whole
OS. I think the iPhone does a reasonble job of this. Having to mail
your certificate to the iPhone is a security risk though, hence the
need for <keygen>. But the Identity Selector presentation on the
iPhone is very nicely done.

  3. I think if you play around with foaf+ssl a little, you will very
soon find a couple of extra ways to make the experience even more user
friendly. Perhaps UI ways of showing the user what identity he is
using, and making it easy to automate certificate selection for a web
site... But that is advanced stuff.

By the way, there may already be a way to send a user certificate to
Android. If so please let us know. We'd like to test this out.

     Yours sincerely,


             Henry Story

      Social Cloud Architect
       http://blogs.sun.com/bblfish 


[1] Usually client certificates are designed for one web site only,
because they have to be certified by a CA, and it is too costly to
have CA create personal certificates. By avoiding the need for a CA,
we remove the tie to the web site.
    The protocol has been called foaf+ssl and has a wiki page
      http://esw.w3.org/topic/foaf +ssl
[2] See the mailing list discussion
 



RESTful Single Sign on shown on the iPhon

by bblfish » Fri, 10 Apr 2009 09:17:56 GMT


 


I should add that the original part of this protocol, is that you do
not need a CA to sign the certificates.
They can be self signed. Hence the cost of producing client
certificates can be brought down to 0. This works
in a very similar way to OpenId except that being RESTful, we can
build on a web of trust, and we only need 1-2
SSL connections instead of OpenId's 8.[2]  There is a lot more on the
details of how this works on the foaf+ssl wiki, and
we have a paper coming up that reveals the logic of the protocol. [3]

In any case, it is clear from the iPhone case that the user experience
is as simple as can be (apart from the piece of uploading
the certificate). The iphone presents the user with an identity
selector that is easy to understand.

Again the iPhone was not designed with this in mind, it just
implemented all the relevant protocols, and has a reasonably good
UserInterface to go with it.

sincerly,

  Henry Story



[1]   http://esw.w3.org/topic/foaf +ssl
[2] openid comparison  http://blogs.sun.com/bblfish/entry/what_does_foaf_ssl_give 
[3] 
 http://lists.foaf-project.org/pipermail/foaf-protocols/2009-March/000366.html 


Sponsored Links


Other Threads

1. SOAP complex request

I'm trying to consume the following service

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://
schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <DoIt xmlns="http://tempuri.org/">
      <procedure>string</procedure>
      <args>
        <string>string</string>
        <string>string</string>
      </args>
    </DoIt>
  </soap:Body>
</soap:Envelope>

I've cobbled together the following.: ---

String rtn = "";
                        SoapObject Request =  new SoapObject(NAME_SPACE, 
METHOD_NAME);
                        PropertyInfo pi = new PropertyInfo();

                        String [] objectArray = { "string1", "string2", 
"string3",
"string4"};

                        pi.setName("args");
                        pi.setValue(objectArray);


                        Request.addProperty("procedure", "actionProcedure");
                        Request.addProperty(pi);

                        SoapSerializationEnvelope soapEnvelope = new
SoapSerializationEnvelope(SoapEnvelope.VER11);
                        soapEnvelope.dotNet = true;
                        soapEnvelope.setOutputSoapObject(Request);

                        AndroidHttpTransport aht = new 
AndroidHttpTransport(URL);
                        try
                        {
                                aht.call(SOAP_ACTION, soapEnvelope);
                                SoapObject resultString = 
(SoapObject)soapEnvelope.getResponse();

But I'm getting a "Cannot serialize" error...

Any ideas??? thanks...

Milo


-- 

2. Less number of downloads

Hi folks

i published my application in android market 7 months before.i am getting
less number of downloads .is there any publish problem or any other

Thanks in advance

Aswan

-- 

3. Font di n1

4. KS Launche

5. WiFi Tethering - was: WTI: Huawei Aviator -=- Salam Kenal

6. Error Recieving Broadcast Intent

7. Best Way to detect online connection ?