RESTful Single Sign on shown on the iPhon

by bblfish » Thu, 09 Apr 2009 17:19:52 GMT

Sponsored Links
 Dear Android security team,

We have been working on a project for open distributed social
networks, and as part of this have found a way to use TLS to get one
click authentication - without tying the certificate to a web site

As I have an iPhone I demonstrated how this works in a non jail broken
one. There is nothing I have changed to the phone to get it running.
For photos on the user interaction see: 

I am a Java developer, and of course would rather have a more open
Java platform such as Android available to do exactly the same thing.
Perhaps it is even possible now? I am asking here as an Android
newbie, hoping someone may pick this up and help bridge the foaf+ssl
community with the Android community. I can't myself be following
every cell phone OS :-)

  A few things would be nice:

 1. Something like support for a <keygen> tag in the browser. Even if
it is not perfect, it is simple, works in many browsers such as Opera,
Safari, Firefox, ... More advanced versions would be good, but the
minimal one is very useful. I use it to help people create their foaf
+ssl certificate on 
    By the way the keygen tag is back in html 5, and I support it.  [2]

 2. Something like a very user friendly KeyChain manager for the whole
OS. I think the iPhone does a reasonble job of this. Having to mail
your certificate to the iPhone is a security risk though, hence the
need for <keygen>. But the Identity Selector presentation on the
iPhone is very nicely done.

  3. I think if you play around with foaf+ssl a little, you will very
soon find a couple of extra ways to make the experience even more user
friendly. Perhaps UI ways of showing the user what identity he is
using, and making it easy to automate certificate selection for a web
site... But that is advanced stuff.

By the way, there may already be a way to send a user certificate to
Android. If so please let us know. We'd like to test this out.

     Yours sincerely,

             Henry Story

      Social Cloud Architect 

[1] Usually client certificates are designed for one web site only,
because they have to be certified by a CA, and it is too costly to
have CA create personal certificates. By avoiding the need for a CA,
we remove the tie to the web site.
    The protocol has been called foaf+ssl and has a wiki page +ssl
[2] See the mailing list discussion

RESTful Single Sign on shown on the iPhon

by bblfish » Fri, 10 Apr 2009 09:17:56 GMT


I should add that the original part of this protocol, is that you do
not need a CA to sign the certificates.
They can be self signed. Hence the cost of producing client
certificates can be brought down to 0. This works
in a very similar way to OpenId except that being RESTful, we can
build on a web of trust, and we only need 1-2
SSL connections instead of OpenId's 8.[2]  There is a lot more on the
details of how this works on the foaf+ssl wiki, and
we have a paper coming up that reveals the logic of the protocol. [3]

In any case, it is clear from the iPhone case that the user experience
is as simple as can be (apart from the piece of uploading
the certificate). The iphone presents the user with an identity
selector that is easy to understand.

Again the iPhone was not designed with this in mind, it just
implemented all the relevant protocols, and has a reasonably good
UserInterface to go with it.


  Henry Story

[1] +ssl
[2] openid comparison 

Sponsored Links

Other Threads

1. Updating Existing Context Menus...

I am relatively new to writing Android apps, but I have done a few
small applications to get a feel for the basics.  I have noticed that
a few applications on my phone have made changes to the context menus
of other applications and I am curious as to how to do that.  For
example, Evernote beta added an "Evernote" entry in the Gallery
application "Share Via" context menu.

How is this done??

Can it be done for all types of context menus, e.g. Contacts, Events,

thanks in advance!


2. Inflator

In my custom adapter, that implements the BaseAdapter and its getView,
I use the inflator to generate a new view from a layout. Is there any
way to avoid repetitive inflation step? specially when the convert
View (an argument to the getView) is always null, which mean it can
be reused and the view needs to be re-inflated. I was looking for
something like a copy or clone but fund none.


3. How to remove a component from android build

4. Where are the flags corresponding to the System App's set??

5. FileNotFound in

6. android eclair V4L2 camer

7. Android IPC Mechanism between Java and C/C++ Processes