RESTful Single Sign on shown on the iPhon

by bblfish » Thu, 09 Apr 2009 17:19:52 GMT

Sponsored Links
 Dear Android security team,

We have been working on a project for open distributed social
networks, and as part of this have found a way to use TLS to get one
click authentication - without tying the certificate to a web site

As I have an iPhone I demonstrated how this works in a non jail broken
one. There is nothing I have changed to the phone to get it running.
For photos on the user interaction see: 

I am a Java developer, and of course would rather have a more open
Java platform such as Android available to do exactly the same thing.
Perhaps it is even possible now? I am asking here as an Android
newbie, hoping someone may pick this up and help bridge the foaf+ssl
community with the Android community. I can't myself be following
every cell phone OS :-)

  A few things would be nice:

 1. Something like support for a <keygen> tag in the browser. Even if
it is not perfect, it is simple, works in many browsers such as Opera,
Safari, Firefox, ... More advanced versions would be good, but the
minimal one is very useful. I use it to help people create their foaf
+ssl certificate on 
    By the way the keygen tag is back in html 5, and I support it.  [2]

 2. Something like a very user friendly KeyChain manager for the whole
OS. I think the iPhone does a reasonble job of this. Having to mail
your certificate to the iPhone is a security risk though, hence the
need for <keygen>. But the Identity Selector presentation on the
iPhone is very nicely done.

  3. I think if you play around with foaf+ssl a little, you will very
soon find a couple of extra ways to make the experience even more user
friendly. Perhaps UI ways of showing the user what identity he is
using, and making it easy to automate certificate selection for a web
site... But that is advanced stuff.

By the way, there may already be a way to send a user certificate to
Android. If so please let us know. We'd like to test this out.

     Yours sincerely,

             Henry Story

      Social Cloud Architect 

[1] Usually client certificates are designed for one web site only,
because they have to be certified by a CA, and it is too costly to
have CA create personal certificates. By avoiding the need for a CA,
we remove the tie to the web site.
    The protocol has been called foaf+ssl and has a wiki page +ssl
[2] See the mailing list discussion

RESTful Single Sign on shown on the iPhon

by bblfish » Fri, 10 Apr 2009 09:17:56 GMT


I should add that the original part of this protocol, is that you do
not need a CA to sign the certificates.
They can be self signed. Hence the cost of producing client
certificates can be brought down to 0. This works
in a very similar way to OpenId except that being RESTful, we can
build on a web of trust, and we only need 1-2
SSL connections instead of OpenId's 8.[2]  There is a lot more on the
details of how this works on the foaf+ssl wiki, and
we have a paper coming up that reveals the logic of the protocol. [3]

In any case, it is clear from the iPhone case that the user experience
is as simple as can be (apart from the piece of uploading
the certificate). The iphone presents the user with an identity
selector that is easy to understand.

Again the iPhone was not designed with this in mind, it just
implemented all the relevant protocols, and has a reasonably good
UserInterface to go with it.


  Henry Story

[1] +ssl
[2] openid comparison 

Sponsored Links

Other Threads

1. Support for iterations in xml view - Dynamic Data display

Most of the data driven ui would need a way to iterate certain UI per
record of data. In such scenario.. would it be possible to specify in
xml to iterate a perticular block of view spec based on certain vector
or data record.

There is a very nice solution provided by kuix at
Not sure if such thing is possible already in android.

Raja Nagendra Kumar,


2. Template ROW using xml and api


We have a table which may have infinite rows. Would it be possible to
create row by using the xml template say

            <EditText android:id="@+id/tbRelation"
            <Button android:id="@+id/bRelationQuery"

some thing similar to clone of existing row but with different id's

Raja Nagendra Kumar,

3. AOP support

4. xml view defination to take event handler class name

5. updating a view based on another view

6. Reg:Camera porting

7. Issue with Eclipse Android Plugin on Ubuntu Linux