RESTful Single Sign on shown on the iPhon

by bblfish » Thu, 09 Apr 2009 17:19:52 GMT

Sponsored Links
 Dear Android security team,

We have been working on a project for open distributed social
networks, and as part of this have found a way to use TLS to get one
click authentication - without tying the certificate to a web site

As I have an iPhone I demonstrated how this works in a non jail broken
one. There is nothing I have changed to the phone to get it running.
For photos on the user interaction see: 

I am a Java developer, and of course would rather have a more open
Java platform such as Android available to do exactly the same thing.
Perhaps it is even possible now? I am asking here as an Android
newbie, hoping someone may pick this up and help bridge the foaf+ssl
community with the Android community. I can't myself be following
every cell phone OS :-)

  A few things would be nice:

 1. Something like support for a <keygen> tag in the browser. Even if
it is not perfect, it is simple, works in many browsers such as Opera,
Safari, Firefox, ... More advanced versions would be good, but the
minimal one is very useful. I use it to help people create their foaf
+ssl certificate on 
    By the way the keygen tag is back in html 5, and I support it.  [2]

 2. Something like a very user friendly KeyChain manager for the whole
OS. I think the iPhone does a reasonble job of this. Having to mail
your certificate to the iPhone is a security risk though, hence the
need for <keygen>. But the Identity Selector presentation on the
iPhone is very nicely done.

  3. I think if you play around with foaf+ssl a little, you will very
soon find a couple of extra ways to make the experience even more user
friendly. Perhaps UI ways of showing the user what identity he is
using, and making it easy to automate certificate selection for a web
site... But that is advanced stuff.

By the way, there may already be a way to send a user certificate to
Android. If so please let us know. We'd like to test this out.

     Yours sincerely,

             Henry Story

      Social Cloud Architect 

[1] Usually client certificates are designed for one web site only,
because they have to be certified by a CA, and it is too costly to
have CA create personal certificates. By avoiding the need for a CA,
we remove the tie to the web site.
    The protocol has been called foaf+ssl and has a wiki page +ssl
[2] See the mailing list discussion

RESTful Single Sign on shown on the iPhon

by bblfish » Fri, 10 Apr 2009 09:17:56 GMT


I should add that the original part of this protocol, is that you do
not need a CA to sign the certificates.
They can be self signed. Hence the cost of producing client
certificates can be brought down to 0. This works
in a very similar way to OpenId except that being RESTful, we can
build on a web of trust, and we only need 1-2
SSL connections instead of OpenId's 8.[2]  There is a lot more on the
details of how this works on the foaf+ssl wiki, and
we have a paper coming up that reveals the logic of the protocol. [3]

In any case, it is clear from the iPhone case that the user experience
is as simple as can be (apart from the piece of uploading
the certificate). The iphone presents the user with an identity
selector that is easy to understand.

Again the iPhone was not designed with this in mind, it just
implemented all the relevant protocols, and has a reasonably good
UserInterface to go with it.


  Henry Story

[1] +ssl
[2] openid comparison 

Sponsored Links

Other Threads

1. sdk help

hello ,
i will sound very basic but i really dont know.where do we see the
android sdk help about its all classes n api n its sample
application.i installed it on xp but i doesnt found any in my android
folder.looking forward to your reply


2. How to switch eclipse logcat from emulator to device and back again

Does anyone know how to get the eclipse logcat output to switch from
emulator to device and back again?

I am often developing, and using emulator and device in tandem, mainly
because I can trace the http comms on the emulator and not on the
device, and logcat gets stuck on whichever is launched first from
eclipse.  Right now the only way to get logcat output switched over is
to restart eclipse, which is a little time-consuming.  Anyone know
another way to achieve the same thing?

Many thanks in advance

3. Reloading our Activities State after firing Intent to camera

4. Who will be viewing apps during Round 1 and Round 2 of the ADC2

5. It's not working on USB for Android system building

6. RE : Developing and debugging on HTC Hero

7. String array declared in xml does not accept styling tags <b> <i> <u> ?