episode 20: identity


Michiel B. de Jong

Apr 30, 2013, 3:53:32 AM
to unho...@googlegroups.com
episode 20, about identity: Persona, OpenID, SAML, WebID, and Webfinger

https://unhosted.org/decentralize/20/Persona,-OpenID,-SAML,-WebID,-and-Webfinger.html

Comments welcome!


Cheers,
Michiel

Leen Besselink

Apr 30, 2013, 6:13:31 AM
to unho...@googlegroups.com
You asked for it. :-)

While I totally agree that tying your identity to Facebook, Google, Twitter and others is bad, calling them proprietary might be a bit unfair?

Yahoo supports:
- OAuth
- OpenID

Google supports:
- OAuth
- OpenID
- SAML (for corporate Google apps/docs)

Facebook supports:
- OAuth

Twitter supports:
- OAuth

With OAuth from Facebook, Yahoo and Google it is possible for the website to get the email address.

So I think it should be possible to replace that with Persona, because Yahoo and Google are email
providers and Facebook has a 'verified' flag.

That is a start at least.

I doubt many sites have the possibility yet to attach multiple identities to the same account, so it
might not be possible to change email addresses as easily. I hope many sites will consider this.

Better would be if they could move to an unhosted model of course. :-)

Have you seen the payments articles yet?:

https://hacks.mozilla.org/category/payments/


Sebastian Kippe

Apr 30, 2013, 7:27:12 AM
to unho...@googlegroups.com
Hi,

Just a small note on the nobackend.org link in the context you mention it in: most solutions listed there do not allow you to choose your own backend. No-backend is kind of a privacy-carefree, technology-first approach to things. They don't really care if an app provider stores your data or not.

Cheers,
Basti

☮ elf Pavlik ☮

Apr 30, 2013, 12:56:24 PM
to Michiel B. de Jong, unhosted
Excerpts from Michiel B. de Jong's message of 2013-04-30 07:53:32 +0000:
> episode 20, about identity: Persona, OpenID, SAML, WebID, and Webfinger
>
> https://unhosted.org/decentralize/20/Persona,-OpenID,-SAML,-WebID,-and-Webfinger.html
"Identity is not a problem in unhosted applications: there are no per-application sessions, only per-user sessions." -- I find it a bit confusing: if you want to interact with other peers you somehow need to identify each other...

"WebID is based on this idea: you create an asymmetric key pair inside your browser profile on your favorite client device, and use that to establish remote sessions at servers that support WebID." -- have you followed the development of distinguishing the different elements related to WebID?

"WebID 1.0: Web Identity and Discovery"
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html

"WebID-TLS"
https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html

Michiel B. de Jong

May 1, 2013, 7:31:28 AM
to unho...@googlegroups.com
On 2013-04-30 18:56, ☮ elf Pavlik ☮ wrote:
> Excerpts from Michiel B. de Jong's message of 2013-04-30 07:53:32
> +0000:
>> episode 20, about identity: Persona, OpenID, SAML, WebID, and
>> Webfinger
>>
>>
>> https://unhosted.org/decentralize/20/Persona,-OpenID,-SAML,-WebID,-and-Webfinger.html
> "Identity is not a problem in unhosted applications: there are no
> per-application sessions, only per-user sessions." -- I find it a bit
> confusing: if you want to interact with other peers you somehow need
> to identify each other...

right, i should distinguish "log in identities" from third-person
"profile identities". Will fix.

>
> "WebID is based on this idea: you create an asymmetric key pair
> inside your browser profile on your favorite client device, and use
> that to establish remote sessions at servers that support WebID." --
> have you followed the development of distinguishing the different
> elements related to WebID?
>
> "WebID 1.0: Web Identity and Discovery"
> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
>
> "WebID-TLS"
> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html

right, i heard about that split, i meant the TLS part here. will revise
to correct this.


thanks for the tips!


Cheers,
Michiel

Michiel B. de Jong

May 2, 2013, 11:12:30 AM
to unho...@googlegroups.com
On 2013-04-30 12:13, Leen Besselink wrote:
> You asked for it. :-)
>
> While I totally agree that tying your identity to Facebook, Google,
> Twitter and others is bad, calling them proprietary might be a bit
> unfair?
>
> Yahoo supports:
> - OAuth
> - OpenID
>
> Google supports:
> - OAuth
> - OpenID
> - SAML (for corporate Google apps/docs)

i didn't call using a commercial identity provider in general
proprietary. Indeed Yahoo and Google provide OpenID, and even played a
big role in developing it in the first place.

> Facebook supports:
> - OAuth
>
> Twitter supports:
> - OAuth
>
> With OAuth from Facebook, Yahoo and Google it is possible for the
> website to get the email address.

the use of OAuth as such doesn't say anything about whether you are
offering any open identity protocol. OAuth is a best practice for
exposing the login screen of your API:
http://insanecoding.blogspot.co.nz/2013/03/oauth-great-way-to-cripple-your-api.html

> So I think it should be possible to replace that with Persona,
> because Yahoo and Google are email
> providers and Facebook has a 'verified' flag.

yes, Google, Yahoo and Facebook should all implement Persona, and in
fact, Yahoo already does:
http://techcrunch.com/2013/04/09/mozilla-persona-beta-2/ and at minute
2:23 of the video there they announce they will have >50% of all
email users worldwide soon, so i'm guessing that would mean they got
either Google or Microsoft, too.

sure, as long as there are not too many parties offering
vendor-specific "social signin" systems, a relying party can still
come pretty close to what whitelist-based OpenID gives you by simply
displaying an OpenID nascar-screen and adding the logos of Facebook,
Twitter and Github to it.
but you would then have to write 4 login systems:
- one generic OpenID one,
- one specifically for Facebook,
- one specifically for Twitter, and
- one specifically for Github.

> Have you seen the payments articles yet ?:
>
> https://hacks.mozilla.org/category/payments/

yes, also a very interesting development! thanks for the link.


Cheers,
Michiel

Michiel B. de Jong

May 2, 2013, 11:47:31 AM
to unho...@googlegroups.com
On 2013-04-30 13:27, Sebastian Kippe wrote:
> Hi,
>
> Just a small note on the nobackend.org link in the context you
> mention it in: most solutions listed there do not allow you to choose
> your own backend. No-backend is kind of a privacy-carefree,
> technology-first approach to things. They don't really care if an app
> provider stores your data or not.
>
> Cheers,
> Basti


right, that's true. actually, someone on twitter even remarked that in
a way the Backend-as-a-Service platforms that noBackend (also) promotes,
are the opposite of our per-user backend architecture: they move the
sysadmin role /up/ the supply stream towards the app publisher's
suppliers rather than /down/ towards the end-users.

I corrected it, thanks!

Cheers,
Michiel