List of WebIDs presented for selection via YouID Browser Extension

Simple Web-Scale Verifiable Identity Exercise using our YouID Browser Extension

Created on 2016-11-29 21:04

Published on 2016-11-29 21:41

Today, we have “Fake News” reintroducing the verifiable identity problem that has afflicted the Web for years. Unfortunately, it has taken events such as Brexit and the recent US Elections to make this problem resonate en masse. 

An ability to unambiguously identify and verify identity claims of agents (such as humans and software) is crucial to killing the underlying problem that’s currently associated with the “Fake News” meme. 

Everyone needs to possess the following capabilities in order to take safe and full advantage of the Web & Internet:

  1. Identification using a Hyperlink
  2. Description using a Profile Document
  3. One or more Identity Cards (or Digital Certificates) for certification of identity claims
  4. One or more Private Keys for Digital Signature
  5. An optional ability to encrypt content in transit and/or at rest.

In this post, I present a simple demonstration of verifiable Identity (using our YouID Browser Extension) that scales to the Web, using existing open standards (URI, URL, HTTP, HTPS, RDF Language, RDF Documents, X.509, TLS, and PKI). 

Demonstration

The goal of this endeavor is to showcase the following:

  1. Identity verification using a protocol that doesn’t require passwords
  2. Identity toggling within a single browser session i.e., now browser restart following identity changes
  3. Power of HTTP URIs (hyperlinks) as Entity Identifiers
  4. Use of a single (rather than multiple) X.509 Certificate en route to authenticating multiple identities (i.e., various WebIDs) in a single HTTPS session.

Here’s a quick breakdown of the role of each open standard used in this exercise:

  1. URI — an Entity Identifier (i.e., People, Places, Software, and anything else that comes to mind or perceived via our “mind's eye”)
  2. URL —a Document Location (i.e., an Address on a Network)
  3. HTTP — a Document Access Protocol 
  4. HTTPS — variant of HTTP that includes use of TLS (Transport Layer Security) 
  5. RDF Language — an Abstract Language for digital sentence construction that provides a compact rendition of natural language based on its subject, predicate, and object structure
  6. RDF Documents — a variety of Document Types for persisting RDF Language Sentences (e.g., RDF-Turtle, JSON-LD, RDF-XML, and others)
  7. WebID — an HTTP URI that identifies an Agent (Person, Organization, or piece of Software)
  8. WebID-Profile Document — an RDF document that describes an Agent
  9. X.509 — Digital Identity Card (Certificate) use to store Identity Claims
  10. TLS — Secure Data Transmission Protocol (this is the “S” in HTTPS)
  11. PKI — Public Key Infrastructure which is an established methodology for signing and encoding content using asymmetric keys (i.e, Public & Private Keys); for instance, this is a critical part of the methodology used to enact and complete a TLS-handshake
  12. WebID+TLS — an enhancement to TLS protocol that includes looking up additional claims (specifically Public Key association) from a WebID-Profile document en route to identity verification
  13. WebID+TLS+Delegation — an enhancement to WebID+TLS protocol that includes looking up delegation-oriented relationship types from a WebID-Profile document en route to identity verification.

Here’s a depiction of my local X.509 Certificate that holds identity claims that I used to identify my Software Agent distinct from myself in the example that follows:

First Part of X.509 Certificate as presented by my local Key Store (in this case Mac OS X Keychain)

Second Part of X.509 Certificate as presented by my local Key Store (note the live hyperlinks)

Stage One

This exercise assumes that you already have a WebID. If not, you can generate one using any of the following services:

  1. Online WebID and WebID-Profile Document Generator
  2. WebID and WebID-Profile Document Generator for iOS
  3. WebID and WebID-Profile Document Generator for Android.

Remember, a WebID is an HTTP URI (Hyperlink) that identifies an Agent (Person, Organization, and Machine) in a manner that’s implicitly linked to a WebID-Profile Document that contains a variety of identity claims. 

The focal point of this exercise boils down to establishing a machine- and human-comprehensible relationship between a piece of software and a user where both entities are unambiguously identified using their respective WebIDs. In addition, we have RDF Language sentences describing relationships that exist between a Person and a piece of Software:

You achieve this goal (outlined above) by performing the following four steps:

  1. Download PKCS#12 credentials document at: http://kingsley.idehen.net/DAV/home/kidehen/Public/RWW-Demos/my_software_agent_id.p12 — note, the password for accessing this encrypted doc is “1234”
  2. Ping me with your WebID so that I can associate it with the My Software Agent as seen at: http://id.myopenlink.net/describe/?url=http%3A%2F%2Fid.myopenlink.net%2FDAV%2Fhome%2FKingsleyUyiIdehen%2FPublic%2Fsoftware-agent.ttl%23i&distinct=1&p=4&lp=4&op=2&next=&gp=4
  3. Reciprocate the association in step 2 by adding an acl:delegates and/or oplcert:hasIdentityDelegate relation to your WebID-Profile document with <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> as the object (or value) and your WebID as the subject (i.e., <{your-webid}> acl:delegates <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i>. <{your-webid}> oplcert:hasIdentityDelegate <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> .)
  4. Add a relation to your WebID-Profile document that associates WebID of My Software Agent with its Public Key e.g., using an RDF-Turtle based WebID-Profile doc it would be:

@prefix cert: <http://www.w3.org/ns/auth/cert#> . @prefix xsd: <http://www.w3.org/2001/XMLSchema#> . <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> cert:key [ cert:exponent "65537"^^xsd:int ; cert:modulus "c64d714d7ec158416d113cbb069c74fe5e592f5202235e6389668cb706533d814fca86b9f8722a84ec2c80dc09ba9b315b888660a04ef6efef0589c930cd6f93ff8eafa25b322ebd8f9e222f2674ae3b433df52509d7dd562b807529836e22b5b6d3ff44f58949992a2e411952461612cb21369bed93247994f22fc7c7778bbe16629aeaea812256421a036321b43c375a3414c0401ad7b66c8738ceca760ac0db1273b26e7043f9e8e23b1da0a9facf72302b2528ab50b9ce2a60822ff06d0f69a3856687e48ec5e1f04f1afdda56f7fb47b9e15979e1f851c9d9b90a37dfb49a32dd4830d551e4a55d9de68924a3d33163cbda3538254796e5002855f1848d"^^xsd:hexBinary ] .


Stage Two

Having completed the first four steps, above, you can experience the power of your YouID Browser Extension by performing the next four steps:

  1. Register your WebID with the YouID Browser Extension
  2. Register the WebID of My Software Agent with the YouID Browser Extension— note, this is purely for the effect of demonstrating identity toggling which is the main theme of this post
  3. Direct your browser to: http://linkeddata.uriburner.com/sparql
  4. Click on Login, and authenticate using the WebID+TLS protocol option.

Once logged in, you should see your WebID presented as the session Identity Principal. Anything else implies at least one of the following:

Stage Three

Once you’ve successfully logged into the SPARQL Query Service with your WebID as the visible Identity Principal, please take these final four steps:

  1. Click on YouID Browser Extension icon and change your preferred WebID by hatching the checkbox beside this registered WebID: <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i>
  2. In the SPARQL Query Service page, click on “Change Login” link
  3. Authenticate once again using WebID+TLS
  4. Look at the Identity Principal. This should now be My Software Agent’s WebID

Here’s an embedded video (silent screencast form) that demonstrates Stage Three:

https://www.youtube.com/watch?v=cyOwxoDj1n4

Wrap up

As you can see, we used a combination of a public profile document, a private digital identity card (x.509 certificate), a private key, entity relationship type semantics (represented using RDF sentences) to demonstrate verifiable identity that scales to the Web. Hopefully, you noticed that Passwords are obsolete in this mode of operation which eliminates another point of vulnerability and management tedium. 

Most importantly, none of this has been achieved at the expense of user interface (UI), user experience (UX), or administrator manageability (i.e., you don’t need a certificate for every user). 

Links

Related