A Simple Usage Exercise with the YouID Browser Extension

YouID Browser Extension UI for selecting and/or adding WebIDs en route to Verifiable Identity, at Web-Scale

Today, we have “Fake News” reintroducing the verifiable identity problem that has afflicted the Web for years. Unfortunately, it has taken events such as Brexit and the recent US Elections to make this problem resonate en masse.

An ability to unambiguously identify and verify identity claims of agents (such as humans and software) is crucial to killing the underlying problem that’s currently associated with the “Fake News” meme.

Everyone needs to possess the following in order to take safe and full advantage of the Web & Internet:

  1. Identification using a Hyperlink
  2. Description using a Profile Document
  3. One or more Identity Cards (or Digital Certificates) for certification of identity claims
  4. One or more Private Keys for Digital Signature
  5. An optional ability to encrypt content in transit and/or at rest.

In this post, I present a simple demonstration of verifiable Identity (using our YouID Browser Extension) that scales to the Web & Internet, using existing open standards (URI, URL, HTTP, HTTPS, RDF Language, RDF Documents, X.509, TLS, and PKI).

Demonstration

The goal of this endeavor is to showcase the following:

  1. Identity verification using a protocol that doesn’t require passwords
  2. Identity toggling within a single browser session, i.e., no browser restart following identity changes
  3. Power of HTTP URIs (hyperlinks) as Entity Identifiers
  4. Use of a single (rather than multiple) X.509 Certificate to authenticate multiple identities (i.e., various WebIDs) in a single HTTPS session

Here’s a quick breakdown of the role of each open standard used in this exercise:

  1. URI — an Entity Identifier (i.e., People, Places, Software, and anything else that comes to mind or perceived via our “mind’s eye”)
  2. URL —a Document Location (i.e., an Address on a Network)
  3. HTTP — a Document Access Protocol
  4. HTTPS — variant of HTTP that includes use of TLS (Transport Layer Security)
  5. RDF Language — an Abstract Language for digital sentence construction that provides a compact rendition of natural language based on its subject, predicate, and object structure
  6. RDF Documents — a variety of Document Types for persisting RDF Language Sentences (e.g., RDF-Turtle, JSON-LD, RDF-XML, and others)
  7. WebID — an HTTP URI that identifies an Agent (Person, Organization, or piece of Software)
  8. WebID-Profile Document — an RDF document that describes an Agent
  9. X.509 — Digital Identity Card (Certificate) use to store Identity Claims
  10. TLS — Secure Data Transmission Protocol (this is the “S” in HTTPS)
  11. PKI — Public Key Infrastructure which is an established methodology for signing and encoding content using asymmetric keys (i.e., Public & Private Keys); for instance, this is a critical part of the methodology used to enact and complete a TLS-handshake
  12. WebID+TLS — an enhancement to TLS protocol that includes looking up additional claims (specifically, Public Key association) from a WebID-Profile document en route to identity verification
  13. WebID+TLS+Delegation — an enhancement to WebID+TLS protocol that includes looking up delegation-oriented relationship types from a WebID-Profile document en route to identity verification.

Here’s a depiction of my local X.509 Certificate that holds identity claims that I used to identify my Software Agent distinct from myself in the example that follows:

X.509 Certificate snippet from my local Key Store (note the live hyperlinks)

Stage One

This exercise assumes that you already have a WebID. If not, you can generate one using any of the following services:

  1. Online WebID and WebID-Profile Document Generator
  2. WebID and WebID-Profile Document Generator for iOS
  3. WebID and WebID-Profile Document Generator for Android.

Remember, a WebID is an HTTP URI (Hyperlink) that identifies an Agent (Person, Organization, and Machine) in a manner that’s implicitly linked to a WebID-Profile Document that contains a variety of identity claims.

The focal point of this exercise boils down to establishing a machine- and human-comprehensible relationship between a piece of software and a user where both entities are unambiguously identified using their respective WebIDs. In addition, we have RDF Language sentences describing relationships that exist between a Person and a piece of Software:

Illustrating Entity Relationships that associate a Person and Digital Agents (e.g., Software Applications like a Web Browser)

You achieve this goal (outlined above) by performing the following four steps:

  1. Download at least one of PKCS#12 credentials document at <http://kingsley.idehen.net/DAV/home/kidehen/RWWTests/my_software_agent_https.p12> — note, the password for accessing this protected docs is “1234”
  2. Send me your WebID so that I can associate it with the “My Software Agent” as seen at <http://id.myopenlink.net/describe/?url=https%3A%2F%2Fid.myopenlink.net%2FDAV%2Fhome%2FKingsleyUyiIdehen%2FPublic%2Fsoftware-agent.ttl%23i&distinct=1>
  3. Reciprocate the association in step 2 by adding an acl:delegates and/or oplcert:hasIdentityDelegate relation to your WebID-Profile document with <https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> as the object (or value) and your WebID as the subject (i.e., 
    @prefix oplcert: <http://www.openlinksw.com/schemas/cert#> . 
    @prefix acl: <http://www.w3.org/ns/auth/acl#> . 
    <{your-webid}> acl:delegates <https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i>. <{your-webid}> oplcert:hasIdentityDelegate <https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> .
    ).
  4. Add a relation to your WebID-Profile document that associates WebID of My Software Agent with its Public Key, e.g., using an RDF-Turtle based WebID-Profile doc it would be (note: you can copy and paste what follows to the end of your profile document, verbatim):
## For Software Agent Identified using an HTTPS URI
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<https://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i> cert:key
[
a <http://www.w3.org/ns/auth/cert#RSAPublicKey> ;
cert:exponent "65537"^^xsd:int ;
cert:modulus "aba0d325a82d36c98c96aa1ba7c2bb3131a51d3b1d7db1fc035a2bf3275d8878e1a54f17aee40a89c86e0304185c765242f4ad808a59e1f07f89794af6109ee5922e5fbf27f1f605999f31251c29548d7e035951f6fd4563dd6d29555ac6f72d0c07464073670a652dbe0f0aba897665d8cfcf341c42968e02a0238689eb88f611544efafde1545a776b69261f99378da5276f2cdc3ea0ef07ee5b59999d80115c1f0b59c84c841c584840cde7101223b056ddc685740ef21c1eeddd5480414a090a09932c50182c17d33c1283b4776ae5f6431bcd7990a3f789f82a2fb65349ff5890448dff2e00b75f4bb11341dcf026788429a57e753d91d3484c58b1660b"^^xsd:hexBinary] .

Note: The public key data presented above has to be replaced whenever the Software Agent’s certificate expires (typically, this happens every 60 days for the certificate I use in this exercise — next refresh is 7th September 2018).

Stage Two

Having completed the first four steps, above, you can experience the power of your YouID Browser Extension by performing the next four steps:

  1. Register your WebID with the YouID Browser Extension
  2. Register the WebID of My Software Agent with the YouID Browser Extension — note, this is purely for the effect of demonstrating identity toggling which is the main theme of this post
  3. Direct your browser to <http://linkeddata.uriburner.com/sparql>
  4. Click on Login, and authenticate using the WebID+TLS protocol option.

Once logged in, you should see your WebID presented as the session Identity Principal. Anything else implies at least one of the following:

  • Something is wrong with the setup in your WebID-Profile document; e.g., the RDF sentences that associate your WebID with My Software Agent’s WebID may be missing.
  • Something is wrong with the RDF Language sentences in your WebID-Profile document that associate the Public Key data with My Software Agent.

Stage Three

Once you’ve successfully logged into the SPARQL Query Service with your WebID as the visible Identity Principal, please take these final four steps:

  1. Click on YouID Browser Extension icon and change your preferred WebID by hatching the checkbox beside this registered WebID, e.g., <http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/software-agent.ttl#i>
  2. In the SPARQL Query Service page, click on “Change Login” link
  3. Authenticate once again using WebID+TLS
  4. Look at the Identity Principal. This should now be My Software Agent’s WebID

Here’s an embedded video (silent screencast form) that demonstrates Stage Three:

You can also repeat this WebID-toggling exercise using other services that have been built to simplify exercising and troubleshooting WebID+TLS+Delegation authentication protocol usage:

[1] http://id.myopenlink.net/ods/webid_demo.html — very basic WebID+TLS Authentication Service (that also includes support for WebID+TLS+Delegation)

[2] https://osdb.openlinksw.com/osdb — another simple authentication service that supports both protocols

[3] http://linkeddata.uriburner.com/sparql — SPARQL Query Service endoint that provides login, change login, and logout options

Wrap up

As you can see, we used a combination of a public profile document, a private digital identity card (x.509 certificate), a private key, entity relationship type semantics (represented using RDF sentences) to demonstrate verifiable identity that scales to the Web. Hopefully, you noticed that Passwords are obsolete in this mode of operation which eliminates another point of vulnerability and management tedium.

Most importantly, none of this has been achieved at the expense of user interface (UI), user experience (UX), or administrator manageability (i.e., you don’t need a certificate for every user).

Links

Related