[cap-talk] Webkeys vs. the web

Charles Landau clandau at macslab.com
Sun Mar 22 23:17:22 EDT 2009

Chip Morningstar wrote:
> If all authority is carried via webkeys, then to get at anything a user needs
> to know the thing's URL.  Looking at this from the perspective of the web
> browser, there are three places it can hold onto webkeys: (1) in bookmarks, (2)
> in the browse history, or (3) in an open page, either in links that are
> actually on the page or in the memory state of Javascript objects loaded from
> that page.  These are the roots of the browser's authority.  It can also get to
> anything reachable from these by fetching whatever they link to and following
> the chain of references.  So far, so good.
> Now let's consider a browser-based UI.  I can't reliably count on using (1) or
> (2) to hold the user's root authorities (in essence, their powerbox) because
> the user might not be coming to the site using the same browser as last time,
> and even if they did they might not have thought to bookmark the right things,
> either because they're stupid or because they just didn't know that that was
> what they were supposed to have done.  

This problem, namely getting back to where you were, applies to any web 
location, not just webkeys. Any existing solution (for example importing 
bookmarks) should work for webkeys too.

> So to deal with this, I had the notion of a having the server hold the
> powerbox, and have a password-authenticated "login" operation that hands it
> back.  So the user logs in, gets their bundle of root authorities, and off to
> the races they go.  

To which Kevin Reid responded:
> Note that it doesn't have to be *your* site that hands out webkeys
> given passwords - any secure bookmark-storage site can do it.

This seems like a reasonable solution.

More information about the cap-talk mailing list