Dear Android security team,

We have been working on a project for open distributed social networks, and as part of this have found a way to use TLS to get one-click authentication, without tying the certificate to a web site [1].

As I have an iPhone, I demonstrated how this works on a non-jailbroken one. There is nothing I have changed on the phone to get it running. For photos of the user interaction see: http://blogs.sun.com/bblfish/entry/one_click_global_sign_on

I am a Java developer, and of course would rather have a more open Java platform such as Android available to do exactly the same thing. Perhaps it is even possible now? I am asking here as an Android newbie, hoping someone may pick this up and help bridge the foaf+ssl community with the Android community. I can't myself be following every cell phone OS :-)

A few things would be nice:

1. Something like support for a <keygen> tag in the browser. Even if it is not perfect, it is simple and works in many browsers such as Opera, Safari, Firefox, ... More advanced versions would be good, but the minimal one is very useful. I use it to help people create their foaf+ssl certificate on http://test.foafssl.org/cert/ By the way, the keygen tag is back in HTML 5, and I support it. http://is.gd/r9fD [2]

2. Something like a very user-friendly KeyChain manager for the whole OS. I think the iPhone does a reasonable job of this. Having to mail your certificate to the iPhone is a security risk though, hence the need for <keygen>. But the Identity Selector presentation on the iPhone is very nicely done.

3. I think if you play around with foaf+ssl a little, you will very soon find a couple of extra ways to make the experience even more user-friendly. Perhaps UI ways of showing the user what identity he is using, and making it easy to automate certificate selection for a web site... But that is advanced stuff.

By the way, there may already be a way to send a user certificate to Android. If so please let us know. We'd like to test this out.

Yours sincerely,

Henry Story
Social Cloud Architect
http://blogs.sun.com/bblfish

[1] Usually client certificates are designed for one web site only, because they have to be certified by a CA, and it is too costly to have a CA create personal certificates. By avoiding the need for a CA, we remove the tie to the web site. The protocol has been called foaf+ssl and has a wiki page http://esw.w3.org/topic/foaf+ssl

[2] See the mailing list discussion http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/a82125772628a72e/960bd6bb8e886f2b?lnk=gst&q=keygen#960bd6bb8e886f2b
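As an added example (not part of Henry Story's message and not the foaf+ssl project's own code), the following Go program sketches the authentication step footnote [1] describes: the user's browser or keychain generates a key pair and a self-signed certificate (what a <keygen> form produces), the certificate's subjectAltName carries the user's profile URI, and the relying party authenticates by checking that the profile publishes the same public key, instead of validating a CA chain. Two simplifications are assumptions of this example: the profile lookup is an in-memory map standing in for dereferencing the profile over HTTP, and a SHA-256 fingerprint of the SubjectPublicKeyInfo stands in for the RSA modulus and exponent a real foaf+ssl profile lists. All function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spkiFingerprint hashes the DER SubjectPublicKeyInfo. This is the value the
// simulated profile publishes (assumption: a real foaf+ssl profile lists the
// modulus and exponent in RDF rather than a hash).
func spkiFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// newSelfSignedClientCert is what a <keygen>-style flow produces on the device:
// a fresh key pair and a self-signed certificate whose subjectAltName names
// the user's profile URI. No CA signs it, so it is not tied to any web site.
func newSelfSignedClientCert(profileURI string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(profileURI)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "foaf+ssl user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// profileLookup maps a profile URI to the key fingerprint that profile
// publishes. It stands in for an HTTP fetch of the profile document
// (constructed for this example).
type profileLookup map[string]string

// verifyProfileKey is the relying party's check: read the profile URI from the
// client certificate, look up the profile, and accept only if the profile
// publishes exactly the key in the certificate. Trust flows from the user's
// own profile document, not from a CA. Possession of the private key is proven
// by the TLS handshake itself; the self-signature check below only confirms
// the certificate is internally consistent.
func verifyProfileKey(cert *x509.Certificate, profiles profileLookup) (string, error) {
	if len(cert.URIs) == 0 {
		return "", errors.New("client certificate carries no profile URI")
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return "", fmt.Errorf("self-signature invalid: %w", err)
	}
	fp, err := spkiFingerprint(cert.PublicKey)
	if err != nil {
		return "", err
	}
	for _, u := range cert.URIs {
		uri := u.String()
		published, ok := profiles[uri]
		if !ok {
			continue // profile unknown or unreachable: try the next URI
		}
		if published == fp {
			return uri, nil
		}
	}
	return "", errors.New("no profile named in the certificate publishes this key")
}

func main() {
	const me = "https://example.org/alice#me" // constructed profile URI
	cert, _, err := newSelfSignedClientCert(me)
	if err != nil {
		panic(err)
	}
	fp, _ := spkiFingerprint(cert.PublicKey)
	who, err := verifyProfileKey(cert, profileLookup{me: fp})
	fmt.Println("authenticated as:", who, "err:", err)
}
```

The failure mode worth noting is the mismatch case: if the profile at the named URI publishes a different key (or no profile exists), the certificate proves nothing about that identity and the relying party must reject it, which is what the loop's final error does.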