
Re: WebID discovery. Was: The Internet Identity (WG) Crisis

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 2 Jul 2011 17:16:45 +0200
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <08CFEAA1-CE0D-48D0-B1F4-C9AAF3482D91@bblfish.net>
To: Anders Rundgren <anders.rundgren@telia.com>

On 2 Jul 2011, at 16:01, Anders Rundgren wrote:

> On 2011-07-02 09:53, Henry Story wrote:
>> On 2 Jul 2011, at 08:23, Anders Rundgren wrote:
>>> I believe there are some very different challenges involved in
>>> the various identity endeavors.
>>> WebID's primary challenge is persuading large social network providers
>>> to upgrade.  This would (IMO) be much more realistic if there was some kind
>>> of mechanism that allowed them with the help of some javascript automatically
>>> redirect the login if the user had a [suitable] WebID.
>> This is quite easy to do I believe, and I have been wanting to implement it 
>> as a way to show how WebID deals with the NASCAR problem.
>> http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/
>> The answer is simple again: place the login endpoint behind an https service 
>> that asks for the client certificates optionally.
>> If the user has a certificate
>>     his browser will ask him to choose one
>>     (or select the last one he took for the site)
>>     resulting in his being logged in.
>> Else
>>     the browser returns a NASCAR selection box
> I wouldn't put my money (if I had any...) on such a solution because it
> is quite intrusive unless some very specific conditions are met.

For the user without a certificate, he would not see anything different from what
he gets now. I don't see what is intrusive.

> In addition, TLS client-certificate-authentication is at least in MSIE
> downright user-hostile and requires restart if you do something wrong.
> There is not even an agreed upon logout scheme for browsers!
> Extract from a web-app of mine:
>     if (document.all == null) { // FF, Opera, etc.: Mozilla-only API that drops the TLS client-cert session
>         if (window.crypto && typeof window.crypto.logout === 'function') window.crypto.logout();
>     } else { // MSIE 6+: flush the cached credentials, including the chosen client certificate
>         document.execCommand('ClearAuthenticationCache');
>     }

Wow! If that works, then I am already delighted! I had not tried that out. That would mean that at least the server can offer logout functionality to the client (by adding the required javascript to the web page)!

Of course in my talk at the Identity in the Browser I argue for client controlled identity selection. I think without this the browsers cannot claim anything serious about privacy of their users. (Btw, the video is now on http://webid.info/ in different html5 formats.)

> We are (de-facto) stuck with stuff that hasn't progressed much since Netscape
> introduced SSL back in 1995.
> In fact, quite a bunch of the bank/e-government plugins I tend to bring up in
> these contexts rather PKI-authenticate at the *app-level*. This is essentially
> analogous to form-based login versus HTTP-auth (which "nobody" uses).

You mean application in the browser right? Yes, I would support fine grained behaviour such as at least per tab authentication. 

But my point as always is that it will be much easier to push these changes with some excellent demos that show what one can do now, and then build a campaign of awareness of privacy aimed at the browser vendors, to show them how they can compete to get the "best privacy protecting browser". OS vendors of course are also welcome to participate. But these are UI/crypto/political/social issues, which is to say the least an odd mixing of interests.

> I therefore included such a scheme in the suite of PKI-enabled applications
> (WASP, WebAUTH and InfoCards) which I started with before I realized that
> "Getting the Damned Key" was higher up on the food chain.

I think one needs to go towards the markets that put fewer constraints on getting the key, show
to a larger audience how useful that is and then help them articulate their privacy demands.

This is like all mass movements. Think of the PC or the web, which started out not being taken seriously by the larger players - here military or high security players - because of the many inadequacies (security on Windows 3.1?!) but then grew into it with volume. The knee-jerk reaction is to go to those that understand. But their intelligence also means that the volume is much smaller.

>> So no need for Javascript, or anything new to get things working. 
>> Of course there are huge improvements that browser vendors can then make, but one does not
>> need to start ex-nihilo.
> The NASCAR (a new term for me) selection box is the best short-term migration
> solution.  I'm not sure that it is technically feasible doing discovery without
> actually making things even worse.

Mhh. What do you mean by doing discovery? Where is this happening and what is the problem?

>  It might be better that the platform remembers your selection for future uses.

Browsers can be set up to do that. One could write a little add-on for different browsers to make those available in a one-click gesture. What is more important is that browsers show the user what they are identified as at sites, in such a way that he can control it. This is like Apple adding a little light to the laptop camera when it is on so that one can be aware that one is not just speaking to the room.


> <snip>
> Anders

Social Web Architect
Received on Saturday, 2 July 2011 15:17:28 UTC
