W3C home > Mailing lists > Public > public-identity@w3.org > July 2011

Re:

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Wed, 20 Jul 2011 09:48:37 +0100
Cc: public-identity@w3.org, "Karen P. Lewison" <kplewison@pomcor.com>
Message-Id: <8EE12EAD-4756-463A-915F-75293F84E2D3@bbc.co.uk>
To: fcorella@pomcor.com
Hi Francisco,

Thanks for forwarding this paper to the list, it certainly made interesting reading.

I haven't given it a thorough reading yet, but a couple of thoughts sprang to mind while skipping through it.

1. I absolutely agree that some means by which application-layer code can signal to a UA the end of a session is going to need to be high on the list of priorities — and I think this is increasingly going to apply irrespective of whether identity systems are PKI-based or otherwise. Certainly in SSL/TLS-land, it's very hit and miss.

2. I'd be wary of building a system whereby authentication tokens (i.e., client certificates) are issued in a centralised fashion — I'm increasingly becoming convinced that conflating the “identification” and “assurance” functions of an identity system is a fool’s errand, and that it would be wise to decouple them — in other words, I can use _any_ valid X.509 certificate to identify myself, but assurance information (such as institutions that I belong to, for example) while separate, is cryptographically associated (e.g., by way of a signature and countersignature). Separating the identification from the assurance data might also remove the need to extend TLS itself?

3. Broadly speaking, the reason that PKI-based identity systems haven't taken off to date, despite their ubiquity, has little to do with their inability to fulfil a technical purpose and more to do with the fact that the user experience of doing -anything- PKI-based outside of a corporate environment (and often inside one) is consistently confusing and unpleasant for ordinary users, and I'm including the problems of key management in amongst that.

My gut feeling (and please don’t take this as a criticism of the paper — it's a more general comment) is that if a PKI-based identification system can be shown to be workable by real people in ordinary contexts (e.g., with extensions to browsers to aid key management and transport, identity selection, and so forth), then it's very easy to envisage a world in which strong crypto is used as the basis for identity on the Web, and that would be a very very good thing indeed. Without solving those problems, proposals based upon PKI and the like do very much seem like building the Eiffel Tower on sand: it's a nice design, but the foundations are seriously problematic.

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Drive, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A


http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
					
Received on Wednesday, 20 July 2011 08:49:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 July 2011 08:49:14 GMT