W3C home > Mailing lists > Public > public-usable-authentication@w3.org > February 2008

Re: Public-Key authentication for websites

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Fri, 15 Feb 2008 12:44:59 -0500
Message-ID: <47B5CF9B.9090807@mozilla.com>
To: Christoph Hack <c.hack@gmx.at>
CC: public-usable-authentication@w3.org

Christoph Hack wrote:
> Oh, you are right. Looks like SSL/TLS is exactly what I want, I just
> haven't known that you can create and use this certificates on the
> client side too. I never saw that before, but I will take a deeper look
> on it.
> 
> The only problem is that you must pay quite a lot for a trusted
> certificate and that you aren't able to use existing Web-of-Trusts (if
> you are using cacert). (Beside of that fact, that SSL/TLS doesn't
> work on virtual hosts). And that nearly nobody owns a private
> certificate (in comparison to GPG keys, which are well known in Linux
> communities *g*).

I'm glad this is helpful to you, and I would encourage you to take a 
closer look, but I wanted to catch a couple things up front.

First off - vis a vis pricing on SSL certs, if you are looking to 
experiment, there are several CAs that will cut server SSL certs for 
<$20, and a couple that do them for free, so I hope you won't find the 
expense too prohibitive.

But also, for client certs, there needn't be any cost at all, at least 
not for a particular site.  A client cert's job is to prove *to the 
server* that you are who you claim to be.  With that in mind then, a 
server can generate and sign its own client certificates as needed; as 
long as the certificate presented by a client is one the server has 
properly signed, the server can trust it.  Because this case is 
Many-to-1, there isn't a real need for the CA, who acts as a trusted 
third party in many-to-many transactions.

On the other hand, if you want a client certificate which is accepted 
and recognized by multiple unrelated servers, which identifies you as 
you in some verified way, then yes, I imagine there will be a cost 
involved in that verification.  Some of this work already exists for 
individuals acquiring things like code-signing certificates, but you 
might also look at the various (ahem) "Identity 2.0" companies out there 
who are trying to build a marketplace around this concept.

Cheers, and happy hunting,

Johnathan

> 
> Anyway many thanks for your answer :)
> 
> Christoph
> 
> 
> On Fri, 2008-02-15 at 10:41 -0500, Johnathan Nightingale wrote:
>> I'm not sure if this is the right list (nor how precisely, for that  
>> matter, I got onto this list :) but how does your idea differ from  
>> just using client certs?  Yes, that potentially means the format of  
>> your GPG key might not be directly compatible, but there is pretty  
>> widespread use of, for instance, government-issued non-repudiation  
>> keys for e-government stuff.
>>
>> As far as I know, though I haven't looked in detail, most modern  
>> browsers allow sites to store client certs, and to request client  
>> certificates as part of the TLS handshake.
>>
>> Or am I totally missing your point?
>>
>> Johnathan
>>
>>
>> On 14-Feb-08, at 7:00 PM, Christoph Hack wrote:
>>
>>> Hiho everybody,
>>>
>>> today Public Keys are very popular and most Internet applications
>>> support GPG-Keys (e.g. lots of Mail readers and Jabber). Those public
>>> keys are much more secure and the user doesn't have transmit his
>>> password and remember it.
>>>
>>> But up to now, there aren't any Web Browsers which support a way to
>>> ask the user to sign something with his personal GPG Key. (please tell
>>> me if I'm wrong). But I think if somebody could write a RFC or  
>>> something
>>> similar for that, there might be a chance of getting this feature into
>>> some full-featured browsers :)
>>>
>>> Use Case:
>>> A use case for that could be the authentication handling for a web  
>>> site.
>>> The websites must provide an (optional) way for the user to attach his
>>> public keys to his profile and when the user wants to log-in, it's
>>> enough if he is able to decrypt or sign a specific message.
>>>
>>> Benefits:
>>> - the user must not remember different passwords
>>> - it's probably much more secure than other password handling methods
>>> - websites could use this as an alternative authentication method
>>> - Bruce Force attacks against hashes in big databases (like recently  
>>> on
>>>   phpbb, woltlab, smf) aren't possible any more
>>> - and yes, I know that this idea is similar to OpenID, but it doesn't
>>>   require any additional services
>>>
>>> Problems:
>>> You can't use static messages for signing or decrypting, because then
>>> there is a high risk that somebody might collect and use the
>>> authentication information again. On the other side, completely  
>>> dynamic
>>> keys allow the server to get any messages signed by the user, probably
>>> with content the user don't want to sign. So there must be a well
>>> defined format (for example a tuple including a general header to
>>> describe the context, a domain and a secret (session)-key)...
>>>
>>> So, I am very interested in your opinion now. Do you think there is a
>>> way to get a feature like that? Or is this idea just a crap?
>>>
>>> Regards,
>>> Christoph Hack
>>>
>>>
>>> PS: I hope this is the right ML to share this idea, if not please
>>> redirect to the right one...
>>>
>>>
>>>
>> ---
>> Johnathan Nightingale
>> Human Shield
>> johnath@mozilla.com
>>
>>
> 
Received on Friday, 15 February 2008 17:45:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:15 GMT