- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 9 Oct 2012 09:47:22 +0200
- To: Yoav Nir <ynir@checkpoint.com>, "http-auth@ietf.org" <http-auth@ietf.org>, Derek Atkins <derek@ihtfp.com>
- Message-Id: <F86CB6B1-2B84-45C0-BC24-4DC4BFDBA965@bblfish.net>
Hi,

On the TLS mailing list [1], a discussion on making TLS Client-Authentication useful was ruled out of bounds, and Yoav Nir suggested this be a better place to argue for it. Since I have been discussing this quite widely, I just wanted to collect the discussions I have had in various groups on the W3C and IETF here, to help perhaps provide material for your Atlanta BOF (which I won't be attending, though I will be at W3C TPAC [2]).

So to start off with, my argument for TLS authentication comes from experience we have had developing the WebID protocol at the W3C, which is really just explaining how one can use TLS to do client authentication globally and usefully. At this point some people's hair stands on end, because this implies linkability of identity across sites. So I recently posted an argument for "Liking Linkability" on the saag@ietf.org and public-privacy@w3.org mailing lists. In short, linkability of identity is very important to increase privacy on the web.

http://www.ietf.org/mail-archive/web/saag/current/msg04044.html
http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/

So having established that, it is important to notice that TLS can do a lot more than people realise with client certificates. Essentially with TLS you can:

- authenticate on any site using WebID enabled certificates
- place information in an access controlled manner at the WebID profile location
- use this to create distributed social networks - the social web
- use information on the web to improve browser experience

More on video at http://webid.info/ and the W3C draft spec http://webid.info/spec/, and of course a lot of real working code, of which one of the best currently is https://my-profile.eu/ where you can create a certificate to authenticate, say, on https://foafssl.org/srv/idp?rs=http%3A%2F%2Fbblfish.net%2F (but we need more demo apps - something I am working on).

So the main problem in my view is not at the TLS layer, or at the HTTP layer, but at the browser UI layer.
Since I already had a long discussion with Ben Laurie on the topic, I'll just point to it here. Starting from a simple definition of transparency of identity, we agree that anonymous should be the default on the web, and in my view one is then committed to making it easy for the user of the browser to see what his identity is at all times.

http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-definitions-1Oct.pdf

Even Chrome's new persona feature does not give me this transparency of traceability/identity. I finally show how browsers could use the information available at the WebID to personalise the UI of the certificate selection box in a non privacy invading manner.

http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-definition-final.pdf

So I think that covers most of my thoughts on the subject. I opened bug reports elsewhere.

Having used TLS client authentication (for non anonymous login of course) I am pretty impressed by the power of that technology. It has been underused in part because:

- web servers have done a bad job making it easy (but that is going to change pretty soon, when servers like Play 2.1 show how one can use Futures to get certificates in the middle of an HTTP connection, without breaking state: https://github.com/jroper/Play20/blob/ssl/framework/src/play/src/main/scala/play/api/mvc/Http.scala#L57 ). But we do otherwise have implementations of WebID in every language and platform (see http://www.w3.org/wiki/Foaf%2Bssl#Libraries )
- CAs create a not very believable security method - but IETF DANE should take care of that

So fundamentally:

- make UIs transparent please; this may be a legal requirement in the EU, and even if it is not, browser vendors should do what is right.
  See Dr Ian Walden's short contribution: http://lists.w3.org/Archives/Public/public-webid/2012Oct/0021.html
- Implement DANE: http://tools.ietf.org/html/rfc6698
- play with WebID

And you'll find there is a huge amount of fun and great apps that can appear.

Ah, and finally: TLS versus JS crypto in the browser. I think in-browser crypto is going to be a good thing, but not because of Auth - that will be better left to the TLS layer because:

- TLS is efficient
- JS is a Turing complete language - why download something that big when a little language can do it right
- whatever JS brings in advantage on the UI level would be better done declaratively by tying TLS to resources on the web.
- JS will only be better if it is not phishable, and the work to do that right will be just as difficult if not much more than the small improvements to TLS

That's all folks, I need to get back to programming. Hope that helps for the IETF meeting.

All the best from France,

Henry

[1] http://www.ietf.org/mail-archive/web/tls/current/msg09001.html
[2] http://www.w3.org/2012/10/TPAC/

Social Web Architect
http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Tuesday, 9 October 2012 07:48:17 UTC
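The message describes WebID-enabled client certificates without spelling out what the server checks after the TLS handshake. The following is an added example (not code from the message, the WebID project or any library it links) of that verification step as the WebID-TLS draft at http://webid.info/spec/ defines it: the certificate names a WebID in its subjectAltName, the server dereferences that URI and checks that the profile document lists the certificate's RSA public key. It assumes the certificate fields are already extracted and replaces the HTTPS fetch with a constructed in-memory profile.

```python
import re

# Constructed WebID profile (Turtle, cert ontology) served at the WebID URI.
# Per the WebID-TLS draft, cert:modulus is xsd:hexBinary and cert:exponent an
# integer. The dict stands in for an HTTPS fetch of the profile document.
PROFILES = {
    "https://alice.example/profile#me": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://alice.example/profile#me> cert:key [
    cert:modulus "00C0FFEE1234ABCD"^^xsd:hexBinary ;
    cert:exponent 65537
] .
""",
}

# Toy extraction for the constructed sample only; a real server would run an
# RDF parser so prefix and blank-node variations are handled correctly.
KEY_BLOCK = re.compile(r"<(?P<subject>[^>]+)>\s+cert:key\s+\[(?P<body>.*?)\]", re.S)
MODULUS = re.compile(r'cert:modulus\s+"(?P<hex>[0-9A-Fa-f]+)"')
EXPONENT = re.compile(r"cert:exponent\s+(?P<int>\d+)")

def profile_keys(doc, webid):
    """Return the set of (modulus, exponent) pairs the profile asserts for webid."""
    keys = set()
    for m in KEY_BLOCK.finditer(doc):
        if m.group("subject") != webid:
            continue  # keys listed for some other subject prove nothing
        mod = MODULUS.search(m.group("body"))
        exp = EXPONENT.search(m.group("body"))
        if mod and exp:
            # Compare as integers: leading zeros or hex case must not matter.
            keys.add((int(mod.group("hex"), 16), int(exp.group("int"))))
    return keys

def verify_webid(san_uris, modulus, exponent, fetch=PROFILES.get):
    """Return the first subjectAltName URI whose profile lists the presented
    RSA public key, or None. No CA chain is consulted: WebID-TLS trusts the
    profile document the WebID dereferences to, not the certificate issuer."""
    for webid in san_uris:
        doc = fetch(webid)
        if doc is None:
            continue  # unreachable profile: ownership cannot be shown
        if (modulus, exponent) in profile_keys(doc, webid):
            return webid
    return None
```

A server would call `verify_webid` with the SAN URIs and RSA parameters read from the peer certificate of the TLS session; a `None` result means the session is authenticated to no WebID and should be treated as anonymous.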