W3C home > Mailing lists > Public > public-webid@w3.org > September 2012

Re: WebID questions -- was: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

From: Ben Laurie <benl@google.com>
Date: Wed, 26 Sep 2012 11:14:04 +0100
Message-ID: <CABrd9SS-32KHcbbnXJMTdDc=3QssBmCAhTxAtoHbgUMBrEGR9A@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Kingsley Idehen <kidehen@openlinksw.com>, "public-webid@w3.org" <public-webid@w3.org>, Andrei Sambra <andrei@fcns.eu>
On 26 September 2012 10:56, Henry Story <henry.story@bblfish.net> wrote:
>
> On 26 Sep 2012, at 11:15, Ben Laurie <benl@google.com> wrote:
>
>> On 26 September 2012 09:54, Henry Story <henry.story@bblfish.net> wrote:
>>>
>>> On 26 Sep 2012, at 10:42, Ben Laurie <benl@google.com> wrote:
>>>>
>>>> Once more, I remain unenlightened about the answers to my fundamental questions.
>>>
>>> Can we perhaps start back at your fundamental question again? We got sidetracked here a bit because of my-profile.eu
>>> no working well for you.
>>>
>>> The last thing I remember you stating is that authenticating with one ID across multiple sites is in your view a horrendous thing. Is that the fundamental problem?
>>
>> One of them. And not just my view - the view of many. Here's a
>> presentation from a colleague that illustrates our thinking on the use
>> of client certs for authn:
>> http://tools.ietf.org/agenda/81/slides/tls-1.pdf.
>>
>> In case its not obvious, the problem is that its a massive privacy invasion.
>
> Well as I pointed out, it is not a problem if the user controls and is aware of the identity he is revealing on each site. This is a simple User Interface issue which Aza Raskin showed in 2009 how to solve
>
>    https://blogs.oracle.com/bblfish/entry/identity_in_the_browser_firefox

Manually choosing one of hundreds of certs sure sounds like a problem to me!

> and which for which there is a bug open in pretty much every browser, e.g.: Chrome
>
>    http://code.google.com/p/chromium/issues/detail?id=29784
>
> So does the above paper take into account that the user could be aware of the identity
> he is using, and control it?

The above paper uses a certificate per site. Identity is controlled in
Chrome by using the "Users" feature.

> Btw. if you consult the spec you'll see that all a user needs to publish to the world
> is his public key
>
>    http://www.w3.org/2005/Incubator/webid/spec/#publishing-the-webid-profile-document

Publishing all your public keys would defeat the purpose of per-site
certificates - unless you publish each on a different page.

> All the rest can be access controlled.
>
>>
>> Next:
>>
>> 1. Usability in the browser is only part of the problem. But
>> nevertheless it remains a problem.
>
> A problem that browser manufacturers can fix, pretty easily, and which
> is even going to be a legal requirement for them to do, as was explained
> at the IETF summit in Paris earlier this year.

Oh really? Got a link?

>> 2. If am all signed up to WebID and I get a new device, how do I get
>> it signed up? I know your stock response is "you just go through the
>> flow again" - once for every site I'm registered with - using what to
>> identify myself? Bear in mind that there has to be a per-site
>> certificate.
>
> Ah! Here we get at the crux of the misunderstanding!!!
>
> There does not have to be a per site certificate when WebID is used. This is what Linked Data permits us to avoid. This is why WebID is so useful. It is why X509 failed as client certificates. Indeed if all you can use a client certificate for is your own web site then it has very little use - you might as well use a cookie, or a password. But if you can then connect to other sites, and login in one click, then things are different - completely different.

If your answer is that WebID relies on me giving up on not being
linkable across all sites, then we may as well stop talking now -
WebID is useless.

But even for a single certificate you have not answered the question.

>> 3. Related: if I lose all my devices, how do I recover?
>
> If you still have your server you go there and remove all public keys. If you are using a service provider at a university you go and see him and tell him to remove all your keys. If you are at Google, then you get hold of the hotline? How do you do it now?

What? Users have to have servers? This is clearly a non-starter.

Now, you login using your password, just as you have always done. This
is one reason passwords won't go away easily - they're only tied to
me, not my devices.

>> 4. How do I revoke access when my laptop is stolen?
>
> You go to the server and remove the public key from your profile.

How do I log in to the server?

> Or you ask your admin to do that. Or if you have your own server at home, can't remember anything, then you unplug it.
>
>>
>> 5. How do I migrate my existing username/password accounts to WebID?
>
> There is a technical answer and UI answer for that.
>
> Let me start with the user's point of view. Here is how that would look if we were to
> imagine a user (me) using Google+.
>
> One day I go to google plus on my desktop browser and Google Plus entices me to
>  "Use WebID and login securely across the web"
> I click on that banner, and pronto, a certificate is created and transferred to
> my browser. (ok perhaps you add an intermediate page with helpful explanations
> and cool demos)
>
> Next I am walking down the street with my Android. Google+ is clever enough to notice that my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
>   "Hi Henry, get a WebID certificate for your phone too"
> I click the banner and oops I have a certificate in Android.

Up to here this mostly makes sense, but...

>
> Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Someting we need to work on still.

Once more, this is an unacceptable privacy problem.

> So the Technical answer, is that Google+ adds to each profile a representation that can be read as explained in the spec
> http://webid.info/spec/ . It is quite easy to retrofit a normal web site with this info.
>
> Henry
>
> Social Web Architect
> http://bblfish.net/
>
Received on Wednesday, 26 September 2012 10:14:41 UTC

This archive was generated by hypermail 2.3.1 : Sunday, 31 March 2013 14:40:59 UTC