
Re: Perceived issues with TLS Client Auth

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 26 Sep 2012 15:24:40 +0200
Cc: public-webid <public-webid@w3.org>, Ben Laurie <benl@google.com>
Message-Id: <D6CAF040-8A22-46AB-91EA-A05B13B47C96@bblfish.net>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Thanks, Melvin. Linking to the answers I gave in the discussion with Ben Laurie.

Very short answers here, with more details in the previous thread.

On 26 Sep 2012, at 14:04, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> Why not use TLS Client Auth? Because it has problems:
>  User Experience
>  Cert generation has UI
>  Cert selection has UI
> (happens before user can see content of web site)

Wrong. You can have the cert selection come after you see the Web.
See the diagram in section 3 of the spec http://webid.info/spec/#the-webid-protocol
You use TLS renegotiation when requesting the certificate.

You can see it working on here:

notice you are behind https. Notice that you don't get a certificate request until you click the 

>  Privacy
>  user identity is same across all web sites

Answer: it does not need to be. One can select certificates for each web site. And this could be improved by work
from Aza Raskin. See
and the pictures in big 

And improvement request on Chrome:

>  Portability
>  moving certs is a hassle

WebID makes moving certs a non-problem. It can, it is true, be done by hand, in which case it is non-intuitive.
Or it can be done with crypto keys such as http://www.crypto-stick.com/ which would be a lot better.

But no need to wait for wide deployment of crypto sticks. Certificate generation is so simple and cheap one can make them in one click. 

The following videos show this:
  - "The WebID and Browsers" video: http://webid.info/
  - "WebID creation and use in 4 minutes across browsers": http://www.youtube.com/watch?v=S4dlMTZhUDc

Here is a story of how it would work on Google+

Here is how that would look if we were to imagine a user (me) using Google+.

One day I go to google plus on my desktop browser and Google Plus entices me to 
"Use WebID and login securely across the web"
I click on that banner, and pronto, a certificate is created and transferred to 
my browser. (ok perhaps you add an intermediate page with helpful explanations 
and cool demos)

Next I am walking down the street with my Android. Google+ is clever enough to notice that my Android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
"Hi Henry, get a WebID certificate for your phone too"
I click the banner and oops I have a certificate in Android.

Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Something we need to work on still.

>  Problems in Datacenters
>  make TLS terminators part of the TCB

not sure what TCB is. But I think hardware TLS support needs just to verify the private key and send the certificate on to the app server.

> http://tools.ietf.org/agenda/81/slides/tls-1.pdf.
> As reported in previous thread with Ben Laurie.


Social Web Architect
Received on Wednesday, 26 September 2012 13:25:24 UTC
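The login flow Henry describes above (public pages served with no certificate prompt, a certificate requested only when the user clicks "login", an enrollment offer when the browser has none, and a presented certificate checked against the key published at the WebID it names, per section 3 of the linked spec) as server-side decision logic. This is an added example, not code from the thread or from the WebID project. The `getpeercert()`-style dict layout is Python's real `ssl` layout; the WebID URI, the key values, the profile fetcher and the `PROTECTED_PATHS` set are constructed for the example.

```python
"""Decision logic for a WebID-style client-certificate login (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

# Paths that need an identity. Everything else is served to anonymous
# visitors without any certificate prompt (hypothetical set).
PROTECTED_PATHS = frozenset({"/login", "/me"})

# The profile lookup is injected so the example runs offline. It maps a
# WebID URI to the (modulus, exponent) pairs its profile publishes; in the
# real protocol those come from the document fetched at the WebID URI.
ProfileKeys = Sequence[Tuple[int, int]]
ProfileFetcher = Callable[[str], ProfileKeys]


@dataclass(frozen=True)
class Decision:
    # "serve" | "request_cert" | "offer_enrollment" | "logged_in" | "reject"
    action: str
    webid: Optional[str] = None
    reason: str = ""


def webid_from_peercert(peercert: dict) -> Optional[str]:
    """Return the first URI subjectAltName entry, using the dict layout of
    ssl.SSLSocket.getpeercert(): {"subjectAltName": (("URI", "..."), ...)}."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "URI":
            return value
    return None


def decide(path: str, cert_requested: bool, peercert: Optional[dict],
           cert_key: Optional[Tuple[int, int]],
           fetch_profile: ProfileFetcher) -> Decision:
    """Decide what to do for one request.

    cert_requested: whether the server has already asked this connection
                    for a client certificate (the renegotiation step).
    peercert:       getpeercert() result; {} or None means none presented.
    cert_key:       (modulus, exponent) of the presented certificate's RSA
                    key; getpeercert() does not expose it, so the caller
                    extracts it with a certificate-parsing library
                    (assumed to exist outside this example).
    """
    if path not in PROTECTED_PATHS:
        # Public content: the user sees the site before any cert prompt.
        return Decision("serve", reason="public content, no certificate prompt")
    if not cert_requested:
        # First touch of a protected path: only now ask for a certificate.
        return Decision("request_cert", reason="renegotiate and request a client certificate")
    if not peercert:
        # The browser had nothing to offer (the phone story in the thread):
        # offer enrollment instead of failing the request.
        return Decision("offer_enrollment", reason="no client certificate presented")
    webid = webid_from_peercert(peercert)
    if webid is None:
        return Decision("offer_enrollment", reason="certificate carries no WebID URI")
    # The certificate is self-asserted; identity comes only from the key
    # match against what the WebID's profile publishes.
    if cert_key is not None and tuple(cert_key) in [tuple(k) for k in fetch_profile(webid)]:
        return Decision("logged_in", webid, reason="certificate key published at WebID")
    return Decision("reject", webid, reason="certificate key not published at WebID")


# Constructed sample data (not real identities or keys).
SAMPLE_WEBID = "https://example.org/people/henry#me"
SAMPLE_KEY = (0xC0FFEE, 65537)            # toy modulus and exponent
SAMPLE_PROFILES = {SAMPLE_WEBID: [SAMPLE_KEY]}
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "Henry"),),),
    "subjectAltName": (("URI", SAMPLE_WEBID),),
}


def sample_fetch(webid: str) -> ProfileKeys:
    """Offline stand-in for dereferencing the WebID profile document."""
    return SAMPLE_PROFILES.get(webid, [])


if __name__ == "__main__":
    for args in [("/", False, None, None),
                 ("/login", False, None, None),
                 ("/login", True, {}, None),
                 ("/login", True, SAMPLE_PEERCERT, SAMPLE_KEY),
                 ("/login", True, SAMPLE_PEERCERT, (0xBAD, 65537))]:
        print(args[0], "->", decide(*args, sample_fetch))
```

One caveat for anyone wiring this to Python's `ssl` module: with `verify_mode = CERT_OPTIONAL` a certificate that is presented must still chain to a trusted CA or the handshake fails, so self-signed WebID certificates need a TLS layer that hands the certificate through without chain validation and leaves the key-match check to the application, as above.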