Re: Perceived issues with TLS Client Auth

On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:

> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net> wrote:
>> Here is how that would look if we were to imagine a user (me) using Google+.
>> 
>> One day I go to google plus on my desktop browser and Google Plus entices me to
>> "Use WebID and login securely across the web"
>> I click on that banner, and pronto, a certificate is created and transferred to
>> my browser. (ok perhaps you add an intermediate page with helpful explanations
>> and cool demos)
>> 
>> Next I am walking down the street with my Android. Google+ is clever enough to notice that my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
>> "Hi Henry, get a WebID certificate for your phone too"
>> I click the banner and oops I have a certificate in Android.
>> 
>> Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Something we need to work on still.
> 
> You seem to have missed out a step - how do these web sites know about
> my new WebID?

In the scenario described I get my (personal) WebID from Google+. If I were employed by the W3C I would then get a professional WebID by doing the same procedure on my W3C profile page.

So I then go to say the web site of a friend of mine who has his personal web server, at a domain
joe.name. When I arrive on the front page of https://joe.name/ that site does not ask me to log in, 
it gives me public information that joe is happy for anyone to know. Then perhaps I want to login, so I click
the login button, and this sets up a procedure described in the spec 

   http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer

which starts with a TLS renegotiation and a request for the client certificate as explained in the TLS spec.
If that results in no certificate a pop up can appear, and any number of other authentication systems can be proposed to the user. 

> 
> Also, if I've been using WebID to log into google for some time, and
> my Android phone is new, how do I get logged into G+ in order for
> Google to notice that I do not have a cert?

You use a password there for Google+. Luckily you only need one or two passwords, so those
could be really long and easy to remember - and also dead safe. I don't think I heard that anyone had trouble connecting to Google+ at present with any number of devices, even though people have to remember passwords to do so?

The issue we are trying to deal with is having to remember a password for all the other sites, and the duplication of information that comes with that, the lack of security this duplication brings, the centralisation of information that are the consequences of the difficulty of having all of the above be easy to use - and so the consequent loss of privacy. WebID solves the privacy problem, because it no longer requires centralisation of all information on one mega server, and it allows cross domain identification and cooperation. It helps create a Social Web, as opposed to a social network. (you will find more on that on my home page)

Henry

Social Web Architect
http://bblfish.net/

Received on Wednesday, 26 September 2012 16:11:36 UTC