W3C home > Mailing lists > Public > public-webid@w3.org > September 2012

Re: Perceived issues with TLS Client Auth

From: Ben Laurie <benl@google.com>
Date: Thu, 27 Sep 2012 10:35:51 +0100
Message-ID: <CABrd9SRtEcs=f7WOGKRuEQU+_CmP5SH9kY7QjpP6h27t9Q_3mA@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
On 27 September 2012 10:19, Henry Story <henry.story@bblfish.net> wrote:

> On 27 Sep 2012, at 10:51, Ben Laurie <benl@google.com> wrote:
> On 26 September 2012 17:10, Henry Story <henry.story@bblfish.net> wrote:
> On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:
> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net> wrote:
> Here is how that would look if we were to  imagine a user (me) using
> Google+.
> One day I go to google plus on my desktop browser and Google Plus entices
> me to
> "Use WebID and login securely across the web"
> I click on that banner, and pronto, a certificate is created and
> transferred to
> my browser. (ok perhaps you add an intermediate page with helpful
> explanations
> and cool demos)
> Next I am walking down the street with my Android. Google+ is clever
> enough to notice that my android does not have a certificate - it does a
> TLS request for a client certificate, but receives none - and so asks me
> "Hi Henry, get a WebID certificate for your phone too"
> I click the banner and oops I have a certificate in Android.
> Once I have a certificate for a device, I can log into any web site that
> supports WebID in one click. I can also determine for any site how much
> information I wish to give that site about me - using access control on
> information at my profile. Someting we need to work on still.
> You seem to have missed out a step - how do these web sites know about
> my new WebID?
> In the scenario described I get my (personal) WebID from Google+ . If I
> were employed by the W3C I would then get a professional WebID by doing the
> same procedure on my W3C profile page.
> So I then go to say the WebSite of a friend of mine who has his personal
> web server, at a domain
> joe.name . When I arrive on the front page of https://joe.name/ that site
> does not ask me to log in,
> it gives me public information that joe is happy for anyone to know. Then
> perhaps I want to login, so I click
> the login button, and this sets up a procedure described in the spec
> http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
> which starts with a TLS renegotiation and a request for the client
> certificate as explained in the TLS spec.
> How does joe.name know this certificate represents you?
> 1. Through TLS his server knows that I have the private key of the public
> key in the certificate.
> 2. The verification of the WebID is then done by follwing the procedure
> described here
>    http://www.w3.org/2005/Incubator/webid/spec/#verifying-the-webids

Right - so the steps you missed are where the WebID profile gets updated to
include the new key, and where joe.name somehow (how?) decides that this
WebID is allowed to log in...

> If that results in no certificate a pop up can appear, and any number of
> other authentication systems can be proposed to the user.
> Also, if I've been using WebID to log into google for some time, and
> my Android phone is new, how do I get logged into G+ in order for
> Google to notice that I do not have a cert?
> You use a password there for Google+ . Luckily you' only need one or two
> passwords, so those
> could be really long and easy to remember - and also dead safe. I don't
> think I heard that anyone had trouble connecting to Google+ at present with
> any number of devices, even though people have to remember passwords to do
> so?
> People forget passwords all the time, even though they have to use
> them regularly. The problem gets much worse for passwords that are
> used rarely.
> well use whatever procedures you are using now and adapt them. This is not
> a new problem,  and it is not the problem we are trying to solve. One could
> say indeed that this is a solved problem. I put my passwords in a key chain.
> The issue we are trying to deal with is having to remember a password for
> all the other sites, and the duplication of information that comes with
> that, the lack of security this duplication brings, the centralisation of
> information that are the consequences of the difficulty of having all of
> the above be easy to use - and so the consequent loss of privacy. WebID
> solves the privacy problem, because it no longer requires centralisation of
> all information on one mega server, and it allows cross domain
> identification and cooperation. It helps create a Social Web, as opposed to
> a social network. (you will find more on that on my home page)
> I totally understand the goals, and I have no argument with them. My
> concerns are purely around usability. But apparently you don't want to
> hear that - you think you have a usable solution. So what's your
> explanation for lack of adoption?
> The solution we are proposing cuts across domains very heavily: from TLS
> to UI to LinkedData. Most devs don't grok TLS that well. If they do, they
> don't tend to be good at UI. Rarely do they know LinkedData. None of these
> is difficult, once one has a few demonstrations. It is not unlike the
> difficulty people had explaining the web before Netscape came out. If you
> don't see it used you need to be the type of person who can project himself
> imaginatively into a new domain. Not everybody is like that.
> The further problem is that these tools are making use of old technologies
> in new ways and so it requires a conceptual shift, not unlike the one
> involved in seeing a duck or a rabbit in the image below [1]
> And in many of these spaces people's attitudes to received wisdom is very
> hardened. So it is difficult to get them to make that shift. Add to that
> that there may be some perceived business interests in not shifting and one
> has an answer to your question. Notice that sometimes people do get it, but
> then they want to make a million out of it. I think that is what happened
> to the original developer assigned to bug
> http://code.google.com/p/chromium/issues/detail?id=29784
> He left your company soon thereafter to work for a startup that was
> attempting to integrate all social networks into Google Chrome.
>   Anyway, lets leave it to the historians to understand why people could
> not see that the earth is round, or why they could not see that the earth
> was turning around the sun. When people moved form one to the other way of
> thinking nothing in reality changed. It could be that people in engineering
> are used to a new tool appearing to solve their problems, and that they
> tend to not consider that they could use the old tool they had in a new
> way. You could also ask: why did it take so long for AJAX to be used?
> Henry
> [1] https://blogs.oracle.com/bblfish/entry/foaf_ssl_pki_and_the
> Social Web Architect
> http://bblfish.net/

(image/tiff attachment: PastedGraphic-1.tiff)

Received on Thursday, 27 September 2012 09:36:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:35 UTC