W3C home > Mailing lists > Public > public-webid@w3.org > September 2012

Re: Perceived issues with TLS Client Auth

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 28 Sep 2012 22:27:49 +0200
Message-ID: <CAKaEYhJG4rJsWY+RmUOaCjDmX=cRJxYjLKnoN9gZOCjW_X89CA@mail.gmail.com>
To: Ben Laurie <benl@google.com>
Cc: Henry Story <henry.story@bblfish.net>, public-webid <public-webid@w3.org>
On 27 September 2012 10:51, Ben Laurie <benl@google.com> wrote:

> On 26 September 2012 17:10, Henry Story <henry.story@bblfish.net> wrote:
> >
> > On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:
> >
> >> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net>
> wrote:
> >>> Here is how that would look if we were to  imagine a user (me) using
> Google+.
> >>>
> >>> One day I go to google plus on my desktop browser and Google Plus
> entices me to
> >>> "Use WebID and login securely across the web"
> >>> I click on that banner, and pronto, a certificate is created and
> transferred to
> >>> my browser. (ok perhaps you add an intermediate page with helpful
> explanations
> >>> and cool demos)
> >>>
> >>> Next I am walking down the street with my Android. Google+ is clever
> enough to notice that my android does not have a certificate - it does a
> TLS request for a client certificate, but receives none - and so asks me
> >>> "Hi Henry, get a WebID certificate for your phone too"
> >>> I click the banner and oops I have a certificate in Android.
> >>>
> >>> Once I have a certificate for a device, I can log into any web site
> that supports WebID in one click. I can also determine for any site how
> much information I wish to give that site about me - using access control
> on information at my profile. Someting we need to work on still.
> >>
> >> You seem to have missed out a step - how do these web sites know about
> >> my new WebID?
> >
> > In the scenario described I get my (personal) WebID from Google+ . If I
> were employed by the W3C I would then get a professional WebID by doing the
> same procedure on my W3C profile page.
> >
> > So I then go to say the WebSite of a friend of mine who has his personal
> web server, at a domain
> > joe.name . When I arrive on the front page of https://joe.name/ that
> site does not ask me to log in,
> > it gives me public information that joe is happy for anyone to know.
> Then perhaps I want to login, so I click
> > the login button, and this sets up a procedure described in the spec
> >
> >
> http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
> >
> > which starts with a TLS renegotiation and a request for the client
> certificate as explained in the TLS spec.
>
> How does joe.name know this certificate represents you?
>
> > If that results in no certificate a pop up can appear, and any number of
> other authentication systems can be proposed to the user.
> >
> >>
> >> Also, if I've been using WebID to log into google for some time, and
> >> my Android phone is new, how do I get logged into G+ in order for
> >> Google to notice that I do not have a cert?
> >
> > You use a password there for Google+ . Luckily you' only need one or two
> passwords, so those
> > could be really long and easy to remember - and also dead safe. I don't
> think I heard that anyone had trouble connecting to Google+ at present with
> any number of devices, even though people have to remember passwords to do
> so?
>
> People forget passwords all the time, even though they have to use
> them regularly. The problem gets much worse for passwords that are
> used rarely.
>
> > The issue we are trying to deal with is having to remember a password
> for all the other sites, and the duplication of information that comes with
> that, the lack of security this duplication brings, the centralisation of
> information that are the consequences of the difficulty of having all of
> the above be easy to use - and so the consequent loss of privacy. WebID
> solves the privacy problem, because it no longer requires centralisation of
> all information on one mega server, and it allows cross domain
> identification and cooperation. It helps create a Social Web, as opposed to
> a social network. (you will find more on that on my home page)
>
> I totally understand the goals, and I have no argument with them. My
> concerns are purely around usability. But apparently you don't want to
> hear that - you think you have a usable solution. So what's your
> explanation for lack of adoption?
>

What about users that wish to take their identity with them across multiple
sites, and are happy to reveal who they are on registration / login?

In this case you would have one certificate, which is generally what I do,
would you consider that a usable solution?
Received on Friday, 28 September 2012 20:28:17 UTC

This archive was generated by hypermail 2.3.1 : Sunday, 31 March 2013 14:41:00 UTC