- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 10 Jun 2014 00:25:39 -0400
- To: Web Payments CG <public-webpayments@w3.org>
TL;DR: There is now an open source demo of credential-based login
for the Web. We think it’s better than Persona, WebID+TLS, and
OpenID Connect. If we can build enough support for Identity
Credentials over the next year, we’d like to standardize it via
the W3C.
This is a text-only version of the original blog post, which can be
found here:
http://manu.sporny.org/2014/identity-credentials/
Identity Credentials and Web Login
In a [1]previous blog post, I outlined the need for a better login
solution for the Web and why Mozilla Persona, WebID+TLS, and
OpenID Connect currently don’t address important use cases that
we’re considering in the Web Payments Community Group. The blog
post contained a proposal for a new login mechanism for the Web
that was simultaneously more decentralized, more extensible,
enabled a level playing field, and was more privacy-aware than the
previously mentioned solutions.
In the private conversations we have had with companies large and
small, the proposal was met with a healthy dose of skepticism and
excitement. There was enough excitement generated to push us to
build a proof-of-concept of the technology. We are releasing this
proof-of-concept to the Web today so that other technologists can
take a look at it. It’s by no means done, there are plenty of bugs
and security issues that we plan to fix in the next several weeks,
but the core of the idea is there and you can try it out.
The Demo
The demonstration that we’re releasing today is a proof-of-concept
asserting that we can have a unified, secure identity and login
solution for the Web. The technology is capable of storing and
transmitting your identity credentials (email address, payment
processor, shipping address, driver’s license, passport, etc.)
while also protecting your privacy from those that would want to
track and sell your online browsing behavior. It is in the same
realm of technology as Mozilla Persona, WebID+TLS, and OpenID
Connect. Benefits of using this technology include:
* Solving the [2]NASCAR login problem in a way that greatly
increases identity provider competition.
* Removing the need for usernames and passwords when logging
into 99.99% of the websites that you use today.
* Auto-filling information that you have to repeat over and over
again (shipping address, name, email, etc.).
* Solving the NASCAR payments problem in a way that greatly
increases payment processor competition.
* Storage and transmission of credentials, such as email
addresses, driver’s licenses, and digital passports, via the
Web that cryptographically prove that you are who you say you
are.
The demonstration is based on the [3]Identity Credentials
technology being developed by the [4]Web Payments Community Group
at the [5]World Wide Web Consortium. It consists of an ecosystem
of four example websites. The purpose of each website is explained
below:
Identity Provider (identus.org)
The Identity Provider stores your identity document and any
information about you including any credentials that other sites
may issue to you. This site is used to accomplish several things
during the demo:
* Create an identity.
* Register your identity with the Login Hub.
* Generate a verified email credential and store it in your
identity.
Login Hub (login-hub.com)
This site helps other websites discover your identity provider in
a way that protects your privacy from both the website you’re
logging into as well as your identity provider. Eventually the
functionality of this website will be implemented directly in
browsers, but until that happens, it is used to bootstrap the
discovery of and login/credential transmission process for the
identity provider. This site is used to do the following things
during the demo:
* Register your identity, creating an association between your
identity provider and the email address and passphrase you use
on the login hub.
* Login to a website.
Credential Issuer (credential.club)
This site is responsible for verifying information about you like
your home address, driver’s license, and passport information.
Once the site has verified some information about you, it can
issue a credential to you. For the purposes of the demonstration,
all verifications are simulated and you will immediately be given
a credential when you ask for one. All credentials are digitally
signed by the issuer which means their validity can be proven
without the need to contact the issuer (or be online). This site
is used to do the following things during the demo:
* Login using an email credential.
* Issue other credentials to yourself like a business address,
proof of age, driver’s license, and digital passport.
Single Sign-On Demo
The single sign-on website, while not implemented yet, will be
used to demonstrate the simplicity of credential-based login. The
sign-on process requires you to click a login button, enter your
email and passphrase on the Login Hub, and then verify that you
would like to transmit the requested credential to the single
sign-on website. This website will allow you to do the following
in a future demo:
* Present various credentials to log in.
How it Works
The demo is split into four distinct parts. Each part will be
explained in detail in the rest of this post. Before you try the
demo, it is important that you understand that this is a
proof-of-concept. The demo is pretty easy to break because we
haven’t spent any time polishing it. It’ll be useful for
technologists that understand how the Web works. It has only been
tested in Google Chrome, versions 31 – 35. There are glaring
security issues with the demo that have solutions which have not
been implemented yet due to time constraints. We wanted to publish
our work as quickly as possible so others could critique it early
rather than sitting on it until it was “done”. With those caveats
clearly stated up front, let’s dive in to the demo.
Creating an Identity
The first part of the demo requires you to [6]create an identity
for yourself. Do so by clicking the link in the previous sentence.
Your short name can be something simple like your first name or a
handle you use online. The passphrase should be something long and
memorable that is specific to you. When you click the Create
button, you will be redirected to your new identity page.
Note the text displayed in the middle of the screen. This is your
raw identity data in [7]JSON-LD format. It is a machine-readable
representation of your credentials. There are only three pieces of
information in it in the beginning. The first is the JSON-LD
@context value, https://w3id.org/identity/v1, which tells machines
how to interpret the information in the document. The second is
the id value, which is the location of this particular identity on
the Web. The third is the sysPasswordHash, which is just a bcrypt
hash of your login password to the identity website.
Global Web Login Network
Now that you have an identity, you need to register it with the
global Web login network. The purpose of this network is to help
map your preferred email address to your identity provider. Keep
in mind that in the future, the piece of software that will do
this mapping will be your web browser. However, until this
technology is built into the browser, we will need to bootstrap
the email to identity document mapping in another way.
The way that both Mozilla Persona and OpenID do it is fairly
similar. OpenID assumes that your email address maps to your
identity provider. So, an OpenID login name of joe@gmail.com
assumes that gmail.com is your identity provider. Mozilla Persona
went a step further by saying that if gmail.com wouldn’t vouch for
your email address, that they would. So Persona would first check
to see if gmail.com spoke the Persona protocol, and if it didn’t,
the burden of validating the email address would fall back to
Mozilla. This approach put Mozilla in the unenviable position of
running a lot of infrastructure to make sure this entire system
stayed up and running.
The Identity Credentials solution goes a step further than Mozilla
Persona and states that you are the one that decides which
identity provider your email address maps to. So, if you have an
email address like bob@gmail.com, you can use yahoo.com as your
identity provider. You can probably imagine that this makes the
large identity providers nervous because it means that they’re now
going to have to compete for your business. You have the choice of
who is going to be your identity provider regardless of what your
email address is.
So, let’s register your new identity on the global web login
network. Click the text on the screen that says “Click here to
register”. That will take you to a site called login-hub.com. This
website serves two purposes. The first is to map your preferred
email address to your identity provider. The second is to protect
your privacy as you send information from your identity provider
and send it to other websites on the Internet (more on this
later).
You should be presented with a screen that asks you for three
pieces of information. Your preferred email address, a passphrase,
and a verification of that passphrase. When you enter this
information, it will be used to do a number of things. The first
thing that will happen is that a public/private keypair will be
generated for the device that you’re using (your web browser, for
instance). This key will be used as a second factor of
authentication in later steps in this process. The second thing
that will happen is that your email address and passphrase will be
used to generate a query token, which will be later used to query
the decentralized [8]Telehash-based identity network. The third
thing that will happen is that your query token to identity
document mapping will be encrypted and placed onto the Telehash
network.
The Decentralized Database (Telehash)
We could spend an entire blog post itself on Telehash, but the
important thing to understand about it is that it provides a
mechanism to store data in a decentralized database and query that
database at a later time for the data. By storing this query token
and query response in the decentralized database, it allows us to
find your identity provider mapping regardless of which device
you’re using to access the Web and independent of who your email
provider is.
In fact, note that I said that you use your “preferred email
address” above? It doesn’t need to be an email address, it could
be a simple string like “Bob” and a unique passphrase. Even though
there are many “Bob”s in the world, the likelyhood that they’d use
the same 20+ character passphrase is unlikely and therefore one
could use just a first name and a complex passphrase. That said,
we’re suggesting that most non-technical people use a preferred
email address because most people won’t understand the dangers of
SHA-256 collisions on username+passphrase combinations like
sha256(“Bob” + “password”). In addition to this aside, the
decentralized database solution doesn’t need to be Telehash. It
could just as easily be a decentralized ledger like Namecoin or
Ripple.
Once you have filled out your preferred email address and
passphrase, click the Register button. You will be sent back to
your identity provider and will see two new pieces of information.
The first piece of information is sysIdpMapping, which is the
decentralized database query token (query) and
passphrase-encrypted mapping (queryResponse). The second piece of
information is sysDeviceKeys, which is the public key associated
with the device that you registered your identity through and
which will be used as a second factor of authentication in later
versions of the demo. The third piece of information is
sysRegistered, which is an indicator that the identity has been
registered with the decentralized database.
Acquiring an Email Credential
At this point, you can’t really do much with your identity since
it doesn’t have any useful credential information associated with
it. So, the next step is to put something useful into your
identity. When you create an account on most websites, the first
thing the website asks you for is an email address. It uses this
email address to communicate with you. The website will typically
verify that it can send and receive an email to that address
before fully activating your account. You typically have to go
through this process over and over again, once for each new site
that you join. It would be nice if an identity solution designed
for the Web would take care of this email registration process for
you. For those of you familiar with Mozilla Persona, this approach
should sound very familiar to you.
The Identity Credentials technology is a bit different from
Mozilla Persona in that it enables a larger number of
organizations to verify your email address than just your email
provider or Mozilla. In fact, we see a future where there could be
tens, if not hundreds, of organizations that could provide email
verification. For the purposes of the demo, the Identity Provider
will provide a “simulated verification” (aka fake) of your email
address. To get this credential, click on the text that says
“Click here to get one”.
You will be presented with a single input field for your email
address. Any email address will do, but you may want to use the
preferred one you entered earlier. Once you have entered your
email address, click “Issue Email Credential”. You will be sent
back to your identity page and you should see your first
credential listed in your JSON-LD identity document beside the
credential key. Let’s take a closer look at what constitutes a
credential in the system.
The EmailCredential is a statement that a 3rd party has done an
email verification on your account. Any credential that conforms
to the Identity Credentials specification is composed of a set of
claims and a signature value. The claims tie the information that
the 3rd party is asserting, such as an email address, to the
identity. The signature is composed of a number of fields that can
be used to cryptographically prove that only the issuer of the
credential was capable of issuing this specific credential. The
details of how the signature is constructed can be found in the
[9]Secure Messaging specification.
Now that you have an email credential, you can use it to log into
a website. The next demonstration will use the email credential to
log into a credential issuer website.
Credential-based Login
Most websites will only require an email credential to log in.
There are other sites, such as ecommerce sites or high-security
websites, that will require a few more credentials to successfully
log in or use their services. For example, a ecommerce site might
require your payment processor and shipping address to send you
the goods you purchased. A website that sells local wines might
request that you provide a credential proving that you are above
the required drinking age in your locality. A travel website might
request your digital passport to ease your security clearing
process if you are traveling internationally. There are many more
types of speciality credentials that one may issue and use via the
Identity Credentials technology. The next demo will entail issuing
some of these credentials to yourself. However, before we do that,
we have to login to the credential issuer website using our newly
acquired email credential.
Go to the [10]credential.club website and click on the “Login”
button. This will immediately send you to the login hub website
where you had previously registered your identity. The request
sent to the login hub by credential.club will effectively be a
request for your email credential. Once you’re on login-hub.com,
enter your preferred email address and passphrase and then click
“Login”.
While you were entering your email address and passphrase, the
login-hub.com page connected to the Telehash network and readied
itself to send a query. When you click “Login”, your email address
and passphrase are SHA-256′d and sent as a query to the Telehash
network. Your identity provider will receive the request and
respond to the query with an encrypted message that will then be
decrypted using your passphrase. The contents of that message will
tell the login hub where your identity provider is holding your
identity. The request for the email credential is then forwarded
to your identity provider. Note that at this point your identity
provider has no idea where the request for your email credential
is coming from because it is masked by the login hub website. This
masking process protects your privacy.
Once the request for your email credential is received by your
identity provider, a response is packaged up and sent back to
login-hub.com, which then relays that information back to
credential.club. Once credential.club recieves your email
credential, it will log you into the website. Note at this point
that you didn’t have to enter a single password on the
credential.club website, all you needed was an email credential to
log in. Now that you have logged in, you can start issuing
additional credentials to yourself.
Issuing Additional Credentials
The previous section introduced the notion that you can issue many
different types of credentials. Once you have logged into the
credential.club website, you may now issue a few of these
credentials to yourself. Since this is a demonstration, no attempt
will be made to verify those credentials by a 3rd party. The
credentials that you can issue to yourself include a business
address, proof of age, payment processor, driver’s license, and
passport. You many specify any information that you’d like to
specify in the input fields to see how the credential would look
if it held real data.
Once you have filled out the various fields, click the blue button
to issue the credential. The credential will be digitally signed
and sent to your identity provider, which will then show you the
credential that was issued to you. You have a choice to accept or
reject the credential. If you accept the credential, it is written
to your identity.
You may repeat this process as many times as you would like. Note
that on the passport credential how there is an issued on date as
well as an expiration date to demonstrate that credentials can
have a time limit associated with them.
Known Issues
As mentioned throughout this post, this demonstration has a number
of shortcomings and areas that need improvement, among them are:
* Due to a lack of time, we didn’t setup our own HTTPS Telehash
seed. Since we didn’t setup the HTTPS Telehash seed, we
couldn’t run login-hub.com secured by TLS due to security
settings in most web browsers related to WebSocket
connections. Not using TLS results in a gigantic
man-in-the-middle attack possibility. A future version will,
of course, use both TLS and HSTS on the login-hub.com website.
* The Telehash query/response database isn’t decentralized yet.
There are a number of complexities associated with creating a
decentralized storage/query network, and we haven’t decided on
what the proper approach should be. There is no reason why the
decentralized database couldn’t be NameCoin or Ripple-based,
and it would probably be good if we had multiple backend
databases that supported the same query/response protocol.
* We don’t check digital signatures yet, but will soon. We were
focused on the flow of data first and ensuring security
parameters were correct second. Clearly, you would never want
to run such a system in production, but we will improve it
such that all digital signatures are verified.
* We do not use the public/private keypair generated in the
browser to limit the domain and validity length of credentials
yet. When the system is productionized, implementing this will
be a requirement and will protect you even if your credentials
are stolen through a phishing attack on login-hub.com.
* We expect there to be many more security vulnerabilities that
we haven’t detected yet. That said, we do believe that there
are no major design flaws in the system and are releasing the
proof-of-concept, along with [11]source code, to the general
public for feedback.
Feedback and Future Work
If you have any questions or concerns about this particular demo,
please leave them as comments on this blog post or send them as
comments to the [12]public-web-payments@w3.org mailing list.
Just as you logged in to the credential.club website using your
email credential, you may also use other credentials such as your
driver’s license or passport to log in to websites. Future work on
this demo will add functionality to demonstrate the use of other
forms of credentials to perform logins while also addressing the
security issues outlined in the previous section.
References
1. http://manu.sporny.org/2014/credential-based-login/
2. http://indiewebcamp.com/NASCAR_problem
3. http://manu.sporny.org/2014/credential-based-login/
4. https://web-payments.org/
5. http://www.w3.org/Consortium/
6. https://identus.org/create
7. https://www.youtube.com/watch?v=vioCbTo3C-4
8. http://telehash.org/
9. https://web-payments.org/specs/source/secure-messaging/
10. https://credential.club/
11. https://github.com/digitalbazaar/opencred-idp
12. http://lists.w3.org/Archives/Public/public-webpayments/
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Identity Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/
Received on Tuesday, 10 June 2014 04:24:24 UTC