W3C home > Mailing lists > Public > semantic-web@w3.org > March 2010

Re: call to arms

From: <henry.story@bblfish.net>
Date: Mon, 29 Mar 2010 22:00:25 -0700 (PDT)
Message-Id: <201003300500.o2U50PeI029930@rust.entic.net>
To: Semantic Web <semantic-web@w3.org>
CC: paoladimaio10@googlemail.com, Danny Ayers <danny.ayers@gmail.com>, Peter Ansell <ansell.peter@gmail.com>
> On 30 Mar 2010, at 01:52, Peter Ansell wrote:
>> 
>> On 30 March 2010 08:50, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>>
>> 2010/3/30 Paola Di Maio <paola.dimaio@gmail.com>
>>> Melvin
>>> 
>>> you provide a nice list, but I have the impression most people find it
>>> ..... not fun?
>>> 
>>> I think you can achieve most of what you say below with less complexity
>>> using more intuitive systems (say open ID)
>> 
>> Dont get me wrong I'm a big fan of OpenID, but it was the complexity of
>> OpenID that lead me to FOAF+SSL.  With openid you need a server that can
>> provide and verify your identity.  With FOAF+SSL you just need one click to
>> make your browser into your own identity provider.  FOAF also has the
>> wonderful side-effect that once you've got the ID, you've got all the
>> friends and other information there, for free.
>  
>  The idea of the technology sounds interesting, as long as users can
> securely login from anywhere in the world as they can now. Can't go
> back to the bad old days where logins were restricted to particular
> workstations.

That is the world we are living in now. Passwords are limited to particular
services. 60% of break ins and security breaches are due to passwords. In 
an interview Dan Kaminsky said last year:

[[
Kaminsky: DNSSEC is interesting not because it fixes DNS. DNSSEC is interesting
because it allows us to start addressing core problems we have on the Internet
in a systematic and scalable way. The reality is: Trust is not selling across
organizational boundaries. We have lots and lots systems that allow companies to
authenticate their own people, manage and monitor their own people and interact
with their own people. In a world where companies only deal with themselves,
that's great. We don't live in that world and we haven't for many years.

Q: How does DNSSEC help fix that?

Kaminsky: One of the fascinating elements of the Verizon Data Breach
Investigations Report is that if there was a hack, 40% of the time it was an
implementation flaw, and 60% of the time it was an authentication flaw --
something happened with authentication credentials and everything blew up. At
the end day, why do we use passwords? It's the only authentication technology
that we have that even remotely works across organizational boundaries, and the
only thing that scales today. Our existing ways of doing trust across
organizational boundaries don't work. Passwords are failures; certificates that
were supposed to replace passwords are not working -- period, end of discussion.

DNS has been doing cross-organizational address management for 25 years; it
works great. DNS is the world's largest PKI without the 'K.'All DNSSEC does is
add keys. It takes this system that scales wonderfully and has been a success
for 25 years, and says our trust problems are cross-organizational, and takes
best technology on the Internet for cross-organizational operations and gives it
trust. And if we do this right, we'll see every single company with new products
and services around the fact that there's one trusted root, and one trusted
delegating proven system doing security across organizational boundaries.
]] http://bit.ly/19P188

DNSSEC helps give us trust in DNS. 

Most important in the quote above is the importance of cross organisational
boundaries.

As you will see below Dan, in his critique of Certificates missed foaf+ssl

> 
> Overall though, Distributed identity isn't a killer application, as
> proven by OpenID, 

OpenId fails because 
  - it only does authentication (attribute exchange is very poor)
  - it still requires the user to type in a username ( URL )
  - it requires a 3rd service
  - implementation wise it is more complex than needed
  - It is not RESTful - so it does not play that well with linked data
   
Most importantly because it is not well architected it fails to play well
with linked data. That is it cannot tie into distributed social networks.

> and distributed social networking may not be as
> necessary as one might think, per the enormous popularity of *the*
> widely used social network, Facebook (outranking Google in terms of
> web traffic), especially given the demise of Google Wave, which was
> intended to be a distributed social network but failed miserably.

( Google Wave's distribution seems to me more of a marketing thing. )

Distributed social networks are extreemly important for businesses, 
for governments, armys, helath organisations, which are all social 
networks. They can't all be on Facebook.

> People like to keep different parts of their life separate, 

You can have any number of WebIds. I have
 - http://bblfish.net/#hjs
 - http://webid.myxwiki.org/xwiki/bin/view/XWiki/hjs

They don't need to be linked

> and may
> not appreciate that every website may be retrieving their identity
> without their knowledge. Privacy is non-existent if people don't have
> a chance to view, understand, and authorise privacy policies, and with
> FOAF, associates have no way of accepting the agreement themselves
> before their information is obtained by the server if it automatically
> decides to retrieve and store their personal information based on a
> link in a FOAF file. 

Good to hear you put this misconception so clearly in writing.
The point of foaf+ssl is that it makes access control possible. It is
designed exactly to solve the above problem: to allow some users to see
some part of your profile, and others to see others.

>For all its faults, Facebook is in a position to
> let users restrict where their personal information goes, where this
> authority won't be available in a distributed network.

Exactly what foaf+ssl permits. To make this clear we need enough people
with WebIds to allow them to see this.

> 
> There are still many questions overall though:
> 
> Does FOAF+SSL require users to stick to a particular computer? 

No. Try http://webid.myxwiki.org/ and get yourself a public key for
each browser on as many computers as you wish.

> Is it useful and safe for private use on public or company computers?

Yes. For public computers you can create yourself a time limited key.
Of course if you are going to use a public computer you are no longer serious
about security.

It could be made safe enough on company computers by giving people USB
sticks with their crypto card, and the private key on a read only 
partition as some European governments are starting to hand out to their
citizens.

> 
> My previous impressions of relying on user certificates is that they
> were just relying on users passwords on their personal computers to
> unlock their certificates to avoid using passwords on websites.

You can also put them on external devices, and if you wanted those could be
fingerprint protected.

> 
> How is it any more structurally safe to deploy your private key on a
> public or company computer in order to work with these services than
> to restrict logins to passwords that users do not have to deploy onto
> a computer other than to type it in?

People who use logins with passwords tend to use very similar ones on all
web sites they use. Many of those sites do not encrypt the communication
channel (FB for example) and are full of viruses (Myspace for example)
One of those sites needs to be compromised and the user looses his password.

Username/passwords do not tie together global identities, so they are not much
use for having cross organisational networks. Most of the people do not work
at your company!

> 
> Would it require users to personally carry their private key around?

Not necessarily. They could have one for each computer. Try the myxwiki
example.

> What happens if they lose their private key? Locked out permanently?

No they can go to their web server and change their private key.
If they keep their web server in their basement that should be easy.

> Will users need more than one private key if the technology is widely
> used? How does one retract permission for a private key if it is
> compromised? 

You remove the public key from your foaf file.
That can be a one click operation with a clever web server, 
or you could do it with vi by editing an html file.

>If companies require users to regularly rotate their
> private key as they do with passwords if FOAF+SSL becomes popular with
> companies, will this destroy the whole system?

No, see above.
Certificates have expiration dates.

> 
> For all of the complexity of OpenID at least it allows users to choose
> how they are going to authenticate with their identity provider, and
> hence does not require them to know about all of the security issues
> around the use of a private key if the identity provider does not
> require them to know that.

Openid has security problems too. I wonder if that's related?
Public key crypto is the only seure method known.

But it is not that difficult to use. 
> 
> Are private keys are going to be stored on a server somewhere to avoid
> the issue of having users manage their certificates as they are never
> going to be widely trained in the protocols of how to do this anyway.

Try http://webid.myxwiki.org/ - you will see how easy it is to create a
private/public key pair. Clicking a Google Search button could be 
more difficult. Don't see Google having trouble with training the millions
of people using them every second.

> If that is the case then why do we need to depart from OpenID as the
> currently known, if not highly used, method of distributed
> authentication? 

Foaf+ssl and openid fit together like a glove. Go to http://webid.myxwiki.org/
By creating yourself a public key you get an OpenId for free.

> How do users authenticate with the place that the
> certificate is stored when they want to retrieve it? Passwords? Ie,
> the insecure method that FOAF+SSL is trying to remove?

There may be only one place you may need passwords on, and that is your
own server. But you could have that send you a one time password via your
phone. Or you could restrict access in other ways.

> 
> Not sure if the answers to these questions are widely known but I
> haven't been able to answer conclusively them looking through the few
> documents that relate to this very new technology.

I think we should add this email to the FAQ list. :-) I get asked exactly
those questions every time I talk. Which is making me think that Plato was
right: the world of ideas is real, as real as the physical world, and to
get from A to B in a particular geography one has to follow a certain path.
Everybody follows the path you have just followed....

> 
> Cheers,
> 
> Peter
> 
> 
Received on Tuesday, 30 March 2010 05:01:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 07:42:18 UTC