
Re: Logging out from Facebook

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 30 Sep 2011 11:07:45 +0200
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <8BB9823B-11F7-4CD3-9743-BC789912249E@bblfish.net>
To: Paul Libbrecht <paul@hoplahup.net>

On 30 Sep 2011, at 10:48, Paul Libbrecht wrote:

> 
> On 30 Sep 2011, at 10:14, Henry Story wrote:
> 
>>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>>> 
>>> - go back to the site's home (the user can always go back if he wishes)
>>> - remove cookies for that domain and any transcluded resources' domains
>>> - remove local storage for the same (JS, flash, ....)
>>> - remove stored etags
>>> - remove or at least slightly modify cached entities last-modification dates
>>> - close all connections
>> 
>> You forgot: do not send that host your client certificates anymore.  (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)
> 
> I personally find this so special that I do not think it is worth mentioning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host... 

Our work at the WebID XG ( http://webid.info ) shows that this is not the case. There is a short video on that page that shows the following:
 
 - creating a certificate is easy - it can be as easy as clicking one button: "install certificate"  when going to a web site
 - a certificate can be used across sites:  WebID is enabling the creation of a distributed secure social web 

So given that, I could use one certificate when connecting to any number of sites - say all my friends' sites - saving me the trouble of creating a user name and profile at each one of those places, and allowing those sites to tie into my profile on say my FreedomBox [1], where I can use access control to allow them more or less access to my information.

In that scenario client side certificates will suddenly become immensely useful, and I would certainly like it to be easy to logout of client side SSL too.

But even if you don't buy into the social web vision, it is still a problem that a site could easily get me to use a client side certificate to log in, and that later it could find it impossible to stop my browser from sending it. That's a problem for the site as well as for the user. It is easy to solve,  as the prototype by Aza Raskin showed a few years ago. As it happens that solution also solves the cookie issue, which is not surprising: we are dealing with the same problem: user control of his persona.


    Henry

> 
> My gut feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).
> 
> paul


[1] http://www.cbsnews.com/video/watch/?id=7358702n

Social Web Architect
http://bblfish.net/
Received on Friday, 30 September 2011 09:08:30 GMT
