- From: Harry Halpin <hhalpin@w3.org>
- Date: Tue, 25 Oct 2011 21:17:09 +0100 (BST)
- To: "Henry Story" <henry.story@bblfish.net>
- Cc: "Harry Halpin" <hhalpin@w3.org>, "Dan Brickley" <danbri@danbri.org>, public-identity@w3.org, "Ben Adida" <ben@adida.net>, "Tim Berners-Lee" <timbl@w3.org>
> > On 25 Oct 2011, at 21:27, Harry Halpin wrote: > >> While I of course believe in open standards and privacy, and thus >> personally believe there are some good ideas into looking at a >> Web-of-trust model as opposed to CAs for certs in WebID (and thus am >> serious about a second workshop focussed on certificates), WebID was not >> viewed as very convincing by the vast majority of attendees at the >> workshop and there were serious security concerns raised by Brad Hill. > > you keep saying that Harry, but I don't think I know of these security > concerns. Are these concerns that can be aired in the open, or are they > the type of security concerns that cannot be discussed? If they can be > discussed then I propose a todo list: write each one of them out one by > one in a way that can be falsified in a Popperian manner. We can then > work out what these issues are, and see how we can respond to them. > > Criticism of the WebID protocol need to be laid out carefully given that > it is based on the widely deployed TLS standard, which has had a huge > amount of review. If WebID risks falling prey to criticism, then doing > javascript APIs and certificate signing in JavaScript, is bound to lead to > way way bigger issues, and is therefore going to have to undergo massive > review. I suggest that you re-open the thread with Brad and I'll also chime in with a review of WebID on your list. Off the top of my head in a personal capacity, I'm pretty sure the dependency on RDFa, URIs in client certs, and etc. need to be rethought as is the basic premise as I have emailed before to your list I'm pretty sure, and folks like Brad (and the large majority of the workshop attendees) found doing an async HTTP GET out in order to complete a TLS handshake and requiring TLS to be a non-starter. Again, discussion of WebID protocol specifics is off-topic unless it directly related to proposed modifications of the charter, including those that you feel could help your effort. Also, as regards TLS, please note issues with the X.509 infrastructure and ASN format in this link [1], and of course latest issues with TLS 1.0. Given the scoping of these issues and their current relationship to the CA system, I think a separate workshop done in co-operation with relevant bodies like the CA/Browser Forum or ISOC would be great. > > >> As WebID is still emerging work, I suggest strongly that it stay in >> another >> XG, CG, or WG and that we co-ordinate as needed as WebID matures. > > I think we should coordinate now as these evolve. This is a consequence of > your calling the other group the Web Identity group. I'm open to changing the name of the Working Group and splitting the group into two or more working groups. I'd want concrete suggestions for names and divisions. However, it's easier managing one group than multiple if they are closely related enough and involve many of the same people. > >> I do >> think that the Javascript APIs that this WG is aiming at could benefit >> WebID, as well as many other identity efforts like OpenID Connect and >> BrowserID. > > Very possibly: but then perhaps call the group the Crypto API WG. > > As for the profile documents if W3C process were to lead to a widely > adopted profile format, that would of course also be welcome to WebID and > beyond in fact. It is quite easy to see how such a profile could even make > certificate dialog boxes a lot more friendly: by for example using the > info in the profile to fill the certificate selection box, with a photo or > such information... That won't of course affect the WebID protocol, but it > clearly would make the end user experience better. New profile documents I'm pretty sure would be out of scope, although I could see this work compatible with widely deployed work. [1] http://www.ioactive.com/pdfs/PKILayerCake.pdf > >> In fact, the only identity effort that was viewed as a widescale >> deployment success by our membership at the workshop was SAML. > > Perhaps there is a way of doing SAML with WebID. I think there was work in > Manchester along those lines. > > Henry > > Social Web Architect > http://bblfish.net/ > > >
Received on Tuesday, 25 October 2011 20:28:49 UTC