Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo from Kingsley Idehen on 2013-08-08 (public-lod@w3.org from August 2013)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Thu, 08 Aug 2013 09:09:32 -0400
To: Andrei Sambra <andrei.sambra@gmail.com>
CC: public-lod <public-lod@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
Message-ID: <5203988C.5060402@openlinksw.com>

On 8/8/13 7:22 AM, Andrei Sambra wrote:
> On Wed, Aug 7, 2013 at 7:34 PM, Nick Jennings <nick@silverbucket.net 
> <mailto:nick@silverbucket.net>> wrote:
>
>     Hi Kingsley,
>
>      Thanks for the links. Trying out the first link
>     (http://youid.openlinksw.com/) now, some notes:
>     2. With firefox, after filling out the form, I get a download
>     dialogue for the cert instead of it installing into the browser.
>     So I saved, then went into preferences and "import" ... which was
>     successful with "Successfully restored your security
>     certificate(s) and private key(s)". Previously, with my-profile.eu
>     <http://my-profile.eu>, this was automatically installed into the
>     browser (I was using Chrome then). Though I guess it's better to
>     have it export/save by default so you can install the same cert on
>     any number of browsers without hassle. Still, it creates more
>     steps and could be confusing for new users.
>
>
> Downloading the cert means that it was generated on the server side, 
> thus the server has knowledge of your private key -> BAD. Using the 
> HTML5 <KEYGEN> element is always preferred in this case, which is 
> currently the case for my-profile.eu <http://my-profile.eu> and rww.io 
> <http://rww.io>.
Re., what you assume is BAD:

You have a tradeoff, store to pkcs#12 or to browser.

We default to saving pkcs#12 while <keygen/> is an option too. Remember, 
privacy is about *self-calibration* of one's vulnerabilities, so we 
prefer to provide options to app/service users rather than mandating a 
single option.

Remember, WebID+TLS is not basic PKI meaning: we have a composite of 
items that challenge compromise feasibility:

1. keypairs
2. agent identity
3. entity relationship semantics.

Take any of the items above out of the composite and the WebID+TLS 
authentication challenge fails. In the context of Webby-PKI (which is 
what  WebID+TLS is about), the private key doesn't have the *pivotal 
role* it had re. basic PKI.

Also note, pkcs#12 files (re. YouID) are actually generated on the 
mobile device (iPhone for now with Android arriving any second). It is 
no different to generating a certificate using Keychain on Mac OS X [1].

Links:

1. http://bit.ly/SuMWP4 -- creating an X.509 certificate bearing a WebID 
(HTTP URI that denotes an Agent) using Mac OS X Keycain (which Apple 
forgot to port ot iOS) .

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Thursday, 8 August 2013 13:09:59 UTC