- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Thu, 08 Aug 2013 09:09:32 -0400
- To: Andrei Sambra <andrei.sambra@gmail.com>
- CC: public-lod <public-lod@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
- Message-ID: <5203988C.5060402@openlinksw.com>
On 8/8/13 7:22 AM, Andrei Sambra wrote: > On Wed, Aug 7, 2013 at 7:34 PM, Nick Jennings <nick@silverbucket.net > <mailto:nick@silverbucket.net>> wrote: > > Hi Kingsley, > > Thanks for the links. Trying out the first link > (http://youid.openlinksw.com/) now, some notes: > 2. With firefox, after filling out the form, I get a download > dialogue for the cert instead of it installing into the browser. > So I saved, then went into preferences and "import" ... which was > successful with "Successfully restored your security > certificate(s) and private key(s)". Previously, with my-profile.eu > <http://my-profile.eu>, this was automatically installed into the > browser (I was using Chrome then). Though I guess it's better to > have it export/save by default so you can install the same cert on > any number of browsers without hassle. Still, it creates more > steps and could be confusing for new users. > > > Downloading the cert means that it was generated on the server side, > thus the server has knowledge of your private key -> BAD. Using the > HTML5 <KEYGEN> element is always preferred in this case, which is > currently the case for my-profile.eu <http://my-profile.eu> and rww.io > <http://rww.io>. Re., what you assume is BAD: You have a tradeoff, store to pkcs#12 or to browser. We default to saving pkcs#12 while <keygen/> is an option too. Remember, privacy is about *self-calibration* of one's vulnerabilities, so we prefer to provide options to app/service users rather than mandating a single option. Remember, WebID+TLS is not basic PKI meaning: we have a composite of items that challenge compromise feasibility: 1. keypairs 2. agent identity 3. entity relationship semantics. Take any of the items above out of the composite and the WebID+TLS authentication challenge fails. In the context of Webby-PKI (which is what WebID+TLS is about), the private key doesn't have the *pivotal role* it had re. basic PKI. Also note, pkcs#12 files (re. YouID) are actually generated on the mobile device (iPhone for now with Android arriving any second). It is no different to generating a certificate using Keychain on Mac OS X [1]. Links: 1. http://bit.ly/SuMWP4 -- creating an X.509 certificate bearing a WebID (HTTP URI that denotes an Agent) using Mac OS X Keycain (which Apple forgot to port ot iOS) . -- Regards, Kingsley Idehen Founder & CEO OpenLink Software Company Web: http://www.openlinksw.com Personal Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca handle: @kidehen Google+ Profile: https://plus.google.com/112399767740508618350/about LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Thursday, 8 August 2013 13:09:58 UTC