
Re: Feds tell Web firms to turn over user account passwords

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Fri, 26 Jul 2013 11:37:24 -0400
Message-ID: <51F297B4.1020103@openlinksw.com>
To: public-fedsocweb@w3.org, "public-rww@w3.org" <public-rww@w3.org>
On 7/26/13 10:35 AM, Melvin Carvalho wrote:
> On 26 July 2013 15:13, Sandro Hawke <sandro@w3.org> wrote:
>     [dropping crossposting lists]
>     On 07/26/2013 08:20 AM, Kingsley Idehen wrote:
>         On 7/26/13 5:17 AM, Melvin Carvalho wrote:
>             http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/
>         Yep!
>         In a centralized system, a Govt. can simply request (or
>         covertly demand) keys, passwords, and salt used for hashing.
>         In a decentralized and distributed system they will have to
>         ultimately follow due process for accessing private property
>         such as:
>         1. private keys
>         2. passwords
>         3. anything else.
>         The problem is that myopic Web 2.0 patterns have created one
>         hell of a privacy mess, for all the wrong reasons. This isn't
>         what the World Wide Web was supposed to be delivering, far
>         from it.
>         Anyway, the net effect of all of this will be that Web 2.0
>         patterns will now be seen for what they are i.e., utter
>         rubbish that's completely clueless when dealing with privacy
>         and security matters.
>     I've said things a lot like this over the years, and I'm 100% in
>     favor of decentralizing, but I'm no longer confident it'll reduce
>     government access to personal data.   Yes, going from a handful of
>     service providers to millions would make the job of obtaining keys
>     harder, but I don't think it would make it much harder, not
>     technically.   It would make it harder to keep secret, it's true.
>     But now that this stuff isn't even plausibly deniable any more,
>     the lawmakers basically have to decide whether to give the NSA the
>     keys to everything or not. If they decide to, then they can just
>     demand that every Internet connected system have an NSA-approved
>     back door.    Okay, that might be going a bit far, but I'm sure
>     folks will be pushing for that, and we'll probably settle on a
>     compromise that multiuser and/or commercial systems get a
>     backdoor.   And then when you let your kids use your phone, does
>     it qualify as a multiuser system?


I see a network in which symmetric and asymmetric keys are integral 
parts of the system. I don't see a world in which a Web 2.0 (SaaS 
deployment model) vendor tells me "your data is encrypted" while also 
implying "but we hold on to the symmetric key for you".

It is possible to have a system whereby all the key-related activity 
occurs on the client, which enables exploitation of ACLs and Data Access 
policies when it comes to symmetric key distribution and access.

We are nearly done with what I've described, so expect live demos soon :-)

> What if we put the service provider inside the browser?


You just need the crypto data objects to be produced on the client (this 
could be invoked via the browser e.g., keygen re., asymmetric keypair 
generation part of the workflow) and persisted in client side storage 
(not inside the browser, but at the OS level).

>          -- Sandro



Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Friday, 26 July 2013 15:37:48 UTC
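
The message above describes keeping all key activity on the client and letting an ACL decide who receives the symmetric key. The sketch below is an added example, not part of the original message and not OpenLink's code: it uses Node's `crypto` module to stand in for the client, and the function names and the reader ids in the ACL are assumptions made for illustration.

```javascript
// Added example: client-side envelope encryption with ACL-driven key wrapping.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: each user generates an asymmetric keypair locally; only the
// public half is ever published.
function newClientKeypair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Client side: encrypt `plaintext` under a fresh symmetric key, then wrap that
// key once per ACL entry. `acl` maps a reader id (constructed) to a public key.
function sealForAcl(plaintext, acl) {
  const dek = crypto.randomBytes(32);   // AES-256 data key, never leaves the client unwrapped
  const iv = crypto.randomBytes(12);    // 96-bit GCM nonce, unique per message
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKeys = {};
  for (const [reader, publicKey] of Object.entries(acl)) {
    wrappedKeys[reader] = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
  }
  // This object is everything the storage provider receives: no plaintext,
  // no unwrapped symmetric key, no private keys.
  return { iv, ciphertext, tag, wrappedKeys };
}

// Client side: a reader unwraps their own copy of the data key and decrypts.
function openAs(reader, privateKey, stored) {
  const wrapped = stored.wrappedKeys[reader];
  if (!wrapped) throw new Error(`no key wrapped for ${reader}`);
  const dek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, stored.iv);
  decipher.setAuthTag(stored.tag);      // GCM rejects tampered ciphertext in final()
  return Buffer.concat([decipher.update(stored.ciphertext), decipher.final()]).toString('utf8');
}
```

A provider holding only the returned object has nothing to hand over except ciphertext and per-reader wrapped keys; granting a new reader access means wrapping the data key to their public key on a client that can already unwrap it.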
