Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

Thanks Ben for the detailed questions,

   [ continuation of a conversation that got to be a bit off topic on the DANE mailing list, as it was mostly about WebID ]

  so first we still have some progress to make with our demos,

  I am just ccing Andrei, because Ben ( http://research.google.com/pubs/author9639.html ) - has found a bug in https://my-profile.eu/ . (see below) My guess is that Ben logged in with a certificate that is not WebID enabled. So that's a good extra test case to add. Of course for people like Ben, the failure of having a Logout button on chrome is going to add to that inconvenience - because having logged in with a certificate that may not be signed by a CA my-profile.eu knows about, he won't be able to change his certificate later after having made a new one.

 This could be fixed with 
    http://code.google.com/p/chromium/issues/detail?id=29784
 or more simply with 
    http://code.google.com/p/chromium/issues/detail?id=90676

  but the last issue was closed abruptly, and the first issue is progressing so slowly hell will have time to freeze over before its done.

Ben if you have more feedback like that joining the WebID Community group would be great.
     http://www.w3.org/community/webid/
we are progressing very slowly now, and looking for feedback from people with real implementations. I'll be at TPAC http://www.w3.org/2012/10/TPAC/ and the WebID group will be meeting there with RWW and Social Web groups on Monday and Tuesday.

So to answer in more detail your questions below,

On 25 Sep 2012, at 19:47, Ben Laurie <benl@google.com> wrote:

> [offlist, because it really is nothing to do with DANE]
> 
> On 25 September 2012 17:32, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 25 Sep 2012, at 18:12, Ben Laurie <benl@google.com> wrote:
>> 
>>> On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net> wrote:
>>>> 
>>>> On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:
>>>> 
>>>>> On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>>>>>> [snip, a somewhat flaming conversation]
>>>>>> Anyway, the webid spec
>>>>>> 
>>>>>>  http://www.w3.org/2005/Incubator/webid/spec/
>>>>>> 
>>>>>> also is very clearly tied to TLS, and would benefit a lot from DANE being deployed. So my interest in DANE is not a side issue. The strongest pushback against WebID ( and so using client certificates ) is the cost of server certificates for most players.
>>>>> 
>>>>> You mean people who aren't using HTTPS to secure logins care about WebID?
>>>> 
>>>> People who are not using HTTPS to secure logins won't have very secure logins (even passwords require protection). I am speaking about pushback from people who are serious about security (not counting the TOR type super security folks - but I will show that WebID works there too).
>>>> 
>>>>> 
>>>>>> ( the next strongest is the inability to logout from all but Firefox browsers )
>>>>> 
>>>>> Am I really the only one who cares about usability?
>>>> 
>>>> Firefox usability (of client certs) sucks. All the others are pretty good, and could easily be made better by a little work from the browser vendors. I demonstrate that very clearly in the video on http://webid.info/ . Now why browser vendors like Firefox don't do the few weeks work to get useability working is beyond me. I think it is partly because they don't understand how useable they could make client certificates with WebID.
>>> 
>>> Sigh. Why do I have to go over this every time?
>> 
>> I really don't know. I keep answering your questions precisely. Perhaps you are asking them rhetorically to help me the difficult bits to new audiences? :-)
>> 
>>> Usability in the
>>> browser is only part of the problem, the rest are things like moving
>>> between machines, dealing with revocation, migrating existing accounts
>>> and so on.
>> 
>> 
>> But that is exactly what WebID makes simple:
>>  - moving between machines:
>>     + create different certificates on each machine ( use a one time passwords to log in if you want high security)
> 
> What? Where does this one-time password come from?

It could be sent to your phone for example. I also hear that there is a protocol called OATH.
( http://www.crypto-stick.com/2012/OATH-One-Time-Passwords-Allow-Login-to-Gmail-Dropbox-AWS )
But you could just have a complex password for your server - one of the few passwords you'd really need.

> 
>>      here is a video that shows this: http://www.youtube.com/watch?v=S4dlMTZhUDc
>>    ( + use crypto keys if you wanted to be seriously secure )
> 
> Again, where do these come from?

here for example: http://www.crypto-stick.com/
I have not played with this yet. I think initial setup will be more difficult here, but perhaps not. 

> 
>>  - dealing with revocation is easy: remove the public key from the WebID profile
>>   you can see how easy it is to do this on this live server https://my-profile.eu/
>>   (that's a one click event)
> 
> Slim Application Error
> The application could not run because of the following error:
> 
> Details
> 
> Code: 8
> Message: Undefined index: subjectAltName
> File: /var/www/auth-rest/classes/WebidAuth.php
> Line: 169
> Trace
> 
> #0 /var/www/auth-rest/classes/WebidAuth.php(169):
> Slim::handleErrors(8, 'Undefined index...', '/var/www/auth-r...', 169,
> Array)
> #1 /var/www/auth-rest/public/index.php(86):
> Classes_WebidAuth->__construct('../conf/myp.pas...', 'password',
> 'https://my-prof...')
> #2 [internal function]: {closure}()
> #3 /var/www/auth-rest/lib/Slim/Route.php(429):
> call_user_func_array(Object(Closure), Array)
> #4 /var/www/auth-rest/lib/Slim/Slim.php(1147): Slim_Route->dispatch()
> #5 /var/www/auth-rest/lib/Slim/Middleware/Flash.php(84): Slim->call()
> #6 /var/www/auth-rest/lib/Slim/Middleware/MethodOverride.php(91):
> Slim_Middleware_Flash->call()
> #7 /var/www/auth-rest/middleware/ContentType.php(64):
> Slim_Middleware_MethodOverride->call()
> #8 /var/www/auth-rest/lib/Slim/Middleware/PrettyExceptions.php(65):
> Middleware_ContentType->call()
> #9 /var/www/auth-rest/lib/Slim/Slim.php(1098):
> Slim_Middleware_PrettyExceptions->call()
> #10 /var/www/auth-rest/public/index.php(213): Slim->run()
> #11 {main}

That's a bug for Andrei.

>>  - migrating existing accounts: you have HTTP redirects for that
> 
> That makes no sense to me at all! 

Ah I thought you were speaking of something else. I thought the issue was: Sun gets
eaten by Oracle, and Oracle renames all the domains to oracle.com. My WebID used to be
http://people.sun.com/bblfish#hjs and now it is 
http://people.oracle.com/bblfish#hjs

So here the idea is to redirect from 
  http://people.sun.com/bblfish -> http://people.oracle.com/bblfish

Does it make sense how that could also be seen as a migration? :-)

> Let's say that Google agreed right
> now to use WebID. What would be the process to migrate all my devices
> to using it instead of my existing login?

ok. So say Google does this using google+.

One day I go to google plus on my desktop browser and Google Plus entices me to 
  "use WebID and get rid of login problems"
I click on that banner, and pronto, a certificate is created and transferred to 
my browser. (ok perhaps we add an intermediate page with helpful explanations and cool
demos)

Next I am walking down the street with my Android. Google+ is clever enough to notice that
my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me 
   "Hi Henry, get a WebID certificate for your phone too"
I click the banner and oops I have a certificate in Android.

There. It is that easy. Just follow the procedure for each device you can. Make sure it works best in Android and in Chrome, and help sites place certificates in DNS with DANE and push WebID to work everywhere by sponsoring Google Summer of code implementations. We have a list of them, but Google Summer of code could enhance them in innumerable ways

>> I think the reason people never consider 1. is that they keep thinking of certificates as things you use to log into only one web site. So of course if that is what it were for, then having a certificate to login AND a password would be weird. But our position is the opposite: the purpose of a certificate is to login to any web site you wish to - usually not your home server.
> 
> That's absolutely terrible for privacy. In fact, unacceptable.

Only if you are not asked, or are not given the choice which certificate to use, when to use it, and cannot logout when you want to.

If Google were to implement

   http://code.google.com/p/chromium/issues/detail?id=29784

then this issue would be solved. This is a UI issue. You can get quite a long way without this fix, but in the end it is the browser manufacturers that are to blame for this solution being unacceptable. As you work at Google, you could push the right peopl to fix that, and make that a lot less unacceptable. What I find unacceptable is that whenever I go to a web site I get my facebook profile appear even though I did not even log in.

> 
>> Ok, so now someone is going to barge in and say this is off topic, probably just in time to avoid you having to answer the above points :-)
>>   But I hope those who are open to new ideas will see that there is something odd in how there is a simple working solution to a serious problem that is making the headlines every week, and how slow it is to get these ideas to move along - even amongst IETF members who have everything to gain from this working out.
> 
> It is because it is NOT a "simple working solution", despite your
> repeated assertions.

It requires some programming for sure, but it does not require everything to be re-invented. It is all there for the taking. One just has to line up the pieces correctly.

> 
> As I've said before, client certificates are, IMO, a very good idea,
> and I'd really like to see them usable, but you, once more, have left
> me with a load of unanswered problems.

I hope the above answers help. I am trying to build a new server that will do this
extreemly efficiently using functional programming now so that one can run these things on Freedom Boxes, and I'd like to show also how it can work with TOR too.

Henry 


Social Web Architect
http://bblfish.net/

Received on Tuesday, 25 September 2012 18:45:23 UTC