Re: WebID questions -- was: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 26 Sep 2012, at 11:15, Ben Laurie <benl@google.com> wrote:

> On 26 September 2012 09:54, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 26 Sep 2012, at 10:42, Ben Laurie <benl@google.com> wrote:
>>> 
>>> Once more, I remain unenlightened about the answers to my fundamental questions.
>> 
>> Can we perhaps start back at your fundamental question again? We got sidetracked here a bit because of my-profile.eu
>> not working well for you.
>> 
>> The last thing I remember you stating is that authenticating with one ID across multiple sites is in your view a horrendous thing. Is that the fundamental problem?
> 
> One of them. And not just my view - the view of many. Here's a
> presentation from a colleague that illustrates our thinking on the use
> of client certs for authn:
> http://tools.ietf.org/agenda/81/slides/tls-1.pdf.
> 
> In case it's not obvious, the problem is that it's a massive privacy invasion.

Well, as I pointed out, it is not a problem if the user controls and is aware of the identity he is revealing on each site. This is a simple User Interface issue, which Aza Raskin showed how to solve in 2009

   https://blogs.oracle.com/bblfish/entry/identity_in_the_browser_firefox 

and for which there is a bug open in pretty much every browser, e.g. Chrome:

   http://code.google.com/p/chromium/issues/detail?id=29784

So does the above paper take into account that the user could be aware of the identity
he is using, and control it? 

Btw. if you consult the spec you'll see that all a user needs to publish to the world
is his public key

   http://www.w3.org/2005/Incubator/webid/spec/#publishing-the-webid-profile-document

All the rest can be access controlled.

> 
> Next:
> 
> 1. Usability in the browser is only part of the problem. But
> nevertheless it remains a problem.

A problem that browser manufacturers can fix, pretty easily, and which
is even going to be a legal requirement for them to do, as was explained
at the IETF summit in Paris earlier this year.

> 
> 2. If I am all signed up to WebID and I get a new device, how do I get
> it signed up? I know your stock response is "you just go through the
> flow again" - once for every site I'm registered with - using what to
> identify myself? Bear in mind that there has to be a per-site
> certificate.

Ah! Here we get at the crux of the misunderstanding!!!

There does not have to be a per-site certificate when WebID is used. This is what Linked Data permits us to avoid. This is why WebID is so useful. It is why X509 failed as client certificates. Indeed, if all you can use a client certificate for is your own web site, then it has very little use - you might as well use a cookie, or a password. But if you can then connect to other sites, and log in in one click, then things are different - completely different.

> 
> 3. Related: if I lose all my devices, how do I recover?

If you still have your server you go there and remove all public keys. If you are using a service provider at a university you go and see him and tell him to remove all your keys. If you are at Google, then you get hold of the hotline? How do you do it now?

> 
> 4. How do I revoke access when my laptop is stolen?

You go to the server and remove the public key from your profile. Or you ask your admin to do that. Or if you have your own server at home and can't remember anything, then you unplug it.

> 
> 5. How do I migrate my existing username/password accounts to WebID?

There is a technical answer and a UI answer for that.

Let me start with the user's point of view. Here is how that would look if we were to 
imagine a user (me) using Google+.

One day I go to Google Plus on my desktop browser and Google Plus entices me to
 "Use WebID and login securely across the web"
I click on that banner, and pronto, a certificate is created and transferred to
my browser. (OK, perhaps you add an intermediate page with helpful explanations
and cool demos.)

Next I am walking down the street with my Android. Google+ is clever enough to notice that my Android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
  "Hi Henry, get a WebID certificate for your phone too"
I click the banner and oops I have a certificate in Android.

Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Something we need to work on still.

So the technical answer is that Google+ adds to each profile a representation that can be read as explained in the spec
http://webid.info/spec/ . It is quite easy to retrofit a normal web site with this info.

Henry

Social Web Architect
http://bblfish.net/

Received on Wednesday, 26 September 2012 09:57:22 UTC
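The check a WebID-accepting server performs when it receives a client certificate, and why removing the key from the profile (points 3 and 4 above) revokes the device, as an added example that is not code from this message or from the WebID spec. It assumes the cert: vocabulary (cert:key, cert:modulus, cert:exponent) of the spec; the certificate fields, the profile text and the in-memory document store are all constructed, and the profile is read with a regex for this constructed shape rather than a real Turtle parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
# Constructed stand-in for what a server reads from the presented client
# certificate: the WebID URI from subjectAltName and the RSA public key.
@dataclass(frozen=True)
class ClientCert:
    san_uri: str      # e.g. https://example.org/profile#me (constructed)
    modulus_hex: str  # RSA modulus as hex; case and leading zeros may vary
    exponent: int

# Constructed profile in the cert: vocabulary the WebID spec uses. Only the
# public key is published; everything else can be access controlled.
PROFILE_WITH_KEY = """@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "00cafe0123456789abcdef"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
"""
# The same profile after the owner removed the key (the revocation step).
PROFILE_REVOKED = """@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<#me> a <http://xmlns.com/foaf/0.1/Person> .
"""
# Constructed in-memory "web": document URL -> Turtle text.
DOCUMENTS = {"https://example.org/profile": PROFILE_WITH_KEY}

KEY_BLOCK = re.compile(r"<#(\w+)>\s+cert:key\s+(.*?)\s*\.\s*$", re.S | re.M)
MODULUS = re.compile(r'cert:modulus\s+"([0-9a-fA-F]+)"')
EXPONENT = re.compile(r"cert:exponent\s+(\d+)")

def profile_keys(turtle: str, fragment: str) -> Set[Tuple[int, int]]:
    """(modulus, exponent) pairs under <#fragment> cert:key; regex extraction for this constructed shape, not a Turtle parser."""
    keys = set()
    for subject, body in KEY_BLOCK.findall(turtle):
        if subject != fragment:
            continue  # a key listed for another subject in the document does not count
        for block in re.findall(r"\[(.*?)\]", body, re.S):
            m, e = MODULUS.search(block), EXPONENT.search(block)
            if m and e:
                keys.add((int(m.group(1), 16), int(e.group(1))))
    return keys

def verify_webid(cert: ClientCert, documents: Dict[str, str]) -> Optional[str]:
    """WebID-TLS check: the presented key must appear in the profile the WebID dereferences to."""
    doc_url, _, fragment = cert.san_uri.partition("#")
    turtle = documents.get(doc_url)  # "fetch" the profile (in-memory lookup here)
    if turtle is None or not fragment:
        return None  # fail closed: no profile, no accepted identity claim
    presented = (int(cert.modulus_hex, 16), cert.exponent)
    return cert.san_uri if presented in profile_keys(turtle, fragment) else None
```

Because the server trusts nothing in the certificate except the key it compares against the profile, the same self-issued certificate works on every WebID site, and deleting the key from the profile logs that device out everywhere at once.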