- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 26 Sep 2012 15:24:40 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: public-webid <public-webid@w3.org>, Ben Laurie <benl@google.com>
Thanks, Melvin. Linking to the answers I gave in the discussion with Ben Laurie. http://lists.w3.org/Archives/Public/public-webid/2012Sep/0076.html Very short answers here, with more details in the previous thread. On 26 Sep 2012, at 14:04, Melvin Carvalho <melvincarvalho@gmail.com> wrote: > Why not use TLS Client Auth? Because it has problems: > > • User Experience > – Cert generation has UI > – Cert selection has UI > (happens before user can see content of web site) Wrong. You can have the cert selection come after you see the Web. See the diagram in section 3 of the spec http://webid.info/spec/#the-webid-protocol You use TLS renegotiation when requesting the certificate. You can see it working on here: https://foafssl.org/srv/idp?rs=http://bblfish.net/ notice you are behind https. Notice that you don't get a certificate request until you click the button. > > • Privacy > – user identity is same across all web sites Answer does not need to be. One can select certificates for each web site. And this could be improved by work from Aza Raskin. See http://www.azarask.in/blog/post/identity-in-the-browser-firefox/ and the pictures in big http://www.flickr.com/photos/azaraskin/4128966575/sizes/l/ And improvement request on Chrome: http://code.google.com/p/chromium/issues/detail?id=29784 > > • Portability > – moving certs is a hassle WebID makes moving certs a non problem. It can it is true be done by hand, in which case it is non intuitive. Or it can be done with crypto keys such as http://www.crypto-stick.com/ which would be a lot better. But no need to wait for wide deployment of crypto sticks. Certificate generation is so simple and cheap one can make them in one click. The follownig videos show this: - "The WebID and Browsers" video: http://webid.info/ - "WebID creation and use in 4 minutes across browsers" http://www.youtube.com/watch?v=S4dlMTZhUDc Here is a story of how it would work on Google+ Here is how that would look if we were to imagine a user (me) using Google+. One day I go to google plus on my desktop browser and Google Plus entices me to "Use WebID and login securely across the web" I click on that banner, and pronto, a certificate is created and transferred to my browser. (ok perhaps you add an intermediate page with helpful explanations and cool demos) Next I am walking down the street with my Android. Google+ is clever enough to notice that my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me "Hi Henry, get a WebID certificate for your phone too" I click the banner and oops I have a certificate in Android. Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Someting we need to work on still. > > • Problems in Datacenters > – make TLS terminators part of the TCB not sure what TCB is. But I think hardware TLS support need just verify the private key and send the certificate on to the app server. > > http://tools.ietf.org/agenda/81/slides/tls-1.pdf. > > As reported in previous thread with Ben Laurie. > Social Web Architect http://bblfish.net/
Received on Wednesday, 26 September 2012 13:25:24 UTC