Re: Perceived issues with TLS Client Auth

On 26 September 2012 17:10, Henry Story <henry.story@bblfish.net> wrote:
>
> On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:
>
>> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net> wrote:
>>> Here is how that would look if we were to imagine a user (me) using Google+.
>>>
>>> One day I go to google plus on my desktop browser and Google Plus entices me to
>>> "Use WebID and login securely across the web"
>>> I click on that banner, and pronto, a certificate is created and transferred to
>>> my browser. (ok perhaps you add an intermediate page with helpful explanations
>>> and cool demos)
>>>
>>> Next I am walking down the street with my Android. Google+ is clever enough to notice that my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
>>> "Hi Henry, get a WebID certificate for your phone too"
>>> I click the banner and oops I have a certificate in Android.
>>>
>>> Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Something we need to work on still.
>>
>> You seem to have missed out a step - how do these web sites know about
>> my new WebID?
>
> In the scenario described I get my (personal) WebID from Google+. If I were employed by the W3C I would then get a professional WebID by doing the same procedure on my W3C profile page.
>
> So I then go to say the WebSite of a friend of mine who has his personal web server, at a domain
> joe.name. When I arrive on the front page of https://joe.name/ that site does not ask me to log in,
> it gives me public information that joe is happy for anyone to know. Then perhaps I want to login, so I click
> the login button, and this sets up a procedure described in the spec
>
>    http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
>
> which starts with a TLS renegotiation and a request for the client certificate as explained in the TLS spec.

How does joe.name know this certificate represents you?

> If that results in no certificate a pop up can appear, and any number of other authentication systems can be proposed to the user.
>
>>
>> Also, if I've been using WebID to log into google for some time, and
>> my Android phone is new, how do I get logged into G+ in order for
>> Google to notice that I do not have a cert?
>
> You use a password there for Google+. Luckily you'd only need one or two passwords, so those
> could be really long and easy to remember - and also dead safe. I don't think I heard that anyone had trouble connecting to Google+ at present with any number of devices, even though people have to remember passwords to do so?

People forget passwords all the time, even though they have to use
them regularly. The problem gets much worse for passwords that are
used rarely.

> The issue we are trying to deal with is having to remember a password for all the other sites, and the duplication of information that comes with that, the lack of security this duplication brings, the centralisation of information that is the consequence of the difficulty of having all of the above be easy to use - and so the consequent loss of privacy. WebID solves the privacy problem, because it no longer requires centralisation of all information on one mega server, and it allows cross domain identification and cooperation. It helps create a Social Web, as opposed to a social network. (you will find more on that on my home page)

I totally understand the goals, and I have no argument with them. My
concerns are purely around usability. But apparently you don't want to
hear that - you think you have a usable solution. So what's your
explanation for lack of adoption?

Received on Thursday, 27 September 2012 08:52:05 UTC