Re: Perceived issues with TLS Client Auth

On Thu, Sep 27, 2012 at 09:51:38AM +0100, Ben Laurie wrote:
> On 26 September 2012 17:10, Henry Story <henry.story@bblfish.net> wrote:
> >
> > On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:
> >
> >> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net> wrote:
> >>> Here is how that would look if we were to imagine a user (me) using Google+.
> >>>
> >>> One day I go to google plus on my desktop browser and Google Plus entices me to
> >>> "Use WebID and login securely across the web"
> >>> I click on that banner, and pronto, a certificate is created and transferred to
> >>> my browser. (ok perhaps you add an intermediate page with helpful explanations
> >>> and cool demos)
> >>>
> >>> Next I am walking down the street with my Android. Google+ is clever enough to notice that my android does not have a certificate - it does a TLS request for a client certificate, but receives none - and so asks me
> >>> "Hi Henry, get a WebID certificate for your phone too"
> >>> I click the banner and oops I have a certificate in Android.
> >>>
> >>> Once I have a certificate for a device, I can log into any web site that supports WebID in one click. I can also determine for any site how much information I wish to give that site about me - using access control on information at my profile. Something we need to work on still.
> >>
> >> You seem to have missed out a step - how do these web sites know about
> >> my new WebID?
> >
> > In the scenario described I get my (personal) WebID from Google+. If I were employed by the W3C I would then get a professional WebID by doing the same procedure on my W3C profile page.
> >
> > So I then go to, say, the website of a friend of mine who has his personal web server, at a domain
> > joe.name. When I arrive on the front page of https://joe.name/ that site does not ask me to log in;
> > it gives me public information that Joe is happy for anyone to know. Then perhaps I want to log in, so I click
> > the login button, and this sets up a procedure described in the spec
> >
> >    http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
> >
> > which starts with a TLS renegotiation and a request for the client certificate as explained in the TLS spec.
> 
> How does joe.name know this certificate represents you?
> 
By joe.name you mean who?

The certificate is mine and I'm the only user; all the rest of the
people know only my FOAF URL. The only case where the certificate is used
is when *I* want to authenticate somewhere using WebID. In this case
the server asks me to provide a certificate and checks whether it matches
what is in my FOAF content.

In short, the FOAF URL is like a Google+ user ID and the whole thing works
approximately the same way as OpenID. It doesn't need the central server of an
OpenID provider, which is replaced by the server where the FOAF is located.

Now some problems can be viewed from a different point of view than
anything you knew before:

- info from the cert is metadata which can easily be made into triples, and the same
  goes for the content of the FOAF
- I can use proper tools to get additional information from linked
  data sources, like for example relations between my FOAF and other
  people's FOAF, or a specific policy
- I can use the information to infer how secure each component of
  the chain is before acting

I admit some things are still a dream at this stage; for the last point a
reasoner is a must imo, but this is how I see it. :)

best regards

Received on Thursday, 27 September 2012 10:17:43 UTC
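The check the reply describes (the server asks for a client certificate and checks whether it matches what is in the FOAF profile), written out as an added example that is not code from the thread, the WebID spec, or any project mentioned here. It assumes the TLS layer has already handed the server the certificate fields, and it stands in for the HTTPS fetch and RDF parsing of the profile with a constructed in-memory triple store; every URL, key value and profile triple is constructed for the demo. It also shows the reply's first point, turning the certificate metadata into triples so it can be compared with the profile data in the same form.

```python
# Added example (not code from the thread or the WebID spec): a server-side
# WebID-TLS check. The TLS handshake has already produced a client certificate;
# this is the application-layer step: read the WebID URI from the certificate,
# fetch that profile, and see whether the profile publishes the certificate's key.
# Standard library only; all URLs, keys and profile triples are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CERT = "http://www.w3.org/ns/auth/cert#"       # cert: vocabulary used in WebID profiles
FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

Triple = Tuple[str, str, str]                  # (subject, predicate, object), all as strings


@dataclass
class ClientCert:
    """The fields a server would read off the presented X.509 certificate."""
    san_uris: List[str]     # subjectAltName URI entries; each one is a candidate WebID
    modulus_hex: str        # RSA modulus as hex (what the profile stores as xsd:hexBinary)
    exponent: int           # RSA public exponent


def normalize_modulus(hex_str: str) -> str:
    """Canonical form for comparing hexBinary moduli: tools differ in case,
    whitespace and a leading 0x00 byte, none of which change the number."""
    compact = "".join(hex_str.split()).lower()
    return compact.lstrip("0") or "0"


def cert_to_triples(cert: ClientCert) -> List[Triple]:
    """Express the certificate metadata as triples (the reply's first point:
    certificate info is metadata that can easily be made into triples)."""
    key_node = "_:certkey"                     # blank node for the key in the cert
    triples: List[Triple] = [
        (key_node, RDF_TYPE, CERT + "RSAPublicKey"),
        (key_node, CERT + "modulus", cert.modulus_hex),
        (key_node, CERT + "exponent", str(cert.exponent)),
    ]
    for uri in cert.san_uris:
        triples.append((uri, CERT + "key", key_node))   # the cert claims: <uri> cert:key [key]
    return triples


def keys_for(triples: List[Triple], webid: str) -> List[Dict[str, object]]:
    """Collect the (modulus, exponent) pairs attached to `webid` via cert:key."""
    key_nodes = {o for s, p, o in triples if s == webid and p == CERT + "key"}
    keys: Dict[str, Dict[str, object]] = {n: {} for n in key_nodes}
    for s, p, o in triples:
        if s in keys and p == CERT + "modulus":
            keys[s]["modulus"] = normalize_modulus(o)
        elif s in keys and p == CERT + "exponent":
            keys[s]["exponent"] = int(o)
    return [k for k in keys.values() if "modulus" in k and "exponent" in k]


def verify_webid(cert: ClientCert, fetch: Callable[[str], Optional[List[Triple]]]) -> List[str]:
    """Return the WebID URIs in the certificate whose profile publishes the
    certificate's key. An empty list means the login is refused."""
    cert_triples = cert_to_triples(cert)
    verified: List[str] = []
    for uri in cert.san_uris:
        profile_doc = uri.split("#", 1)[0]     # profile document = WebID minus its fragment
        profile = fetch(profile_doc)
        if profile is None:
            continue                           # profile unreachable: cannot trust this WebID
        claimed = keys_for(cert_triples, uri)  # key(s) the certificate asserts for this URI
        published = keys_for(profile, uri)     # key(s) the profile owner actually published
        if any(k in published for k in claimed):
            verified.append(uri)
    return verified


# ---- constructed profile store standing in for HTTPS GET + RDF parsing ----
JOE = "https://joe.example/card#me"
JOE_MODULUS = "d4e5f6a7b8c9" * 8              # constructed; a real modulus is 2048+ bits
PROFILE_STORE: Dict[str, List[Triple]] = {
    "https://joe.example/card": [
        (JOE, RDF_TYPE, FOAF + "Person"),
        (JOE, FOAF + "name", "Joe"),
        (JOE, CERT + "key", "_:k1"),
        ("_:k1", RDF_TYPE, CERT + "RSAPublicKey"),
        # hexBinary as some tools emit it: upper case with a leading zero byte
        ("_:k1", CERT + "modulus", "00" + JOE_MODULUS.upper()),
        ("_:k1", CERT + "exponent", "65537"),
    ]
}


def fetch_profile(url: str) -> Optional[List[Triple]]:
    """Stand-in for dereferencing the profile URL over HTTPS and parsing the RDF."""
    return PROFILE_STORE.get(url)


GOOD_CERT = ClientCert([JOE], JOE_MODULUS, 65537)
WRONG_KEY_CERT = ClientCert([JOE], "abcdef0123" * 8, 65537)     # same WebID, different key
UNKNOWN_CERT = ClientCert(["https://nobody.example/card#me"], JOE_MODULUS, 65537)

if __name__ == "__main__":
    for label, c in [("good", GOOD_CERT), ("wrong key", WRONG_KEY_CERT), ("unknown", UNKNOWN_CERT)]:
        print(f"{label}: verified WebIDs = {verify_webid(c, fetch_profile)}")
```

All of the trust in this flow comes from the profile fetch, not from the certificate: the client certificate is typically self-signed and proves only possession of the private key, so a server needs to dereference the profile document over HTTPS with normal certificate validation and accept only keys found in the document the WebID itself points at, which is why the example derives the document URL from the WebID rather than from anything else in the certificate.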