Re: Perceived issues with TLS Client Auth from Kingsley Idehen on 2012-09-27 (public-webid@w3.org from September 2012)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Thu, 27 Sep 2012 07:45:23 -0400
To: Ben Laurie <benl@google.com>
CC: Henry Story <henry.story@bblfish.net>, Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
Message-ID: <50643C53.3070408@openlinksw.com>

On 9/27/12 4:51 AM, Ben Laurie wrote:
>> >So I then go to say the WebSite of a friend of mine who has his personal web server, at a domain
>> >joe.name . When I arrive on the front page ofhttps://joe.name/  that site does not ask me to log in,
>> >it gives me public information that joe is happy for anyone to know. Then perhaps I want to login, so I click
>> >the login button, and this sets up a procedure described in the spec
>> >
>> >    http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
>> >
>> >which starts with a TLS renegotiation and a request for the client certificate as explained in the TLS spec.
> How does joe.name know this certificate represents you?

joe.name doesn't know or care about "you". It should simply care about a 
verifiable identity to which a resource acl applies. As for nebulous 
"you" that's a matter between "you" and the identity claims graph 
extends from your local X.509 certificate to your Web-accessible profile 
document, via the WebID in the certs. SAN. Note, the profile document 
could be as basic as a tweet, blog post, chunk of blurb in a text file 
etc..  I've dropped posts in the past demonstrating these WebID 
utilization patterns [1] .

We are even going to release an official service for all of this that 
works for the most basic end-user profile, since we tired of waiting for 
others to fully grasp the potential of WebID. As history has shown, 
commercial competition and palpable opportunity costs are always the 
shortcuts to massive adoption.

>
>> >If that results in no certificate a pop up can appear, and any number of other authentication systems can be proposed to the user.
>> >
>>> >>
>>> >>Also, if I've been using WebID to log into google for some time, and
>>> >>my Android phone is new, how do I get logged into G+ in order for
>>> >>Google to notice that I do not have a cert?
>> >
>> >You use a password there for Google+ . Luckily you' only need one or two passwords, so those
>> >could be really long and easy to remember - and also dead safe. I don't think I heard that anyone had trouble connecting to Google+ at present with any number of devices, even though people have to remember passwords to do so?
> People forget passwords all the time, even though they have to use
> them regularly. The problem gets much worse for passwords that are
> used rarely.

This whole thing is about reducing password use to:

1. local keystore access
2. add claims from local x.509 certificate to profile document, and 
that's subject to shape and form or a profile document -- e.g., for G+, 
Twitter, LinkedIn etc.. one uses OAuth which brings passwords into play .

>
>> >The issue we are trying to deal with is having to remember a password for all the other sites, and the duplication of information that comes with that, the lack of security this duplication brings, the centralisation of information that are the consequences of the difficulty of having all of the above be easy to use - and so the consequent loss of privacy. WebID solves the privacy problem, because it no longer requires centralisation of all information on one mega server, and it allows cross domain identification and cooperation. It helps create a Social Web, as opposed to a social network. (you will find more on that on my home page)
> I totally understand the goals, and I have no argument with them. My
> concerns are purely around usability.

Okay, I am happy to narrow this conversation down to usability. Maybe we 
start a new thread appropriately titled?

>   But apparently you don't want to
> hear that - you think you have a usable solution. So what's your
> explanation for lack of adoption?

Very good question. I think it's a cocktail of issues, some of which 
start with prevalence of AWWW incomprehension across many Web developer 
profiles etc.. Anyway, let's talk about the usability issues as you see 
them in a separate thread.
>
>
>
Links:

1. http://bit.ly/QejVnP -- posts about using the di: (DIGEST) scheme URI 
re. Web-scale verifiable identity .

-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Thursday, 27 September 2012 11:45:52 UTC