Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo

On 8/8/13 7:22 AM, Andrei Sambra wrote:
> On Wed, Aug 7, 2013 at 7:34 PM, Nick Jennings < 
> <>> wrote:
>     Hi Kingsley,
>      Thanks for the links. Trying out the first link
>     ( now, some notes:
>     2. With firefox, after filling out the form, I get a download
>     dialogue for the cert instead of it installing into the browser.
>     So I saved, then went into preferences and "import" ... which was
>     successful with "Successfully restored your security
>     certificate(s) and private key(s)". Previously, with
>     <>, this was automatically installed into the
>     browser (I was using Chrome then). Though I guess it's better to
>     have it export/save by default so you can install the same cert on
>     any number of browsers without hassle. Still, it creates more
>     steps and could be confusing for new users.
> Downloading the cert means that it was generated on the server side, 
> thus the server has knowledge of your private key -> BAD. Using the 
> HTML5 <KEYGEN> element is always preferred in this case, which is 
> currently the case for <> and 
> <>.
Re., what you assume is BAD:

You have a tradeoff, store to pkcs#12 or to browser.

We default to saving pkcs#12 while <keygen/> is an option too. Remember, 
privacy is about *self-calibration* of one's vulnerabilities, so we 
prefer to provide options to app/service users rather than mandating a 
single option.

Remember, WebID+TLS is not basic PKI meaning: we have a composite of 
items that challenge compromise feasibility:

1. keypairs
2. agent identity
3. entity relationship semantics.

Take any of the items above out of the composite and the WebID+TLS 
authentication challenge fails. In the context of Webby-PKI (which is 
what WebID+TLS is about), the private key doesn't have the *pivotal 
role* it had re. basic PKI.

Also note, pkcs#12 files (re. YouID) are actually generated on the 
mobile device (iPhone for now with Android arriving any second). It is 
no different to generating a certificate using Keychain on Mac OS X [1].


1. -- creating an X.509 certificate bearing a WebID 
(HTTP URI that denotes an Agent) using Mac OS X Keychain (which Apple 
forgot to port to iOS).



Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web:
Personal Weblog:
Twitter/ handle: @kidehen
Google+ Profile:
LinkedIn Profile:

Received on Thursday, 8 August 2013 13:09:57 UTC
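The "composite" Kingsley describes above (key pair, agent identity, and the relationship asserted in the profile) is what a WebID+TLS verifier actually checks. The following is an added example, not code from the thread or from any of the demos it mentions: a minimal offline verifier over a constructed client certificate and a constructed Turtle profile, where `CLIENT_CERT`, `PROFILES`, the URIs and the key material are all made up, and the regex-based profile parsing stands in for a real RDF parser.

```python
import re

# Constructed stand-ins for what a server sees during the TLS handshake
# (SAN URIs and the RSA public key of the client certificate).
CLIENT_CERT = {
    "san_uris": ["https://example.org/people/alice#me"],
    "modulus_hex": "00:C4:FE:12:9A:B7:3D:E8",   # constructed, not a real key
    "exponent": 65537,
}

# Constructed WebID profile document, keyed by the URI it would be fetched from.
PROFILES = {
    "https://example.org/people/alice": """
        @prefix cert: <http://www.w3.org/ns/auth/cert#> .
        <#me> cert:key [ cert:modulus "c4fe129ab73de8"^^xsd:hexBinary ;
                         cert:exponent 65537 ] .
    """,
}

def normalize_hex(value):
    # Ignore non-hex characters and case, and drop leading zero bytes so the
    # same modulus compares equal whatever its textual form (assumption).
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    return format(int(digits, 16), "x") if digits else ""

def profile_keys(turtle, fragment):
    """(modulus, exponent) pairs the profile asserts for <#fragment>.
    Regex over the constructed snippet; a real verifier parses RDF properly."""
    keys = []
    for subj, body in re.findall(r"<#(\w+)>\s+cert:key\s+\[(.*?)\]", turtle, re.S):
        if subj != fragment:
            continue  # the key must be asserted for *this* agent, not just anywhere
        mod = re.search(r'cert:modulus\s+"([^"]*)"', body)
        exp = re.search(r"cert:exponent\s+(\d+)", body)
        if mod and exp:
            keys.append((normalize_hex(mod.group(1)), int(exp.group(1))))
    return keys

def verify_webid_tls(cert, fetch_profile):
    """Return the first SAN WebID whose profile publishes the cert's key, else None.
    All three composite items must line up: key pair, agent URI, profile assertion."""
    cert_key = (normalize_hex(cert["modulus_hex"]), cert["exponent"])
    for webid in cert["san_uris"]:
        doc, _, fragment = webid.partition("#")
        turtle = fetch_profile(doc)
        if turtle is not None and cert_key in profile_keys(turtle, fragment):
            return webid
    return None

if __name__ == "__main__":
    print(verify_webid_tls(CLIENT_CERT, PROFILES.get))
```

Removing any one item (a different key, a missing SAN URI, or a profile that asserts the key for a different agent) makes `verify_webid_tls` return `None`, which is the failure mode the message describes.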