- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 21 Jul 2014 09:53:42 -0400
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- CC: public-webid@w3.org
- Message-ID: <53CD1B66.9080408@openlinksw.com>
On 7/21/14 9:22 AM, henry.story@bblfish.net wrote:
> On 21 Jul 2014, at 04:45, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>
>> On 7/20/14 12:42 PM, henry.story@bblfish.net wrote:
>>>> Why is that? Microsoft doesn't care and neither does Apple (for iOS).
>>> I don't care that Microsoft does not care since I can work around it
>>> using ActiveX.
>>
>> Do care, i.e., please don't recommend ActiveX circa 2014.
>>
>> IE doesn't have a problem. You don't need to do anything for IE to work properly with WebID-TLS.
> Does IE now support keygen?
>
No it doesn't, never will, and rightly so (IMO).
Keygen isn't a critical WebID-* related application feature or part of
the spec, so I've never really understood the relevance you give to this
questionable feature, in regards to Web-scale privacy and identity. When
a Windows user wants to generate an identity card for themselves they
use the Windows keystore (via its in-built UI) or the native OS API. The
same applies to Mac OS X via keychain.
Generating identity credentials that aren't understood by an end-user
might look like a convenience, but it is actually a potential point of
vulnerability and identity compromise. That's why Microsoft doesn't
support <keygen/>.
WebID and WebID-TLS experience in IE:
1. User or 3rd party Native App generates Identity Card (an x.509 cert)
that includes WebID in SAN -- Identity purveyor
2. User selects Identity Card when prompted by TLS CCA
3. User Identity Claims are authenticated by a protected resource server
using authentication protocols e.g., WebID-TLS
-- and is capable of repeating this using different WebIDs without
restarting IE by simply using the "New Session" feature of IE.
WebID and WebID-TLS experience in Safari:
1. User or 3rd party Native App generates Identity Card (an x.509 cert)
that includes WebID in SAN -- Identity purveyor
2. User selects Identity Card when prompted by TLS CCA
3. User Identity Claims are authenticated by a protected resource server
using authentication protocols e.g., WebID-TLS
-- and is capable of repeating this using different WebIDs without
restarting Safari since Mac OS X will end idle TLS sessions after a
short timeout (only minus is that in my version of Mac OS X 10.6 the
timeout isn't configurable, I expect that to change).
WebID and WebID-TLS experience in Firefox, which has its own keystore
(rather than using what the host OS provides, more securely):
1. User or 3rd party Native App (some use <keygen/> for this) generates
Identity Card (an x.509 cert) that includes WebID in SAN -- Identity
purveyor
2. User selects Identity Card when prompted by TLS CCA
3. User Identity Claims are authenticated by a protected resource server
using authentication protocols e.g., WebID-TLS
-- and is capable of repeating this using different WebIDs without
restarting Firefox if the protected resource server leverages Javascript.
Conclusion:
If users can generate identity cards for themselves (directly or via 3rd
party apps), and make use of them with ease, i.e., achieve the following:
1. Be fully aware of which certificate aligns with a specific identity
2. Select the appropriate certificate for the appropriate identity when
challenged by a protected resource server
3. All of the above without restarting their browser.
Why would they need <keygen/> specifically? Remember, PKCS#12 is
implemented by all browsers and provides a powerful mechanism for
distributing cryptographically enhanced identity credentials.
Links:
[1] http://linkeddata.uriburner.com/about/id/entity/http/security.stackexchange.com/questions/27955/what-are-the-benefits-and-drawbacks-of-the-html5-keygen-element#Answer_27956 -- <keygen/> issues explained via StackExchange post
[2] https://plus.google.com/+KingsleyIdehen/posts/26AYNLeeb6m -- programmer perspective of end-user problems.
--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 21 July 2014 13:54:03 UTC
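The three-step flow the message repeats for IE, Safari and Firefox (an identity card with the WebID in the SAN, client-certificate selection, then a WebID-TLS check by the protected resource server) as an added, runnable example. This is illustrative code written for this page, not code from the thread or from any WebID implementation. It assumes RSA keys described by cert:modulus/cert:exponent, a constructed WebID https://example.org/people/alice/card#me, and an in-memory map standing in for the profile document the server would actually dereference over HTTP; the PKCS#12 export mentioned in the message is not shown because Go's standard library has no PKCS#12 encoder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// profileKey is one cert:RSAPublicKey entry as published in a WebID profile.
type profileKey struct {
	modulus  *big.Int // cert:modulus
	exponent int      // cert:exponent
}

// profiles stands in for the Web: a real WebID-TLS server dereferences the
// WebID (fragment stripped) and reads the cert:key triples from the profile
// document. Here the lookup is an in-memory map keyed by WebID (assumption).
var profiles = map[string][]profileKey{}

// publishKey simulates the user adding a public key to their WebID profile.
func publishKey(webid string, pub *rsa.PublicKey) {
	profiles[webid] = append(profiles[webid], profileKey{
		modulus:  new(big.Int).Set(pub.N),
		exponent: pub.E,
	})
}

// makeIdentityCard is step 1: a self-signed X.509 certificate whose
// subjectAltName carries the WebID as a uniformResourceIdentifier entry.
// No CA is involved; the profile document, not a chain, vouches for the key.
func makeIdentityCard(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "WebID identity card"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u}, // the WebID goes into the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// webIDsFromCert returns the SAN URI entries of a presented certificate;
// WebID-TLS identifies the user by these, never by the Subject DN.
func webIDsFromCert(cert *x509.Certificate) []string {
	ids := make([]string, 0, len(cert.URIs))
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	return ids
}

// authenticateWebID is step 3, the protected resource server's check. The
// TLS handshake has already proved the client holds the private key, so the
// server only has to find a SAN WebID whose profile publishes exactly this
// modulus and exponent. Chain validation is deliberately not performed.
func authenticateWebID(cert *x509.Certificate) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("webid-tls: profile keys are RSA modulus/exponent; non-RSA cert rejected")
	}
	for _, webid := range webIDsFromCert(cert) {
		for _, k := range profiles[webid] {
			if k.exponent == pub.E && k.modulus.Cmp(pub.N) == 0 {
				return webid, nil
			}
		}
	}
	return "", errors.New("webid-tls: no SAN WebID whose profile lists the presented public key")
}

func main() {
	const alice = "https://example.org/people/alice/card#me" // constructed WebID
	aliceKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	publishKey(alice, &aliceKey.PublicKey)

	card, _ := makeIdentityCard(alice, aliceKey)
	fmt.Println(authenticateWebID(card))

	// An impostor can put alice's WebID in their own cert's SAN, but alice's
	// profile does not list their key, so the claim is rejected.
	malloryKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := makeIdentityCard(alice, malloryKey)
	fmt.Println(authenticateWebID(forged))
}
```

In a real Go server the handshake side of step 2 is `tls.Config{ClientAuth: tls.RequestClientCert}`, which asks the browser for a certificate without attempting CA verification, and `authenticateWebID` is then run on `ConnectionState().PeerCertificates[0]`. The point the message makes about users understanding their own credentials is visible here: the certificate is only a carrier for the WebID and public key, and the trust decision rests entirely on what the user published in their profile.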