- From: <henry.story@bblfish.net>
- Date: Mon, 21 Jul 2014 17:50:07 +0200
- To: "Kingsley (Uyi) Idehen" <kidehen@openlinksw.com>
- Cc: public-webid@w3.org
On 21 Jul 2014, at 15:53, Kingsley Idehen <kidehen@openlinksw.com> wrote:

> On 7/21/14 9:22 AM, henry.story@bblfish.net wrote:
>> On 21 Jul 2014, at 04:45, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>
>>> On 7/20/14 12:42 PM, henry.story@bblfish.net wrote:
>>>>> Why is that? Microsoft doesn't care and neither does Apple (for iOS).
>>>> I don't care that Microsoft does not care since I can work around it
>>>> using ActiveX.
>>>
>>> Do care, i.e., please don't recommend ActiveX circa 2014.
>>>
>>> IE doesn't have a problem. You don't need to do anything for IE to work properly with WebID-TLS.
>>
>> Does IE now support keygen?
>>
>
> No it doesn't, never will, and rightly so (IMO). It has an ActiveX component that is pretty secure and does the same thing, which can be called from JS.
>
> Keygen isn't a critical WebID-* related application feature or part of the spec, so I've never really understood the relevance you give to this questionable feature, in regards to Web-scale privacy and identity. When a Windows user wants to generate an identity card for themselves they use the Windows keystore (via its in-built UI) or the native OS API. The same applies to Mac OS X via keychain.
>
> Generating identity credentials that aren't understood by an end-user might look like a convenience, but it is actually a potential point of vulnerability and identity compromise. That's why Microsoft doesn't support <keygen/>.

That's why you think they don't support keygen. See below for why I don't think that's a correct assumption.

>
> WebID and WebID-TLS experience in IE:
>
> 1. User or 3rd party Native App generates Identity Card (an x.509 cert) that includes WebID in SAN -- Identity purveyor
> 2. User selects Identity Card when prompted by TLS CCA
> 3. User Identity Claims are authenticated by a protected resource server using authentication protocols e.g., WebID-TLS
> -- and is capable of repeating this using different WebIDs without restarting IE by simply using the "New Session" feature of IE.
>
> WebID and WebID-TLS experience in Safari:
>
> 1. User or 3rd party Native App generates Identity Card (an x.509 cert) that includes WebID in SAN -- Identity purveyor
> 2. User selects Identity Card when prompted by TLS CCA
> 3. User Identity Claims are authenticated by a protected resource server using authentication protocols e.g., WebID-TLS
> -- and is capable of repeating this using different WebIDs without restarting Safari since Mac OS X will end idle TLS sessions after a short timeout (only minus is that in my version of Mac OS X 10.6 the timeout isn't configurable, I expect that to change).
>
> WebID and WebID-TLS experience in Firefox, which has its own keystore (rather than using what the host OS provides, more securely):
>
> 1. User or 3rd party Native App (some use <keygen/> for this) generates Identity Card (an x.509 cert) that includes WebID in SAN -- Identity purveyor
> 2. User selects Identity Card when prompted by TLS CCA
> 3. User Identity Claims are authenticated by a protected resource server using authentication protocols e.g., WebID-TLS
> -- and is capable of repeating this using different WebIDs without restarting Firefox if the protected resource server leverages Javascript.

For all of the above I can reduce this to one action.

1. User goes to his home page in his browser and clicks a "create certificate" button.

>
> Conclusion:
>
> If users can generate identity cards for themselves (directly or via 3rd party apps), and make use of them with ease, i.e., achieve the following:
>
> 1. Be fully aware of which certificate aligns with a specific identity
> 2. Select the appropriate certificate for the appropriate identity when challenged by a protected resource server
> 3. All of the above without restarting their browser.
>
> Why would they need <keygen/> specifically? Remember, pkcs#12 is implemented by all browsers and provides a powerful mechanism for distributing cryptographically enhanced identity credentials.

Because they don't need to install a third party app to do that.

>
> Links:
>
> [1] http://linkeddata.uriburner.com/about/id/entity/http/security.stackexchange.com/questions/27955/what-are-the-benefits-and-drawbacks-of-the-html5-keygen-element#Answer_27956 -- <keygen/> issues explained via StackExchange post
>
> [2] https://plus.google.com/+KingsleyIdehen/posts/26AYNLeeb6m -- programmer perspective of end-user problems.
>
> --
> Regards,
>
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog 1: http://kidehen.blogspot.com
> Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
> Twitter Profile: https://twitter.com/kidehen
> Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
>

Social Web Architect
http://bblfish.net/
Received on Monday, 21 July 2014 15:50:40 UTC