- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 10 Jun 2014 10:13:19 +0200
- To: Tim Holborn <timothy.holborn@gmail.com>
- Cc: public-webid <public-webid@w3.org>, public-rww <public-rww@w3.org>
- Message-ID: <CAKaEYhLfiqPqCQ=WedtpfN6f_RHk2aHb6rvdqm4GntXxAhpcxQ@mail.gmail.com>
On 10 June 2014 08:02, Tim Holborn <timothy.holborn@gmail.com> wrote: > I’m really, super impressed with it… > > Obviously, it's early days… > > Melvin, i was wondering how your web-credits identifiers will link? > Web credits is an IOU between 2 URIs. It's agnostic to authentication, so any authentication system can be plugged in. > > timh. > > On 10 Jun 2014, at 3:49 pm, Melvin Carvalho <melvincarvalho@gmail.com> > wrote: > > FYI > > ---------- Forwarded message ---------- > From: Manu Sporny <msporny@digitalbazaar.com> > Date: 10 June 2014 06:25 > Subject: Proof of Concept: Identity Credentials Login > To: Web Payments CG <public-webpayments@w3.org> > > > TL;DR: There is now an open source demo of credential-based login > for the Web. We think it’s better than Persona, WebID+TLS, and > OpenID Connect. If we can build enough support for Identity > Credentials over the next year, we’d like to standardize it via > the W3C. > > This is a text-only version of the original blog post, which can be found > here: > > http://manu.sporny.org/2014/identity-credentials/ > > Identity Credentials and Web Login > > In a [1]previous blog post, I outlined the need for a better login > solution for the Web and why Mozilla Persona, WebID+TLS, and > OpenID Connect currently don’t address important use cases that > we’re considering in the Web Payments Community Group. The blog > post contained a proposal for a new login mechanism for the Web > that was simultaneously more decentralized, more extensible, > enabled a level playing field, and was more privacy-aware than the > previously mentioned solutions. > > In the private conversations we have had with companies large and > small, the proposal was met with a healthy dose of skepticism and > excitement. There was enough excitement generated to push us to > build a proof-of-concept of the technology. We are releasing this > proof-of-concept to the Web today so that other technologists can > take a look at it. It’s by no means done, there are plenty of bugs > and security issues that we plan to fix in the next several weeks, > but the core of the idea is there and you can try it out. > > The Demo > > The demonstration that we’re releasing today is a proof-of-concept > asserting that we can have a unified, secure identity and login > solution for the Web. The technology is capable of storing and > transmitting your identity credentials (email address, payment > processor, shipping address, driver’s license, passport, etc.) > while also protecting your privacy from those that would want to > track and sell your online browsing behavior. It is in the same > realm of technology as Mozilla Persona, WebID+TLS, and OpenID > Connect. Benefits of using this technology include: > * Solving the [2]NASCAR login problem in a way that greatly > increases identity provider competition. > * Removing the need for usernames and passwords when logging > into 99.99% of the websites that you use today. > * Auto-filling information that you have to repeat over and over > again (shipping address, name, email, etc.). > * Solving the NASCAR payments problem in a way that greatly > increases payment processor competition. > * Storage and transmission of credentials, such as email > addresses, driver’s licenses, and digital passports, via the > Web that cryptographically prove that you are who you say you > are. > > The demonstration is based on the [3]Identity Credentials > technology being developed by the [4]Web Payments Community Group > at the [5]World Wide Web Consortium. It consists of an ecosystem > of four example websites. The purpose of each website is explained > below: > > Identity Provider (identus.org) > > The Identity Provider stores your identity document and any > information about you including any credentials that other sites > may issue to you. This site is used to accomplish several things > during the demo: > * Create an identity. > * Register your identity with the Login Hub. > * Generate a verified email credential and store it in your > identity. > > Login Hub (login-hub.com) > > This site helps other websites discover your identity provider in > a way that protects your privacy from both the website you’re > logging into as well as your identity provider. Eventually the > functionality of this website will be implemented directly in > browsers, but until that happens, it is used to bootstrap the > discovery of and login/credential transmission process for the > identity provider. This site is used to do the following things > during the demo: > * Register your identity, creating an association between your > identity provider and the email address and passphrase you use > on the login hub. > * Login to a website. > > Credential Issuer (credential.club) > > This site is responsible for verifying information about you like > your home address, driver’s license, and passport information. > Once the site has verified some information about you, it can > issue a credential to you. For the purposes of the demonstration, > all verifications are simulated and you will immediately be given > a credential when you ask for one. All credentials are digitally > signed by the issuer which means their validity can be proven > without the need to contact the issuer (or be online). This site > is used to do the following things during the demo: > * Login using an email credential. > * Issue other credentials to yourself like a business address, > proof of age, driver’s license, and digital passport. > > Single Sign-On Demo > > The single sign-on website, while not implemented yet, will be > used to demonstrate the simplicity of credential-based login. The > sign-on process requires you to click a login button, enter your > email and passphrase on the Login Hub, and then verify that you > would like to transmit the requested credential to the single > sign-on website. This website will allow you to do the following > in a future demo: > * Present various credentials to log in. > > How it Works > > The demo is split into four distinct parts. Each part will be > explained in detail in the rest of this post. Before you try the > demo, it is important that you understand that this is a > proof-of-concept. The demo is pretty easy to break because we > haven’t spent any time polishing it. It’ll be useful for > technologists that understand how the Web works. It has only been > tested in Google Chrome, versions 31 – 35. There are glaring > security issues with the demo that have solutions which have not > been implemented yet due to time constraints. We wanted to publish > our work as quickly as possible so others could critique it early > rather than sitting on it until it was “done”. With those caveats > clearly stated up front, let’s dive in to the demo. > > Creating an Identity > > The first part of the demo requires you to [6]create an identity > for yourself. Do so by clicking the link in the previous sentence. > Your short name can be something simple like your first name or a > handle you use online. The passphrase should be something long and > memorable that is specific to you. When you click the Create > button, you will be redirected to your new identity page. > > Note the text displayed in the middle of the screen. This is your > raw identity data in [7]JSON-LD format. It is a machine-readable > representation of your credentials. There are only three pieces of > information in it in the beginning. The first is the JSON-LD > @context value, https://w3id.org/identity/v1, which tells machines > how to interpret the information in the document. The second is > the id value, which is the location of this particular identity on > the Web. The third is the sysPasswordHash, which is just a bcrypt > hash of your login password to the identity website. > > Global Web Login Network > > Now that you have an identity, you need to register it with the > global Web login network. The purpose of this network is to help > map your preferred email address to your identity provider. Keep > in mind that in the future, the piece of software that will do > this mapping will be your web browser. However, until this > technology is built into the browser, we will need to bootstrap > the email to identity document mapping in another way. > > The way that both Mozilla Persona and OpenID do it is fairly > similar. OpenID assumes that your email address maps to your > identity provider. So, an OpenID login name of joe@gmail.com > assumes that gmail.com is your identity provider. Mozilla Persona > went a step further by saying that if gmail.com wouldn’t vouch for > your email address, that they would. So Persona would first check > to see if gmail.com spoke the Persona protocol, and if it didn’t, > the burden of validating the email address would fall back to > Mozilla. This approach put Mozilla in the unenviable position of > running a lot of infrastructure to make sure this entire system > stayed up and running. > > The Identity Credentials solution goes a step further than Mozilla > Persona and states that you are the one that decides which > identity provider your email address maps to. So, if you have an > email address like bob@gmail.com, you can use yahoo.com as your > identity provider. You can probably imagine that this makes the > large identity providers nervous because it means that they’re now > going to have to compete for your business. You have the choice of > who is going to be your identity provider regardless of what your > email address is. > > So, let’s register your new identity on the global web login > network. Click the text on the screen that says “Click here to > register”. That will take you to a site called login-hub.com. This > website serves two purposes. The first is to map your preferred > email address to your identity provider. The second is to protect > your privacy as you send information from your identity provider > and send it to other websites on the Internet (more on this > later). > > You should be presented with a screen that asks you for three > pieces of information. Your preferred email address, a passphrase, > and a verification of that passphrase. When you enter this > information, it will be used to do a number of things. The first > thing that will happen is that a public/private keypair will be > generated for the device that you’re using (your web browser, for > instance). This key will be used as a second factor of > authentication in later steps in this process. The second thing > that will happen is that your email address and passphrase will be > used to generate a query token, which will be later used to query > the decentralized [8]Telehash-based identity network. The third > thing that will happen is that your query token to identity > document mapping will be encrypted and placed onto the Telehash > network. > > The Decentralized Database (Telehash) > > We could spend an entire blog post itself on Telehash, but the > important thing to understand about it is that it provides a > mechanism to store data in a decentralized database and query that > database at a later time for the data. By storing this query token > and query response in the decentralized database, it allows us to > find your identity provider mapping regardless of which device > you’re using to access the Web and independent of who your email > provider is. > > In fact, note that I said that you use your “preferred email > address” above? It doesn’t need to be an email address, it could > be a simple string like “Bob” and a unique passphrase. Even though > there are many “Bob”s in the world, the likelyhood that they’d use > the same 20+ character passphrase is unlikely and therefore one > could use just a first name and a complex passphrase. That said, > we’re suggesting that most non-technical people use a preferred > email address because most people won’t understand the dangers of > SHA-256 collisions on username+passphrase combinations like > sha256(“Bob” + “password”). In addition to this aside, the > decentralized database solution doesn’t need to be Telehash. It > could just as easily be a decentralized ledger like Namecoin or > Ripple. > > Once you have filled out your preferred email address and > passphrase, click the Register button. You will be sent back to > your identity provider and will see two new pieces of information. > The first piece of information is sysIdpMapping, which is the > decentralized database query token (query) and > passphrase-encrypted mapping (queryResponse). The second piece of > information is sysDeviceKeys, which is the public key associated > with the device that you registered your identity through and > which will be used as a second factor of authentication in later > versions of the demo. The third piece of information is > sysRegistered, which is an indicator that the identity has been > registered with the decentralized database. > > Acquiring an Email Credential > > At this point, you can’t really do much with your identity since > it doesn’t have any useful credential information associated with > it. So, the next step is to put something useful into your > identity. When you create an account on most websites, the first > thing the website asks you for is an email address. It uses this > email address to communicate with you. The website will typically > verify that it can send and receive an email to that address > before fully activating your account. You typically have to go > through this process over and over again, once for each new site > that you join. It would be nice if an identity solution designed > for the Web would take care of this email registration process for > you. For those of you familiar with Mozilla Persona, this approach > should sound very familiar to you. > > The Identity Credentials technology is a bit different from > Mozilla Persona in that it enables a larger number of > organizations to verify your email address than just your email > provider or Mozilla. In fact, we see a future where there could be > tens, if not hundreds, of organizations that could provide email > verification. For the purposes of the demo, the Identity Provider > will provide a “simulated verification” (aka fake) of your email > address. To get this credential, click on the text that says > “Click here to get one”. > > You will be presented with a single input field for your email > address. Any email address will do, but you may want to use the > preferred one you entered earlier. Once you have entered your > email address, click “Issue Email Credential”. You will be sent > back to your identity page and you should see your first > credential listed in your JSON-LD identity document beside the > credential key. Let’s take a closer look at what constitutes a > credential in the system. > > The EmailCredential is a statement that a 3rd party has done an > email verification on your account. Any credential that conforms > to the Identity Credentials specification is composed of a set of > claims and a signature value. The claims tie the information that > the 3rd party is asserting, such as an email address, to the > identity. The signature is composed of a number of fields that can > be used to cryptographically prove that only the issuer of the > credential was capable of issuing this specific credential. The > details of how the signature is constructed can be found in the > [9]Secure Messaging specification. > > Now that you have an email credential, you can use it to log into > a website. The next demonstration will use the email credential to > log into a credential issuer website. > > Credential-based Login > > Most websites will only require an email credential to log in. > There are other sites, such as ecommerce sites or high-security > websites, that will require a few more credentials to successfully > log in or use their services. For example, a ecommerce site might > require your payment processor and shipping address to send you > the goods you purchased. A website that sells local wines might > request that you provide a credential proving that you are above > the required drinking age in your locality. A travel website might > request your digital passport to ease your security clearing > process if you are traveling internationally. There are many more > types of speciality credentials that one may issue and use via the > Identity Credentials technology. The next demo will entail issuing > some of these credentials to yourself. However, before we do that, > we have to login to the credential issuer website using our newly > acquired email credential. > > Go to the [10]credential.club website and click on the “Login” > button. This will immediately send you to the login hub website > where you had previously registered your identity. The request > sent to the login hub by credential.club will effectively be a > request for your email credential. Once you’re on login-hub.com, > enter your preferred email address and passphrase and then click > “Login”. > > While you were entering your email address and passphrase, the > login-hub.com page connected to the Telehash network and readied > itself to send a query. When you click “Login”, your email address > and passphrase are SHA-256′d and sent as a query to the Telehash > network. Your identity provider will receive the request and > respond to the query with an encrypted message that will then be > decrypted using your passphrase. The contents of that message will > tell the login hub where your identity provider is holding your > identity. The request for the email credential is then forwarded > to your identity provider. Note that at this point your identity > provider has no idea where the request for your email credential > is coming from because it is masked by the login hub website. This > masking process protects your privacy. > > Once the request for your email credential is received by your > identity provider, a response is packaged up and sent back to > login-hub.com, which then relays that information back to > credential.club. Once credential.club recieves your email > credential, it will log you into the website. Note at this point > that you didn’t have to enter a single password on the > credential.club website, all you needed was an email credential to > log in. Now that you have logged in, you can start issuing > additional credentials to yourself. > > Issuing Additional Credentials > > The previous section introduced the notion that you can issue many > different types of credentials. Once you have logged into the > credential.club website, you may now issue a few of these > credentials to yourself. Since this is a demonstration, no attempt > will be made to verify those credentials by a 3rd party. The > credentials that you can issue to yourself include a business > address, proof of age, payment processor, driver’s license, and > passport. You many specify any information that you’d like to > specify in the input fields to see how the credential would look > if it held real data. > > Once you have filled out the various fields, click the blue button > to issue the credential. The credential will be digitally signed > and sent to your identity provider, which will then show you the > credential that was issued to you. You have a choice to accept or > reject the credential. If you accept the credential, it is written > to your identity. > > You may repeat this process as many times as you would like. Note > that on the passport credential how there is an issued on date as > well as an expiration date to demonstrate that credentials can > have a time limit associated with them. > > Known Issues > > As mentioned throughout this post, this demonstration has a number > of shortcomings and areas that need improvement, among them are: > * Due to a lack of time, we didn’t setup our own HTTPS Telehash > seed. Since we didn’t setup the HTTPS Telehash seed, we > couldn’t run login-hub.com secured by TLS due to security > settings in most web browsers related to WebSocket > connections. Not using TLS results in a gigantic > man-in-the-middle attack possibility. A future version will, > of course, use both TLS and HSTS on the login-hub.com website. > * The Telehash query/response database isn’t decentralized yet. > There are a number of complexities associated with creating a > decentralized storage/query network, and we haven’t decided on > what the proper approach should be. There is no reason why the > decentralized database couldn’t be NameCoin or Ripple-based, > and it would probably be good if we had multiple backend > databases that supported the same query/response protocol. > * We don’t check digital signatures yet, but will soon. We were > focused on the flow of data first and ensuring security > parameters were correct second. Clearly, you would never want > to run such a system in production, but we will improve it > such that all digital signatures are verified. > * We do not use the public/private keypair generated in the > browser to limit the domain and validity length of credentials > yet. When the system is productionized, implementing this will > be a requirement and will protect you even if your credentials > are stolen through a phishing attack on login-hub.com. > * We expect there to be many more security vulnerabilities that > we haven’t detected yet. That said, we do believe that there > are no major design flaws in the system and are releasing the > proof-of-concept, along with [11]source code, to the general > public for feedback. > > Feedback and Future Work > > If you have any questions or concerns about this particular demo, > please leave them as comments on this blog post or send them as > comments to the [12]public-web-payments@w3.org mailing list. > > Just as you logged in to the credential.club website using your > email credential, you may also use other credentials such as your > driver’s license or passport to log in to websites. Future work on > this demo will add functionality to demonstrate the use of other > forms of credentials to perform logins while also addressing the > security issues outlined in the previous section. > > References > > 1. http://manu.sporny.org/2014/credential-based-login/ > 2. http://indiewebcamp.com/NASCAR_problem > 3. http://manu.sporny.org/2014/credential-based-login/ > 4. https://web-payments.org/ > 5. http://www.w3.org/Consortium/ > 6. https://identus.org/create > 7. https://www.youtube.com/watch?v=vioCbTo3C-4 > 8. http://telehash.org/ > 9. https://web-payments.org/specs/source/secure-messaging/ > 10. https://credential.club/ > 11. https://github.com/digitalbazaar/opencred-idp > 12. http://lists.w3.org/Archives/Public/public-webpayments/ > > -- manu > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: Identity Credentials and Web Login > http://manu.sporny.org/2014/identity-credentials/ > > > > >
Received on Tuesday, 10 June 2014 08:13:52 UTC