W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: UI for client cert selection (Was: Releasing RWW.IO)

From: Tim Holborn <timothy.holborn@gmail.com>
Date: Sun, 4 May 2014 14:29:06 +1000
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>
Message-Id: <9BBF0CAA-0FC5-4A1C-8F81-7FC75E8330AD@gmail.com>
To: Tim Berners-Lee <timbl@w3.org>

I’ve spent some time with anders last night (i’m in oz); showing Cimba, running on other services - i.e. TLS AUTH to RWW.io (not TLD/app host - i.e. Cimba[1] / Kima[2] (whatever, perhaps best described as rdflib[3]?), and am looking forward to understanding more of his considerations and possible alternatives (or additions) he seeks to introduce to the group/s for consideration.  IMHO, the tangential differences relating to decentralisation change paradigms in ways that are difficult to understand without looking at the stack, rather than a specified segment.  If the mission was simply to authenticate to a traditional web2 methodology - inc. client(browser session) / server (.TLD with Relational DB) then some considerations would become more difficult to understand.


Some questions I’ve had for a while (re: data layer, not auth. or privacy crypto specifically) is why the WebID-TLS seeks to ID a person (foaf:person / foaf:agent) - rather than a machine / local account (i.e.: WebID:thing< rel:foaf/me#>).  A possible alternative use-case could be that TLS defaults to issuing a client certificate that says something like - Timh’s desktop; which in-turn means if a friend wants to use their RWW Services temporarily on my machine - they can authenticate, link to that cert (perhaps i need to authorise that action, and give it a profile..).

I understand the end-result is to provide identity services to users (therein, FOAF records); however, IMHO, the WebID Enabled TLS Cert appears to identify the machine account / browser - not the person sitting in front of the machine at the time of use. re: POC work (proof of concept) i don’t think it matters, but as things progress having WoT (web of trust) ID’s for each entity (things / legal entities) would seemingly enhance accessibility…? 

I imagine, 

- I have a desktop machine, with one profile. 
- I install an RWW Cloud account on that machine, as administrator.
- In the SubjectAltName link - I embed ubiquitous.rww.io/profile/card#me and perhaps ubiquitous.rww.io/things/workstation#home or ubiquitous.rww.io/profile/card#homemachine or whatever alternative.

An alternative could be to define a WebID ontology...

WoT (or IoT) Related records might have server-side info; like 
- what Subnet the device lives on (if the machine is moved somewhere else - it might not have access anymore, without additional authentication..)
- a description of the capability / permissions of/with the device (can send anything you want from that HDD to your cloud account, or alternatively - it’s not allowed - not thinking rules, just the ability to create them.)
- a description of my relationship to the device (inc. preferences - similar to above.)

With regard to persona - the client-side cert for a person / persona (of a person) might be located on the cloud somewhere..  whether this is a public or an encrypted record is tangential, the fact would be that in accessing that record user-intervention is required and in some instances this may require multiple devices to interact in a specified way.   

I imagine the mechanism around this ‘agreement’ to be segmented from the user-device (i.e.: workstation).  (understanding, that some may choose to build their own environments internally: at home, on a NAS or ubuntu phone, etc.); and that agreements between entities can be transcribed to rdf, forging ACL’s around data-sharing, etc..

I can also imagine a UI creating authorisation procedures, in a recipe format: which could then be defined differently for different machines used by a particular individual or persona (work, family, accounting, etc.) of a persons life, in relation to machines they’re using.

WebID Ontology?
When this gets down to the WebID-TLS Spec[4] - it currently it defines FOAF specifically, which kinda excludes the concept of ‘thing’.  A possible alternative I’ve considered, is to create a WebID ontology, using w3id[5] perhaps…

When describing concepts relating to AUTH recently,  The use-case of traditional lock-keys (doors, vehicles, padlocks, etc.) seemed useful.  One of the characteristics of a keyring is not simply that someone needs to get them from you; but also, the possession of the key does not = knowledge of which key fits which lock.  That information is generally information stored in someones head.   if you loose your keyring at a pub, even if you put your phone number on it - someone still needs to ‘link’ the keyring, to the specified location of the lock, in-order to use it.  

I imagine that the future of AUTH will feature some of these concepts / considerations - including the use of multiple keys, rather than a specified master-key (understanding we also live in a world where if all else fails we can seek some help from a locksmith) let alone a master-key that’s provided on traditional web portal terms…  (i’m not entirely sure how far the privacy issue goes, but the email is long enough already. )


[1] https://github.com/social-webarch/cimba or live at http://cimba.co/
[2] https://github.com/rww-apps/kima/  or live at http://rww-apps.github.io/kima/
[3] https://github.com/linkeddata/rdflib.js
[4] http://www.w3.org/2005/Incubator/webid/spec/tls/
[5] https://w3id.org/

On 4 May 2014, at 4:51 am, Tim Berners-Lee <timbl@w3.org> wrote:

> On 2014-05 -03, at 10:45, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>> We can call it whatever we like, the user-experience offered by WebID as featured
>> on http://cimba.co web doesn't meet reasonable user expectations [..]
> So imagine the browser was going to be changed to make that better.
> People seem to widely agree that the client-side cert UI is bad on browsers
> Can we at least do a thought experiment to be in a world where it is fixed -- what would that look like?
> Maybe things like:-
> - Allowing the user to click a check box on "Always use this persona (client-side cert) with this web site (domain)"
> - Allowing a preferences access to manage the persona/website allocation matrix
> - Allow more screen space for selecting those certs
> - Allow a user to label, color, and suppress certs in the list
> - By default, not including expired certs in the list
> - Tracking which persona is in use on this website (only when a user has more than one) in the URL bar
> and so on.  Maybe is someone sketched the UI then a browser code could be persuaded to do it.
> It is necessary for existing client side cert sites anyway, and would maybe make the cimba.co experience 
> quite reasonable.
> timbl

Received on Sunday, 4 May 2014 04:30:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC