- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 20 May 2014 18:28:51 +0200
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- CC: "public-webid@w3.org" <public-webid@w3.org>
On 2014-05-20 10:35, henry.story@bblfish.net wrote:
<snip>
>>> How would this OID be used in a request from the server to the client? Does that require a change
>>> in the TLS protocol? Do you think we could get by with the above mentioned proposal?
>>
>> I believe that changing the TLS protocol is pretty unrealistic given
>> 1) the time needed to roll out new TLS versions
>> 2) the limited use of HTTPS Client Certificate Authentication through browsers
>> 3) that it would also require changes in browsers and in things like the Servlet API
>> 4) the quirky session workarounds which also are needed
>>
>> There are AFAICT three possible alternatives:
>> - Continue with the "bag of tricks" to make HTTPS CCA sort of usable
>>
>> - Design a WebID-U2F. I don't see how that's possible but
>> other people claim that it is easy
>>
>> - Create a brand new X.509 authentication solution that covers a
>> wide range of applications including on-line banking which would
>> work on the application-level rather than on the transport ditto
>> (leaving TLS unchanged)
>>
>> Personally I continue with the latter since almost all big users of
>> consumer-PKI have created their own PKI client and that's IMO not
>> very good for anybody.
>
> Anders your reasons against changing the TLS protocol are exactly the reasons
> against inventing a new protocol.

Since there are probably FOUR MAGNITUDES more people *already using* variants of what I'm proposing compared to WebID-TLS, it is proven beyond doubt that it is doable.

That this bunch of providers have invested >100 MEUR in proprietary client-solutions (and continue spending) is because neither Microsoft nor W3C has ever bothered asking them what they actually need.

> So it follows that the best choice is to
> design around TLS as it is, in order to prove the use of LinkedData with
> Authentication, which is what we are really interested in here.

Personally, I'm targeting *all* users of X.509 client-certificates in browsers, including those who only want to replace OTP tokens and userid/passwords.

Anders
Received on Tuesday, 20 May 2014 16:29:22 UTC