- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Tue, 10 Jun 2014 08:00:51 -0400
- To: public-webpayments@w3.org
- Message-ID: <5396F373.5040602@openlinksw.com>
On 6/10/14 12:25 AM, Manu Sporny wrote:
> TL;DR: There is now an open source demo of credential-based login
> for the Web. We think it's better than Persona, WebID+TLS, and
> OpenID Connect. If we can build enough support for Identity
> Credentials over the next year, we'd like to standardize it via
> the W3C.
>
> This is a text-only version of the original blog post, which can be
> found here:
>
> http://manu.sporny.org/2014/identity-credentials/
>
> Identity Credentials and Web Login
>
> In a [1]previous blog post, I outlined the need for a better login
> solution for the Web and why Mozilla Persona, WebID+TLS, and
> OpenID Connect currently don't address important use cases that
> we're considering in the Web Payments Community Group. The blog
> post contained a proposal for a new login mechanism for the Web
> that was simultaneously more decentralized, more extensible,
> enabled a level playing field, and was more privacy-aware than the
> previously mentioned solutions.

Manu,

I've provided a comment on your blog post. At the same time, my history with Wordpress blogs is that comments are 100% guaranteed to make it to the public, for a variety of reasons. Anyway, since I want to express my opinions on this matter in public, here's a copy of what I pasted to your blog, in regards to your assertions about WebID-TLS:

The World Wide Web is inherently architected to accommodate multiple ways of providing services driven by Linked Open Data (i.e., open standards based structured data) and HTTP URIs. I don't believe in OpenID vs Persona vs WebID-TLS vs OAuth etc. These authentication protocols can co-exist.

In regards to WebID-TLS, you make the following assertion that I disagree with:

"WebID+TLS also depends on the use of client-side certificates that are managed by the browser, which are difficult to use for most non-technologists."
Issues with your assertions:

[1] They are too generic -- dependency on Client Certificate Authentication (CCA) isn't a bad thing, bearing in mind only a minority of browsers (circa 2014) have this problem.

[2] Too subjective -- "difficult to use for most non-technologists" isn't a defensible position.

The Client Certificate Authentication (CCA) Problem Status:

As of the time of writing this reply, the only browsers with this problem, i.e., an inability to disconnect and start new TLS sessions, are as follows: Chrome and Opera. The aforementioned problem is no longer an issue across Firefox, Safari, and IE. I can prove this with a simple WebID-TLS authentication service [1]. I don't see how Opera and Chrome can continue to be deficient re. CCA bearing in mind the current state of implementations from IE, Safari, and Firefox. Thus, I wouldn't count on a fixable problem on the part of browser vendors as the basis for undermining a truly open solution for Identity Claims authentication such as WebID-TLS.

End-users do not need programmers thinking or speaking for them. That's broken. What end-users need is the ability to control their identity and privacy online via solutions that leverage Web & Internet architecture such that the following are loosely coupled (no 3rd party .com, .org, .cc etc. in the way):

1. Identity -- perceived entity (actually nebulous, since none of us can accurately claim full perception of the aspects of any entity)
2. Identifiers -- HTTP URIs that denote Agents (no different to the role of a Passport Number, SSN, Credit Card Number etc.)
3. Identity Claims Documents -- Identity Cards or Profile Documents or Certificates (basically what your Passport, Driver's License, Credit Card, Club Membership Card etc. provide)
4. Identity Claims Authentication Protocols -- a variety of protocols that verify claims made in Identity Claims Documents
5. Protected Resource Access Authorization -- how verified Identities are tested against ACLs (Access Control Lists) or Data Access Policies (this may be Role Based [RBAC] or Attribute Based [ABAC]).

Links:

[1] http://id.myopenlink.net/ods/webid_demo.html -- WebID-TLS demo that proves TLS session login and logout can occur without restarting Safari (this is based on a timeout), Firefox (this uses crypto.logout), and IE (this uses the "new session" feature under the standard menu)
[2] http://csrc.nist.gov/groups/SNS/rbac/ -- Role Based Access Control (RBAC)
[3] http://csrc.nist.gov/projects/abac/ -- Attribute Based Access Control (ABAC).

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 10 June 2014 12:01:18 UTC
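Editor's note: the message above lists "Identity Claims Authentication Protocols" (item 4) and "Protected Resource Access Authorization" (item 5) as separate, loosely coupled layers, with WebID-TLS as the example of item 4. The following is an added example written for this page, not code from the message, the demo it links, or OpenLink Software, showing the core of a WebID-TLS relying-party check followed by an RBAC decision on the verified WebID. It assumes the TLS layer has already handed over the client certificate's subjectAltName URIs and RSA public key as (modulus, exponent) integers, that profile documents are fetched by dereferencing the WebID minus its fragment, and it parses the profile with a deliberately narrow regex instead of a real RDF parser. The profile text, URIs and ACL table are constructed for the example.

```python
"""Minimal WebID-TLS key match plus an RBAC check (added example; assumptions noted)."""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed WebID profile, in the cert:key / cert:modulus / cert:exponent
# shape that WebID-TLS profiles use. The modulus is a toy value, not a real key.
ALICE_WEBID = "https://alice.example/profile#me"
CONSTRUCTED_PROFILES: Dict[str, str] = {
    "https://alice.example/profile": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://alice.example/profile#me>
    cert:key [
        cert:modulus "00C0FFEE0BADF00D"^^xsd:hexBinary ;
        cert:exponent 65537
    ] .
<https://alice.example/profile#bob>
    cert:key [ cert:modulus "DEADBEEF"^^xsd:hexBinary ; cert:exponent 3 ] .
""",
}


def fetch_profile(webid: str) -> Optional[str]:
    """Stand-in for an HTTP GET of the profile document (fragment stripped)."""
    return CONSTRUCTED_PROFILES.get(webid.split("#", 1)[0])


def profile_keys(ttl: str, webid: str) -> List[Tuple[int, int]]:
    """Return (modulus, exponent) pairs attached via cert:key to this WebID only.

    Narrow regex parsing (assumption): a real verifier should use an RDF parser.
    The hex modulus is compared as an integer so that leading zeros, case and
    whitespace in the profile do not cause spurious mismatches.
    """
    block_re = re.compile(rf"<{re.escape(webid)}>\s+cert:key\s*\[(.*?)\]", re.S)
    key_re = re.compile(
        r'cert:modulus\s+"([0-9A-Fa-f\s]+)"\^\^xsd:hexBinary\s*;\s*'
        r'cert:exponent\s+"?(\d+)"?', re.S)
    keys = []
    for block in block_re.findall(ttl):
        for mod_hex, exp in key_re.findall(block):
            keys.append((int(re.sub(r"\s", "", mod_hex), 16), int(exp)))
    return keys


def verify_webid(san_uris: List[str], cert_modulus: int, cert_exponent: int,
                 fetch: Callable[[str], Optional[str]] = fetch_profile) -> Optional[str]:
    """Return the first SAN URI whose own profile lists the certificate's key.

    A certificate may carry several WebIDs; each is checked in turn. An
    unreachable profile, or one that lists a different key, does not authenticate.
    """
    for uri in san_uris:
        ttl = fetch(uri)
        if ttl is None:
            continue
        if (cert_modulus, cert_exponent) in profile_keys(ttl, uri):
            return uri
    return None


# Item 5 of the list: the verified WebID is an input to an independent
# authorization step. Constructed RBAC data: WebID -> roles, resource -> mode -> roles.
ROLES: Dict[str, Set[str]] = {ALICE_WEBID: {"editor"}}
ACL: Dict[str, Dict[str, Set[str]]] = {
    "/docs/": {"read": {"viewer", "editor"}, "write": {"editor"}},
}


def authorize(webid: Optional[str], resource: str, mode: str) -> bool:
    """Role-based decision: deny unauthenticated agents and unknown resources/modes."""
    if webid is None:
        return False
    allowed = ACL.get(resource, {}).get(mode, set())
    return bool(ROLES.get(webid, set()) & allowed)


def login_and_authorize(san_uris: List[str], modulus: int, exponent: int,
                        resource: str, mode: str) -> Tuple[Optional[str], bool]:
    """Run the two layers together and return (verified WebID, decision)."""
    webid = verify_webid(san_uris, modulus, exponent)
    return webid, authorize(webid, resource, mode)


if __name__ == "__main__":
    print(login_and_authorize([ALICE_WEBID], 0xC0FFEE0BADF00D, 65537, "/docs/", "write"))
```

The two functions are independent on purpose: `verify_webid` only answers "does this certificate's key appear in the profile that this URI denotes", and `authorize` only answers "may this agent perform this mode on this resource". Swapping WebID-TLS for another claims-verification protocol leaves the ACL step untouched, which is the loose coupling the message argues for.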