- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sun, 17 Jul 2011 00:19:51 +0100
- To: public-xg-webid@w3.org
On 7/16/11 10:20 PM, Ben Adida wrote:
> On 7/16/11 9:17 AM, Kingsley Idehen wrote:
>> User logs into IdP provided data space and deletes their problematic
>> public keys.
>
> That makes me nervous. You're asking a lot of users.

No, I am delivering what users actually seek. I am a little more confident about "users". I don't consider them dumb or incapable, I simply consider them to be very pragmatic. Their interests are aligned to problem scenarios.

If someone steals my PC, Notebook, Tablet, or Smartphone, I want to be able to log into the data space provided by my IdP to delete all public keys associated with the private keys on the stolen devices. They can do that today with our product. It's a click-only affair: basically select all keys and delete. Then regenerate new Certificates for use with my new devices. Very, very simple user interaction.

> The most a user tends to do (if you're lucky) is change one or two
> important passwords.

Passwords are broken; users are forced to live with them.

>> What happens when someone steals a PC/Laptop/Tablet with the private key
>> associated with the public key in a BrowserID scenario? The statement
>> above tells you what can happen re. WebID.
>
> I don't think so. From what I understand WebID uses long-lived keypairs.

It doesn't; that's fully under IdP control. I can generate all kinds of keys.

> BrowserID uses short-lived keypairs that expire in a matter of hours
> (we're thinking at most a day).

One size doesn't fit all.

> Our goal is to not have to deal with revocation, which is incredibly
> problematic.

It isn't. It's the UIs that have been problematic. Ditto the CA network.

>> Re. BrowserID is the mailto: URI to public key relation 1:1 or 1:N ?
>> This too has implications.
>
> 1:N. Each device generates its own keys. But they expire quickly.
>
>>> Can you trigger cert re-generation automatically and silently? I don't
>>> think so.
>>
>> Of course!
>
> Are you sure that's true? I'm pretty sure that keygen in the browser
> requires user interaction.

Yes, I have ODS, a DBMS-hosted platform that can achieve this in a variety of ways :-)

> -Ben

--

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
Received on Saturday, 16 July 2011 23:20:16 UTC