Re: Logging out from Facebook

On 30 Sep 2011, at 10:48, Paul Libbrecht wrote:

> Le 30 sept. 2011 à 10:14, Henry Story a écrit :
>>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>>> - go back to the site's home (the user can always go back if he wishes)
>>> - remove cookies for that domain and any transcluded resources' domains
>>> - remove local storage for the same (JS, flash, ....)
>>> - remove stored etags
>>> - remove or at least slightly modify cached entities last-modification dates
>>> - close all connections
>> You forgot: do not send that host your client certificates anymore.  (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)
> I personally find this so special that I do not think it is worth mentionning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host... 

Our work at the WebID XG ( ) shows that this is not the case. There is a short video on that page that shows the following:
 - creating a certificate is easy - it can be as easy as clicking one button: "install certificate"  when going to a web site
 - a certificate can be used across sites:  WebID is enabling the creation a distributed secure social web 

So given that, I could use one certificate when connecting to any number of sites - say all my friends sites - avoiding me the trouble of creating a user name and profile at each of one those places, and allowing those sites to tie into my profile on say my FreedomBox [1], where I can use access control to allow them more or less access to my information.

In that scenario client side certificate will suddenly become immensely useful, and I would certainly like it to be easy to logout of client side SSL too.

But even if you don't buy into the social web vision, it is still a problem that a site could easily get me to use a client side certificate to log in, and that later it could find it impossible to stop my browser from sending it. That's a problem for the site as well as for the user. It is easy to solve,  as the prototype by Aza Raskin showed a few years ago. As it happens that solution also solves the cookie issue, which is not surprising: we are dealing with the same problem: user control of his persona.


> My guts feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).
> paul


Social Web Architect

Received on Friday, 30 September 2011 09:08:30 UTC