foaf+ssl was: XAuth critiques

Story Henry henry.story at bblfish.net
Tue Jun 8 17:47:03 UTC 2010


On 8 Jun 2010, at 19:18, Peter Watkins wrote:

> On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
>> On 8 June 2010 17:39, Story Henry <henry.story at bblfish.net> wrote:
> 
>>> Why should browser manufacturers bother to install this in the browser and
>>> maintain it, when they already have an excellent identification protocol
>>> built into https?
>>> 
>>> The fact that this group wishes to ignore the existence of SSL does not
>>> make it not be there.
>>> 
>>> Just check out the video of it on http://webid.myxwiki.org/
>>> to see it working!
> 
>> I would really like to see better support for client certificates in
>> browsers so that this became less clunky around the certificate management
>> aspects...
> 
> Yes, Henry's demo looks messy to me, and helps illustrate the primary problem 
> of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's
> demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box
> suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on
> the same computer, Henry tries Chromium, which has a clean interface suggesting
> (only!) client cert "Henry Story". You don't even have good UX on the same 
> machine. Let's say Michal Zalewski scares you away from using Firefox for a 
> few days -- you have to manually export "firefox hjs3" and then manually 
> import it into Chromium? Even on the same computer?

I need to improve the video then clearly, because you seem to have missed the point here.

You DON'T need to export the certificate! You just create a new one: it's a one click procedure!

In fact in the video I show how one can make a new certificate for Firefox, Opera and Chromium all with the same WebId. The procedure is simple.

1. Go to your profile page with the new browser
2. Log in
3. Click button

(so you do need a username/password for one site! But that is all.)

Done.
I don't think it can be simpler.

(well it can be, using USB crypto keys, in which case you just use one key.)

> 
> What happens when you buy a new PC or some relatively locked-down web tablet?

You do those three steps above.  See the video. http://webid.myxwiki.org/


> 
> I for one am not ignoring SSL/TLS, I just don't think it's ever been a viable
> solution for general use because it doesn't roam well -- and I first looked
> at client cert auth many years ago.

Many years ago people were not thinking of foaf+ssl. It solves the major problem
of client certs, principally that they tied the user to one service, or required Certificate Authorities. All their problems follow from that. 

So you may have looked at SSL/TLS, but not the right way. That happens from
time to time. People lived on earth for millions of years before some people
discovered it was round. And yet if you look, it still looks flat.

So I should rephrase my point above: I am sure a lot of very knowledgeable people here
looked at SSL/TLS. It became conventional wisdom that certain things cannot be done with it. Those were written in textbooks probably, because I always get the same arguments.

But those textbooks were mistaken! 

What is required is a conceptual shift. What happened is that I went off and looked at the basic principles of the semantic web, and so of the web. Because I had little knowledge of security, and I have a philosophical mind, and time, and am on the whole quite stubborn, I asked some basic questions, which more experienced people did not. Then we discovered a new way of thinking of SSL/TLS.

> 
> I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide
> how an OpenID user authenticates, and Verisign PIP already supports using 
> client certificates as an authentication factor.
>  https://pip.verisignlabs.com/learnmore.do

Indeed, but they use SSL/TLS in the standard way. 
We turn SSL/TLS on its head, and it simplifies a lot. For one, it removes the need for
OpenId, which is still useful though as a transition protocol.

> 
> Finally, even if you don't care about the roaming issue

I do.

> or the requirement
> that the RP use https,

Does not need to, it can use an external service, in which case it starts to gain some of the disadvantages of OpenId. We have such a service https://foafssl.org/

> I don't understand how FOAF+SSL at all addresses the 
> UI problems that XAuth tackles (client service discovery & NASCAR interfaces).

Thanks for pointing those out to me:

 - NASCAR problem http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/

 Too many login buttons. I think we could have one login link that if you don't have a
cert proposes you all the other options. But I'll add that to my todo list.

 - Sorry, I am a bit new to this terminology. Can you point me to the "client service discovery" problem? I googled it just now and found no answers.

  Thanks for the feedback,

	Henry Story



> 
> -Peter
> 
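What "turning SSL/TLS on its head" amounts to for the relying party, as an added example that is not part of this message and not code from the WebID/foaf+ssl project: after the TLS handshake has proved the client holds the private key for its self-signed certificate, the server does not look for a CA signature; it dereferences the WebID URI carried in the certificate's subjectAltName and accepts the claim only if that profile document publishes the same public key. The example.org URIs, the certificate objects, the profile documents and the `profiles` dictionary (a stand-in for fetching the profile over HTTPS) are all constructed here; the profile syntax is a simplified Turtle-like stand-in for the `cert:` vocabulary, not a full RDF parser. `publish_key` models the "click button" step from the message: adding a second browser's key to the same profile lets that browser log in with the same WebID without exporting anything.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a parsed self-signed client certificate.  The TLS
# handshake is assumed to have already proved possession of the private key;
# the relying party never needs a CA signature on this certificate.
@dataclass(frozen=True)
class ClientCert:
    san_uris: tuple   # subjectAltName URI entries, i.e. the claimed WebIDs
    modulus: int      # RSA public key found in the certificate
    exponent: int

HENRY = "https://example.org/henry#me"       # hypothetical WebID
HENRY_DOC = "https://example.org/henry"      # document the WebID points into
ALICE = "https://example.org/alice#me"
ALICE_DOC = "https://example.org/alice"

# Constructed profile documents, in a simplified Turtle-like shape using the cert: vocabulary.
PROFILES = {
    HENRY_DOC: f'<{HENRY}> cert:key [ cert:modulus "c0ffee01"^^xsd:hexBinary ; cert:exponent 65537 ] .\n',
    ALICE_DOC: f'<{ALICE}> cert:key [ cert:modulus "0a0b0c0d"^^xsd:hexBinary ; cert:exponent 65537 ] .\n',
}

KEY_RE = re.compile(r"<(?P<subject>[^>]+)>\s+cert:key\s+\[(?P<body>.*?)\]", re.S)
MOD_RE = re.compile(r'cert:modulus\s+"([0-9a-fA-F]+)"')
EXP_RE = re.compile(r"cert:exponent\s+(\d+)")

def published_keys(profile, webid):
    """Return the (modulus, exponent) pairs the profile asserts for exactly this WebID."""
    keys = set()
    for block in KEY_RE.finditer(profile):
        if block.group("subject") != webid:
            continue   # a key listed for some other subject proves nothing about this one
        mod = MOD_RE.search(block.group("body"))
        exp = EXP_RE.search(block.group("body"))
        if mod and exp:
            keys.add((int(mod.group(1), 16), int(exp.group(1))))
    return keys

def verify_webid(cert, profiles):
    """Return the first claimed WebID whose profile publishes the certificate's key, else None.

    `profiles` stands in for dereferencing the WebID over HTTPS (fragment stripped).
    """
    for webid in cert.san_uris:
        doc = profiles.get(webid.split("#", 1)[0])
        if doc is None:
            continue   # unreachable profile: the claim cannot be confirmed
        if (cert.modulus, cert.exponent) in published_keys(doc, webid):
            return webid
    return None

def publish_key(profile, webid, modulus, exponent):
    """The 'click button' step: the profile owner adds the key of a freshly created
    browser certificate, so the new browser logs in with the same WebID."""
    return profile + (f'<{webid}> cert:key [ cert:modulus "{modulus:x}"^^xsd:hexBinary ; '
                      f'cert:exponent {exponent} ] .\n')

# Constructed certificates.
HENRY_FIREFOX = ClientCert((HENRY,), 0xC0FFEE01, 65537)    # key already in the profile
HENRY_CHROMIUM = ClientCert((HENRY,), 0xDECAF002, 65537)   # new browser, new self-signed key
FORGED = ClientCert((HENRY,), 0xBAD00BAD, 65537)           # claims Henry's WebID with a key he never published
MISATTRIBUTED = ClientCert((ALICE,), 0xC0FFEE01, 65537)    # Henry's key claiming Alice's WebID

if __name__ == "__main__":
    print(verify_webid(HENRY_FIREFOX, PROFILES))   # https://example.org/henry#me
    print(verify_webid(FORGED, PROFILES))          # None
    print(verify_webid(HENRY_CHROMIUM, PROFILES))  # None: key not published yet
    updated = dict(PROFILES)
    updated[HENRY_DOC] = publish_key(PROFILES[HENRY_DOC], HENRY,
                                     HENRY_CHROMIUM.modulus, HENRY_CHROMIUM.exponent)
    print(verify_webid(HENRY_CHROMIUM, updated))   # https://example.org/henry#me
```

The trust anchor here is the profile document rather than a CA, which is why the relying party must compare the key against entries asserted for exactly the claimed WebID: a key published for a different subject in the same document, or a profile that cannot be fetched, leaves the claim unconfirmed.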


