ISSUE-14: WebID and Browsers

bblfish

WebID and Browsers

State:
CLOSED
Product:
User Interface/Browsers
Raised by:
Henry Story
Opened on:
2011-01-31
Description:
SSLv3/TLS have been in available in browsers for over 13 years. But client certificates without WebID only make sense for very large organisations with very strong security requirements. As such browsers have not put as much energy into User Interface issues that a large consumer public requires as they could. There is perhaps not that much to do - fixing a few bugs, a few clever improvements - but these could help make a big difference to adoption once it has broken through the initial adoption phase.

The group should put together some report on the state of the situation there. Perhaps opening a wiki page on the WebID wiki would be a good start.

The ESW Wiki has a section on Clients
http://esw.w3.org/Foaf%2Bssl/Clients

As a follow up to a longer article on identity in the browser
http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

I posted ideas in the guise of a bug report in Issue 29784 on Google Chromium
http://code.google.com/p/chromium/issues/detail?id=29784

A major benefit of client certs will of course be especially valuable on cell phones, or any device where typing is difficult. The iPhone experiment a few years ago was an eye opener. It helped make WebID self explanatory in 1 minute. http://blogs.sun.com/bblfish/entry/one_click_global_sign_on
Sadly the iPhone OS then broke SSL client certs, and this stopped functioning.
Related Actions Items:
No related actions
Related emails:
  1. closed 9 issues (from henry.story@bblfish.net on 2011-11-25)
  2. RE: Web Tracking and User Privacy: The Next Steps. (from home_pw@msn.com on 2011-03-10)
  3. Re: Web Tracking and User Privacy: The Next Steps. (from henry.story@bblfish.net on 2011-03-10)
  4. RE: issue of initiating client auth for parallel SSL sessionids (from home_pw@msn.com on 2011-02-28)
  5. RE: issue of initiating client auth for parallel SSL sessionids (from ryan-webid@sleevi.com on 2011-02-27)
  6. Re: minutes of todays teleconf (from henry.story@bblfish.net on 2011-02-22)
  7. RE: Anonymity in the browser - was: nasty nasty bug in chrome (from home_pw@msn.com on 2011-02-12)
  8. RE: browser change; little, nothing or a lot? (from home_pw@msn.com on 2011-02-12)
  9. Anonymity in the browser - was: nasty nasty bug in chrome (from henry.story@bblfish.net on 2011-02-12)
  10. Re: browser change; little, nothing or a lot? (from henry.story@bblfish.net on 2011-02-12)
  11. Re: [foaf-protocols] privacy considerations: can a nosy https: site probe user identity without explicit permission? (from corani@gmail.com on 2011-02-11)
  12. Re: privacy considerations: can a nosy https: site probe user identity without explicit permission? (from henry.story@bblfish.net on 2011-02-11)
  13. privacy considerations: can a nosy https: site probe user identity without explicit permission? (from henry.story@bblfish.net on 2011-02-11)
  14. Re: nasty nasty bug in chrome (from henry.story@bblfish.net on 2011-02-09)
  15. Re: Account Management in Firefox 5 (from henry.story@bblfish.net on 2011-02-08)
  16. Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from henry.story@bblfish.net on 2011-02-02)
  17. Re: WebID and browsers (from henry.story@bblfish.net on 2011-01-31)
  18. WebID-ISSUE-14 (bblfish): WebID and Browsers [use cases] (from sysbot+tracker@w3.org on 2011-01-31)

Related notes:

The "Web Security Context: User Interface Guidelines" [1] recommendation makes a good case as to why security chrome has to be very much controlled by the browser, as it is otherwise too easy to set up phishing attacks.

If a browser can connect using a certificate to the webid published in the certificate, and if this publishes the same public key as is in the certificate then the browser can use the information from that profile page to improve the selection mechanism for that certificate by using info at the SAN and at the IAN. This controlled method of allowing certificate selection mechanisms to be site controlled would allow flexibility without compromising security.



[1] http://www.w3.org/TR/wsc-ui/#keepchromevisible-goodpractice

Henry Story, 8 Feb 2011, 16:31:20

The WebID XG wrote up a paper for the Identity in the Browser conference that brought together most of what we could think of. It is here:

http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_22/webid.html
We should perhaps add to that the possibility of javascript logout that works in Firefox and (IE?) and that the cryptography api group has decided to take that on.

Henry Story, 25 Nov 2011, 13:25:18

Display change log ATOM feed


Henry Story <Henry.Story@bblfish.net>, Chair, Dominique Hazaƫl-Massieux <dom@w3.org>, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 14.html,v 1.1 2019/12/03 13:24:53 carcone Exp $