Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

Henry Story <henry.story@bblfish.net> Tue, 25 September 2012 16:32 UTC

From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
Date: Tue, 25 Sep 2012 18:32:33 +0200
Message-Id: <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net>
To: Ben Laurie <benl@google.com>
Cc: dane@ietf.org

On 25 Sep 2012, at 18:12, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:
>> 
>>> On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>>>> 
>>>> On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
>>>> 
>>>>> Henry,
>>>>> 
>>>>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
>>>>>> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.
>>>>> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
>>>>> you would see that TLS is cited 5 times, so your supposition above is wrong with regard to
>>>>> its first assertion.
>>>> 
>>>> Thanks. But not MIME - So the point holds well enough :-)
>>>> 
>>>> Anyway, the webid spec
>>>> 
>>>>   http://www.w3.org/2005/Incubator/webid/spec/
>>>> 
>>>> also is very clearly tied to TLS, and would benefit a lot from DANE being deployed. So my interest in DANE is not a side issue. The strongest pushback against WebID ( and so using client certificates ) is the cost of server certificates for most players.
>>> 
>>> You mean people who aren't using HTTPS to secure logins care about WebID?
>> 
>> People who are not using HTTPS to secure logins won't have very secure logins (even passwords require protection). I am speaking about pushback from people who are serious about security (not counting the TOR type super security folks - but I will show that WebID works there too).
>> 
>>> 
>>>> ( the next strongest is the inability to logout from all but Firefox browsers )
>>> 
>>> Am I really the only one who cares about usability?
>> 
>> Firefox usability (of client certs) sucks. All the others are pretty good, and could easily be made better by a little work from the browser vendors. I demonstrate that very clearly in the video on http://webid.info/ . Now why browser vendors like Firefox don't do the few weeks work to get usability working is beyond me. I think it is partly because they don't understand how usable they could make client certificates with WebID.
> 
> Sigh. Why do I have to go over this every time?

I really don't know. I keep answering your questions precisely. Perhaps you are asking them rhetorically to help me explain the difficult bits to new audiences? :-)

> Usability in the
> browser is only part of the problem, the rest are things like moving
> between machines, dealing with revocation, migrating existing accounts
> and so on.


But that is exactly what WebID makes simple:
  - moving between machines:
      + create different certificates on each machine (use one-time passwords to log in if you want high security)
        here is a video that shows this: http://www.youtube.com/watch?v=S4dlMTZhUDc
      + use crypto keys if you wanted to be seriously secure
  - dealing with revocation is easy: remove the public key from the WebID profile
    you can see how easy it is to do this on this live server https://my-profile.eu/
    (that's a one click event)
  - migrating existing accounts: you have HTTP redirects for that

I think the reason people never consider 1. is that they keep thinking of certificates as things you use to log into only one web site. So of course if that is what it were for, then having a certificate to login AND a password would be weird. But our position is the opposite: the purpose of a certificate is to login to any web site you wish to - usually not your home server.

Ok, so now someone is going to barge in and say this is off topic, probably just in time to avoid you having to answer the above points :-)
   But I hope those who are open to new ideas will see that there is something odd in how there is a simple working solution to a serious problem that is making the headlines every week, and how slow it is to get these ideas to move along - even amongst IETF members who have everything to gain from this working out.

   Henry

Social Web Architect
http://bblfish.net/
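The per-machine certificates and profile-edit revocation described in the message above, as an added example that is not code from the WebID spec, the thread, or any listed project: a minimal relying-party check in Go, assuming an in-memory map in place of a fetched WebID profile document and a constructed WebID URI.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// Profile maps a WebID to the public keys its profile document publishes (constructed in memory here).
type Profile map[string][]*rsa.PublicKey

// NewUserKey generates the per-machine key a WebID user would create.
func NewUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SelfSignedWebIDCert issues a self-signed client cert with the WebID as a SAN URI (illustrative).
func SelfSignedWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID accepts a cert only if a SAN URI names a profile that still lists its public key;
// deleting the key from the profile (the revocation step above) therefore ends access.
func VerifyWebID(cert *x509.Certificate, profiles Profile) (webid string, ok bool) {
	for _, u := range cert.URIs {
		for _, k := range profiles[u.String()] {
			if k.Equal(cert.PublicKey) { // RSA modulus and exponent must both match
				return u.String(), true
			}
		}
	}
	return "", false
}
```

The check deliberately ignores who signed the certificate: trust comes from the profile listing the key, so a self-signed per-machine certificate is exactly what the scheme expects.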