IETF Logo Mail Archive

Re: [saag] Liking Linkability

Henry Story <henry.story@bblfish.net> Mon, 22 October 2012 14:04 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0E3B21F869C for <saag@ietfa.amsl.com>; Mon, 22 Oct 2012 07:04:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.316
X-Spam-Level:
X-Spam-Status: No, score=-2.316 tagged_above=-999 required=5 tests=[AWL=-1.208, BAYES_00=-2.599, J_CHICKENPOX_25=0.6, J_CHICKENPOX_43=0.6, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p76JRqyy9V21 for <saag@ietfa.amsl.com>; Mon, 22 Oct 2012 07:04:28 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id C32DD21F84F3 for <saag@ietf.org>; Mon, 22 Oct 2012 07:04:23 -0700 (PDT)
Received: by mail-bk0-f44.google.com with SMTP id jc3so923126bkc.31 for <saag@ietf.org>; Mon, 22 Oct 2012 07:04:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:x-mailer:x-gm-message-state; bh=XprvKztg3gWYvhJBiITQPVnKYbM8l4c+zgKFUw8qkEk=; b=a4Z7IqGttvLoznGB/clw0+FmGRFGZYX0cKq5Rn4ly69UjhTs/jzngipYwC11wrD85s B1EbXydhz/yOj/Iq0Ewfnu/KYu5gnmoH2jeoi7NHH+iJHUHBm+3nMggouGTfXGVfZgC+ rFwhsFmDf9vpNKfL98tGxVzanpqOhmsWDzfoNO9zsHtZxFp2uGGV+wHm+s4RTQxf4loN EhwAFE0Zlo8DiGWZ2wiNZGcyR8p0QwDEQrZAUvZj7dR+BRO8vj5vdEhD2AAkuQLZz0GV 3qConD4cy4K1JDiVPyxEmiS33SgJ9aYgpLtEijFdzQIz1NFXUjfTCLmGnHslW4yls24K E8Dg==
Received: by 10.204.149.135 with SMTP id t7mr2637306bkv.103.1350914662268; Mon, 22 Oct 2012 07:04:22 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-132-122.w86-198.abo.wanadoo.fr. [86.198.99.122]) by mx.google.com with ESMTPS id v14sm3728400bkv.10.2012.10.22.07.04.19 (version=SSLv3 cipher=OTHER); Mon, 22 Oct 2012 07:04:20 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_64FCB0C6-821C-408F-B865-0CC321B98461"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <50853CD8.8020005@w3.org>
Date: Mon, 22 Oct 2012 16:04:17 +0200
Message-Id: <5FB468E4-BDD3-4635-ACD0-A23540C08751@bblfish.net>
References: <CCA5E789.2083A%Josh.Howlett@ja.net> <tslzk3jsjv8.fsf@mit.edu> <201210181904.PAA07773@Sparkle.Rodents-Montreal.ORG> <FB9E461D-CA62-4806-9599-054DF24C3FD9@bblfish.net> <CAG5KPzxGz+4MywjP4knfbDr2gyvqUZc1HEBXgtaDfYT+DPg5yg@mail.gmail.com> <8AB0C205-87AE-4F76-AA67-BC328E34AF5E@bblfish.net> <CABrd9SQghpi6_rVQKxYXZDtM5HwvE7Kq7SUw5zi41ZRd3y2h9A@mail.gmail.com> <4324B524-7140-49C0-8165-34830DD0F13B@bblfish.net> <CABrd9SQU1uYVaVPedokHxeYkT=759rkPFfimWK1Z8ATzo3yNFA@mail.gmail.com> <5083CCCF.2060407@webr3.org> <50842789.3080301@openlinksw.com> <50845268.4010509@webr3.org> <5084AC77.8030600@openlinksw.com> <50851512.9090803@webr3.org> <CABrd9SRNVLbWxifQAQ6iuX4qMeFmZVD6rO_q=L348G1UZzr9tg@mail.gmail.com> <50852726.9030102@openlinksw.com> <CABrd9SQ3KTqHq1hOfbLAU5hfgNyqCPK4u+ToEda+VtQ5S0utwA@mail.gmail.com> <5085360E.3080008@openlinksw.com> <50853CD8.8020005@w3.org>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQkaUH3xnLbX7uqTrn9boEe2dcBXTlVJvI2FRLn0F9jkL0/oYKPlvitlfWSDPP/W9vHpgb2A
Cc: public-identity@w3.org, saag@ietf.org, public-webid@w3.org, "public-privacy@w3.org list" <public-privacy@w3.org>
Subject: Re: [saag] Liking Linkability
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 14:04:29 -0000

On 22 Oct 2012, at 14:32, Harry Halpin <hhalpin@w3.org> wrote:

> On 10/22/2012 02:03 PM, Kingsley Idehen wrote:
>> On 10/22/12 7:26 AM, Ben Laurie wrote:
>>> On 22 October 2012 11:59, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>>> On 10/22/12 5:54 AM, Ben Laurie wrote:
>>>>> Where we came in was me pointing out that if you disconnect your
>>>>> identities by using multiple WebIDs, then you have a UI problem, and
>>>>> since then the aim seems to have been to persuade us that multiple
>>>>> WebIDs are not needed.
>>>> Multiple WebIDs (or any other cryptographically verifiable identifier) are a
>>>> must.
>>>> 
>>>> The issue of UI is inherently subjective. It can't be used to objectively
>>>> validate or invalidate Web-scale verifiable identifier systems such as
>>>> WebID or any other mechanism aimed at achieving the same goals.
>>> Ultimately what matters is: do users use it correctly? This can be tested :-)
>>> 
>>> Note that it is necessary to test the cases where the website is evil,
>>> too - something that's often conveniently missed out of user testing.
>>> For example, its pretty obvious that OpenID fails horribly in this
>>> case, so it tends not to get tested.
>> 
>> Okay.
>>> 
>>>> Anyway, Henry, I,  and a few others from the WebID IG (hopefully) are going
>>>> to knock up some demonstrations to show how this perceived UI/UX
>>>> inconvenience can be addressed.
>>> Cool.
>> 
>> Okay, ball is in our court to now present a few implementations that address the UI/UX concerns.
>> 
>> Quite relieved to have finally reached this point :-)
> 
> No, its not a UI/UX concern, although the UI experience of both identity on the Web and with WebID in particular is quite terrible, I agree.

It completely depends on the browsers: 
http://www.w3.org/wiki/Foaf%2Bssl/Clients/CertSelection
If you are on Linux just file a bug request to your browser if you are unhappy, or even better hack up a good UI. It's easy: just make it simpler.

> 
> My earlier concern was an information flow concern that causes the issue with linkability, which WebID shares to a large extent with other server-side information-flow.

Including BrowserId. Which has 2 tokens that can be used to identify the user across sites:

  - an e-mail address ( useful for spamming )
  - a public key, which can be used to authenticate across sites


> As stated earlier, as long as you trust the browser, BrowserID does ameliorate this.

No it does not improve linkability at all. Certainly not if you think the site you are authenticating to is the one you should be worried about, because just using a public key
by itself is enough for Linkability in the strict (paranoid) sense. That is if you 
consider the site you are logging into to as the attacker, then by giving two sites
a public key where you have proven you control the private key is enough for them to know that
the same agent visited both sites. That is because the cert:key relation is inverse functional.

So in simple logical terms if you go to site1.org and identify with a public key pk,
and they create a local identifier for you <http://site1.org/u123>, and then you go site s2.net and identify with the same public key pk  and they give you an identifier <http://s2.net/lsdfs> 
(these need not be public) and then they exchange their information, then each of the sites would have the following relations ( written in http://www.w3.org/TR/Turtle )

 @prefix cert: <http://www.w3.org/ns/auth/cert#>

 <http://site1.org/u123> cert:key pk .
 <http://s2.net/lsdfs>   cert:key pk .

because cert:key is defined as an InverseFunctionalProperty 
( as you can see by going http://www.w3.org/ns/auth/cert#key )

Then it follows from simple owl reasoning that

  <http://site1.org/u123> == <http://s2.net/lsdfs> .

One cannot get much simpler logical reasoning that this, Harry.


> There is also this rather odd conflation of "linkability" of URIs with hypertext and URI-enabled Semantic Web data" and linkability as a privacy concern.

I am not conflating these.

My point from the beginning is that Linkability is both a good thing and a bad thing. 

As a defender of BrowserId you cannot consistently attack WebID for linkability concerns and find BrowserId not to have that same problem. So I hate to reveal this truth to you: but we have to fight this battle together.

And the battle is simple: the linkability issue is only an issue if you think the site you
are authenticating to is the enemy. If you believe that you are in relation with a site that
is under a legal and moral duty to be respectful of the communication you are having with it,
then you will find that the linkability of information with that site and across sites is exactly what you want in order to reduce privacy issues that arise out of centralised systems.

> 
> I do think many people agree stronger cryptographic credentials for authentication are a good thing, and BrowserID is based on this and OpenID Connect has (albeit not often used) options in this space.  I would again, please suggest that the WebID community take on board comments in a polite manner and not cc mailing lists.

All my communications have been polite, and I don't know why you select out the WebID community.
As for taking on board comments, why, just the previous e-mail you responded to was a demonstration that we are: CN=WebID,O=∅



>> 
>> 
>> 
> 

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email