Re: [TLS] HTTPS client-certificate-authentication in browsers

Henry Story <henry.story@bblfish.net> Wed, 27 July 2011 07:46 UTC

From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <E1Qlwl1-0003tZ-Bf@login01.fos.auckland.ac.nz>
Date: Wed, 27 Jul 2011 09:46:38 +0200
Message-Id: <0ACE11A7-2DF7-4658-8E4D-79E25DBDBFDA@bblfish.net>
References: <E1Qlwl1-0003tZ-Bf@login01.fos.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, tls@ietf.org
Cc: WebID XG <public-xg-webid@w3.org>
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers

On 27 Jul 2011, at 07:34, Peter Gutmann wrote:

> Matt McCutchen <matt@mattmccutchen.net> writes:
> 
>> Your reference to people with PhDs in computer science is misleading: a PhD
>> is a highly specialized degree that does not necessarily imply broad computing
>> ability.
> 
> "OK, so you have a PhD. Just don't touch anything" :-).  That was just the
> first study, and I mentioned the PhD thing to avoid the "it was carried out on
> students, they're not representative" criticism.  Other studies were carried
> out on IT students (which I'd say is actually a good sample of very tech-savvy
> users, so they'd be non-representative in being too good a fit rather than too
> bad a fit), and possibly on random samples of people (I'd have to trawl
> through the refs again to see who all the subjects were).  From memory I don't
> think any were done on the Joe-Sixpack demographic, probably because the
> outcome would be a foregone conclusion ("Failure to enrol: 100%").

Yes, and the reason for this is very simple: every Joe Six-pack is intelligent
enough to see that client side certificates give him no advantage over
usernames and passwords! Why? For two reasons:

  - Most client side certificates only work with one site (unless you are in
    the army, or a few places like that)
  - For that site you need a password anyway - in case you lose your certificate

Joe Six Pack has too much to do, following what's going on TV and following complex
scores between football teams, to be bothered learning something that gives him no advantage.

(And here we are assuming that the testers would have understood how to make it easy
to do 1-click certificate creation, how to do logout properly, and how to develop a
web site that takes into account the special features of TLS - which I highly doubt.)

OpenID has the same problem: most sites ask you to login with an OpenID and then, once you
have, ask you for a username and password! Well, how is anyone going to get the point of
OpenID if that is going to be the way they are introduced to it?

Notice that Facebook Connect, by giving access to a social graph, provides in their
authentication system an advantage that cannot be simply bypassed by the Relying Party:
no relying party is going to ask all the logged-in users to enter all their social network
right after authentication.

So this is where WebID's advantage is: it decentralises Facebook Connect by tying it
to Client Side Certificates - removing one of its most problematic features. But
http://webid.info/ ties an identity into the social web. WebID allows the same CCA
to be used on ANY website that implements it, and at the same time to help that
site (the Relying Party, as they are known in this ugly jargon) to get access to
the social graph of the user - if that user is interested in presenting it.

Now as soon as you have those advantages, the benefit to Joe Sixpack becomes obvious.
He can now login as a fan to any of the football league sites in one click, and comment
on discussions, play games, organise meetings, order tickets for football matches and
so on. He can create a football social network that is not centralised in one country
or by one organisation. He can use his football fan credentials to login to a football
producer site - in one click - to explain what is wrong with the football they are making.
And if there is a beer advert on TV with a special offer for fans he can get that in
one click.

That is how you convince football fans. Once you have convinced them, you can convince the
developers who are also football fans, because you have convinced their managers who 
can see the point in this. And you also convince the EFF because otherwise Facebook is
going to completely take over all authentication on the web and we really have a big 
brother situation. WebID is Freedom Box friendly.

Henry

- http://webid.info/
- http://www.freedomboxfoundation.org/



Social Web Architect
http://bblfish.net/