WebID vs BrowserId on stack exchange #2

I spent some time answering a WebID vs BrowserId question on Stack Exchange.

http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid/5424

This is better than the previous question on Stack Exchange that was badly phrased against BrowserId, asking for what was wrong with it. I answered it, and put the text below. Let me know where I went wrong, so I can fix that. It was a lot of work writing it up, so please take that into consideration when criticising me for the inevitable errors.

--------------------------------------------------------------------------------------

note: A lot of these questions on the WebID side are answered in the Foaf+ssl FAQ.

BrowserID versus WebID: is the distinction real?

BrowserID is an experiment at Mozilla Labs; it is very new, not fully defined (exactly how the e-mail server's public key should be found is not specified, for example) and not completely implemented (it requires browser support to be really distributed). WebID is a specification going through a W3C incubator process, and so is evolving.

Furthermore the two projects are not clearly incompatible - or rather, whether they are is a question of semantics only. We can divide how they differ by looking at two dimensions:
- identity verification: verifying the certificate's signature (BrowserID) or verifying the user's public key (WebID/foaf+ssl)
- certificate format: JSON (BrowserID) or X509 (foaf+ssl) formats for certificates

Currently BrowserID has been defined by the pair (certificate signature verification, JSON certificate) and WebID/foaf+ssl by the pair (user public key verification, X509 certificate).

But there is no logical reason why one could not also have the other two combinations:
- (certificate signature verification, X509 certificate) - i.e. a BrowserID auth done with TLS
- (user public key verification, JSON certificate) - i.e. WebID auth done with JSON

Or one could also have both strategies for each certificate type. That is, one could verify the certificate signature first and then, if needed, also verify the WebID. This could be useful to get more information about the user (a RESTful attribute exchange) and it could also be useful to check that the key had not been revoked.

So the question should really be: what are the advantages and disadvantages of the "pure" BrowserID authentication versus a "pure" WebID - known also as foaf+ssl - authentication. Please keep that in mind for the rest of this answer.

Comparing Pure BrowserId and WebId/foaf+ssl

Answer stating the way things are in July 2011.

How are compromised keys invalidated?

In WebID they are removed from the Profile page. A good user interface would make this a one click affair. The user would go to his social network and remove a key, which he could remember by name, by the computer he had it on, by when he generated it, or by other human friendly ways of remembering things.

BrowserID currently uses a JSON certificate with a time stamp, which the protocol currently desires to restrict to being very short term. The reason the (JSON) certificate needs to be very short lived is that the only way a certificate is validated by the relying party in the current BrowserID spec is by checking its signature with the public key of the e-mail provider. But if BrowserID were combined with WebID (that is, if the JSON certificate could contain an http(s) Subject Name too) then longer lasting keys could be used, and compromised keys could be detected by verifying the key against the one published on the public profile.
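The two verification strategies described above (and the "both strategies" combination from the earlier paragraph) can be modelled in a few dozen lines. The following is an added example, not code from the original post nor from the BrowserID or WebID projects: the JSON field names, the `Profile` map standing in for a fetched profile document, and the use of ed25519 as the signature scheme are all assumptions made for the example. It shows the revocation consequence the post describes: after the user deletes a key from the profile, the signature-only check still accepts the unexpired JSON certificate, while the published-key check rejects it immediately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// JSONCert is the issuer-signed statement "this public key belongs to this
// e-mail address until Exp" (BrowserID-style). Field names are constructed
// for this example, not the real wire format.
type JSONCert struct {
	Email  string `json:"email"`
	PubKey []byte `json:"pubkey"`
	Exp    int64  `json:"exp"` // unix seconds
}

// SignedCert carries the encoded certificate and the issuer's signature.
type SignedCert struct {
	Body []byte
	Sig  []byte
}

// Issue plays the e-mail provider: it signs the certificate with its key.
func Issue(issuerPriv ed25519.PrivateKey, c JSONCert) (SignedCert, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return SignedCert{}, err
	}
	return SignedCert{Body: body, Sig: ed25519.Sign(issuerPriv, body)}, nil
}

// VerifyBrowserIDStyle checks only the issuer signature and the expiry.
// Nothing here can learn that the key was revoked before Exp, which is why
// the certificate has to be short lived.
func VerifyBrowserIDStyle(issuerPub ed25519.PublicKey, sc SignedCert, now time.Time) (JSONCert, error) {
	var c JSONCert
	if !ed25519.Verify(issuerPub, sc.Body, sc.Sig) {
		return c, errors.New("issuer signature invalid")
	}
	if err := json.Unmarshal(sc.Body, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("certificate expired")
	}
	return c, nil
}

// Profile stands in for the fetched WebID profile document: the set of
// public keys the identity currently publishes. Deleting a key revokes it.
type Profile map[string]bool

// VerifyWebIDStyle ignores any signature on the certificate and asks only
// whether the presented key is (still) published in the profile.
func VerifyWebIDStyle(profile Profile, presented ed25519.PublicKey) error {
	if !profile[string(presented)] {
		return errors.New("key not published in profile: unknown or revoked")
	}
	return nil
}

// VerifyCombined is the "both strategies" variant: issuer signature first,
// then the published-key lookup as a revocation test.
func VerifyCombined(issuerPub ed25519.PublicKey, sc SignedCert, now time.Time, profile Profile) error {
	c, err := VerifyBrowserIDStyle(issuerPub, sc, now)
	if err != nil {
		return err
	}
	return VerifyWebIDStyle(profile, ed25519.PublicKey(c.PubKey))
}

// RevocationScenario: the user removes a compromised key from the profile.
// It reports whether each strategy still accepts that key ten minutes later.
func RevocationScenario() (browserIDAccepts, webIDAccepts, combinedAccepts bool, err error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	userPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	now := time.Unix(1700000000, 0) // fixed clock, constructed for the example
	sc, err := Issue(issuerPriv, JSONCert{Email: "alice@example.org", PubKey: userPub, Exp: now.Add(time.Hour).Unix()})
	if err != nil {
		return
	}
	profile := Profile{string(userPub): true}
	delete(profile, string(userPub)) // the user revokes the key on the profile page
	later := now.Add(10 * time.Minute)
	_, e1 := VerifyBrowserIDStyle(issuerPub, sc, later)
	e2 := VerifyWebIDStyle(profile, userPub)
	e3 := VerifyCombined(issuerPub, sc, later, profile)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	b, w, c, err := RevocationScenario()
	fmt.Println("after revocation - browserid-style:", b, "webid-style:", w, "combined:", c, "err:", err)
}
```

Proof of possession of the private key (the client signing a server nonce) is common to both strategies and is left out here; the point of the example is what the relying party can and cannot learn about revocation from each check.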

How does multi device browser support work?

Both WebID and BrowserId can have multiple public keys.

In WebID each of them gets published in the profile page. You can see this in action in the "WebID creation and use in 4 minutes" video. So each device can have a certificate created on that device.

BrowserID will save the key in the browser/OS keychain when that part is integrated in the browser. Since verification only requires the Relying Party to check the signature of the certificate it was sent with the public key of the e-mail provider, there is no problem if different devices have different certificates.

If those result in multiple public keys, how are they linked?

In BrowserID the public key of the user's certificate is only used to verify that the client has the corresponding private key in the authentication process. There is no linking going on.

With WebID the different public keys can be published on the Profile page and can thus be linked there. Some of those keys could be described as long lasting and so also used for signing and decryption.

Is the linking required to be done for every consumer?

In WebID - if WebID does not also offer a BrowserID like feature - then yes. Every profile publishes the public key. The profile may be nothing more than the publication of that key.

How is support in current browsers?

All desktop browsers support X509 certificate selection. Cell phones are more patchy. So they have all supported WebID since 1998 or so (with a few exceptions like early versions of Chrome).

For BrowserID to work in a decentralised way it needs browser support. This is currently missing from all browsers.

Is the user interface easy enough to be understood by average users (including creation, selection, revocation from the current computer, and global revocation of an identity)?

Creation: In both this is a one click affair. With WebID, X509 certificates can be generated using the html5 keygen element, and an IE ActiveX workaround. The user just needs to click a big button - see the "WebID & Browsers" video or the above "WebID creation and use" one. User interfaces could of course be improved with better web designers.

Selection:
WebID: Selection is excellent on Chrome, Safari, Opera and IE but ugly - though not impossible to use - in Firefox. Why they don't bother to fix that is a mystery. Please vote up bug 396441 - Improve SSL client-authentication UI. There is a lot that can be done to improve the UI, but imperfect browsers have never stopped creative web people from using them creatively.
BrowserID: selection can be designed by the web site, though this may create more security risks, and will not provide a consistent authentication UI across sites (hence a possible phishing risk).

Revocation from current computer:
WebID: removing X509 certificates from the current computer is something that should be avoided, and certainly the UI for that should be improved.
BrowserID: revocation from the current computer is not defined yet as it has not been implemented.

Global revocation of identity:
WebID: this just requires the Profile Page to return one of the HTTP error codes if the identity needs to be completely removed, or an HTTP redirect if the profile moves, or a semantic identity relation between the old and the new identity, or just the removal of one of the public keys from the profile if a certificate has been stolen.
BrowserID protects itself with short lived (JSON based) certificates.

Is there a centralized organisation which can track users?

WebID: it can be completely decentralised. You could place your WebID on your FreedomBox and so could all your friends. You could also place it on some anonymous server if you trusted that service.
BrowserID: when the JSON certificate store is integrated with the browser - and one no longer needs to use browserid.org - then each e-mail provider could participate. Since Freedom Boxes can also be e-mail providers they can also be authorities.
Are there decentralized organisations which can track users?

Examples of what that would look like?

How detailed can the tracking be?

With BrowserID the Relying Party fetches the public key of the e-mail provider. All that provider should know is that some server made a GET request. This is something that may be worth integrating into WebID. On the other hand the Relying Party ends up with an e-mail address that could be misused for spamming.

With WebID a request by the Relying Party is made on the Profile Page. This request could be done anonymously, via a proxy or even an IP proxy.

How easy is it for a consumer to get the implementation right?

WebID over TLS requires more to set up for the relying party, including an SSL server. That server should not do the usual authentication of client side certificates. On the other hand it is more secure, since it forces TLS. There are a lot of TLS tools that have been tested over time, and that keep being tested.

BrowserID does not require TLS on the Relying Party so it is easier to set up. On the other hand, man-in-the-middle attacks are possible if TLS is not set up.

(But at this point one should notice that there is no deep reason why BrowserID and WebID cannot both use the new proposed JSON certificate format and combine their strengths. It is quite possible to do the BrowserId )
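What "should not do the usual authentication of client side certificates" means in practice for the relying party is shown below as an added example (not code from the post or from any WebID implementation). The TLS listener requests a client certificate but skips CA-chain verification, because WebID certificates are self-signed; the application then reads the WebID URI out of the certificate's subjectAltName and compares the RSA key with what the profile publishes. The function names are this example's own, and the "profile" is reduced to a modulus and exponent supplied by the caller instead of a fetched document.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RelyingPartyTLSConfig builds the listener configuration for a WebID relying
// party: the handshake asks the browser for a client certificate but the TLS
// stack does not verify it against a CA pool. The usual mutual-TLS setting,
// RequireAndVerifyClientCert, would reject the self-signed certificates a
// <keygen>-based WebID flow produces.
func RelyingPartyTLSConfig(serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequestClientCert, // request it, do not chain-verify it
		MinVersion:   tls.VersionTLS12,
	}
}

// WebIDFromCert pulls the WebID (an http(s) URI in subjectAltName) and the
// RSA public key out of the presented certificate. The caller would then
// dereference the WebID and compare the key against the profile.
func WebIDFromCert(cert *x509.Certificate) (string, *rsa.PublicKey, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", nil, errors.New("client certificate does not carry an RSA key")
	}
	for _, u := range cert.URIs {
		if u.Scheme == "http" || u.Scheme == "https" {
			return u.String(), pub, nil
		}
	}
	return "", nil, errors.New("no http(s) URI in subjectAltName")
}

// KeyMatchesProfile is the WebID check itself: the modulus and exponent the
// profile publishes must equal those of the presented key. The "profile" here
// is just the two numbers, constructed by the caller.
func KeyMatchesProfile(pub *rsa.PublicKey, profileMod *big.Int, profileExp int) bool {
	return pub.N.Cmp(profileMod) == 0 && pub.E == profileExp
}

// NewSelfSignedWebIDCert constructs the kind of certificate a browser would
// generate for the user: self-signed, with the WebID in subjectAltName.
func NewSelfSignedWebIDCert(webid string) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(webid)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Alice (constructed example)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

func main() {
	cert, priv, err := NewSelfSignedWebIDCert("https://alice.example.org/profile#me")
	if err != nil {
		panic(err)
	}
	webid, pub, err := WebIDFromCert(cert)
	if err != nil {
		panic(err)
	}
	// A real relying party would GET webid here; we feed it the key we just made.
	fmt.Println(webid, "key matches profile:", KeyMatchesProfile(pub, priv.N, priv.E))
	_ = RelyingPartyTLSConfig(tls.Certificate{})
}
```

Because the TLS layer accepts any client certificate, the application must treat the certificate as unauthenticated until `KeyMatchesProfile` has succeeded against a profile fetched from the WebID; the handshake only proves possession of the private key, not who it belongs to.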

How does it work on Internet terminals on which you don't have permissions to install software (assuming you accept the risk of it being compromised)?

Internet terminals are always dangerous. Only crypto keys could make those safe, by completely placing the key in hardware - see "WebID and the Crypto Stick". Of course very short lived keys are the solution if either WebID or BrowserID has to be used. Both can have short term keys. Perhaps OpenID is better here, combined with one time passwords passed by a cell phone.
Henry
7/18/2011 1:39:25 PM
mozilla.dev.identity
