[foaf-protocols] issue of initiating client auth for parallel SSL sessionids

peter williams home_pw at msn.com
Wed Mar 2 06:27:10 CET 2011



Here, with this initiative coming from the foaf project, folks probably
want to see "some" of the user-centric flavor be retained. I don't feel
folks are exactly on anti-corporate rants; but they are concerned about the
"politics of control." Should a lowly user 



yes lowly. And, it's worth discussing this, and figure what's relevant
technically. How can the space not fall into the openid trap? (The market
was too ignorant to bother keeping the technology freely interoperable?)


I tend to campaign for users, who are often treated as "lowly" in the eyes
of many a larger corporation - who views them as mere subscribers, to be
governed. Or not, should they break a rule.


One of the things I used to campaign for in the openid world was two of its
founding aspirations: that users could run their own idp on a blog site
(analogous to minting a self-signed cert), and that dominant relying party
sites would generally enable the user to bind several idps to their
resource-server account (N to 1). The goal of the latter was to establish a
balance of power, that should any one huge corporate entity (like paypal IDP
say) choose to suspend a user now denying that user a login page (to paypal,
as seems paypal's appropriate right), this act would have little or no
impact on the user's access to all the *other* websso sites to which the user
had account-linked the (former) paypal name. One simply abandoned paypal,
and used one of the n-1 identities at all the non-paypal destinations. 


Little or none of that world of "balanced governance" is practiced, in the
openid world. Apparently, there is "no demand" for it.


Now, in the webid world (which builds on the UCI centric self-signed
certificate world that is actually ubiquitous, world wide and world both the
Sudanese on $2 a day and the German/French/Canadian/. on $2 a minute pay),
the user is not lowly - having as much power as a huge corporation in the
crypto-based identity space. 


It's much fairer than openid, and the balance of power seems more just -
when you look at it at web scale (for multiple billions of folk). Though
individuals often choose to cede control to crypto-governing bodies (e.g.
VeriSign for server certs), they clearly don't have to, to have a global web
presence. (It's really easy and pretty low cost to mint a https server site
at Microsoft Azure, with a self-signed web server cert, taking 10m). This
option to "do away with" VeriSign (and build a pgp net of self-signed certs)
keeps a certain power reserved to the individuals, and seems to guard
against abuse of power by VeriSigns of the world. Properly, VeriSign keeps
itself in check, to keep its brand in good standing with users - something
which pleases me, since I used to associate with it.


Crypto politics is fun. As always, the goal is to find the right balance -
which openid didn't find (despite capturing the biggest home page in the
world as an IDP). Another goal is to ensure the debate allows the balance
point to always evolve, so certs and crypto go from censored munition with
government harassment of crypto programmers (just 11 years ago) opposed to
mandatory key escrow, to where we are now (self-signed certs for https in
the cloud, as a norm).


Of course, something had to give (and what gave was the world of SSL MITM,
which allows a capture and deception point). But, one has to give to


