The WebID Protocol & Browsers
Position Paper for W3C Workshop on Identity in the Browser 24/25th May 2011, Mountain View (USA)
Presented by members of the W3C WebID Incubator Group
Authors: Jeff Sayre & Henry Story
Due No Later Than April 27, 2011
1. Position Statement
The browser is the interface to the web and should also serve as the interface to a user’s identity. Identity selection and deselection should be a one-click gesture to cryptographically secure authentication across the entire web. It should put the user in control of the information he shares with each site. And it should be available now.
The WebID protocol achieves all of the above. It works in all browsers now using the widely-deployed TLS protocol and client-side certificates, but with a twist. It ties those certificates into the web in a RESTful manner, allowing identities to be linked together in a secure social web of trust without requiring Central Authorities. Creating short-lived, throwaway IDs is as easy as building longer-term ones.
After explaining how the WebID protocol works, and listing its advantages, we will suggest a roadmap for future improvements in the browser that can be deployed incrementally.
2. WebID Overview
The WebID protocol is very simple and efficient. It requires only one more connection than the original resource request, and the results of this connection can be cached.
Excerpt of the client certificate shown in the protocol figure (the figure itself is not reproduced here); the fields follow the openssl text dump layout, with the WebID carried in the Subject Alternative Name:
    Public Key Info:
        Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Exponent: 65537 (0x10001)
    X509v3 Subject Alternative Name:
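The verification step the overview describes (the server reads the WebID URI and the RSA public key out of the TLS client certificate, dereferences the WebID's profile document, and checks that the profile publishes the same key) is worked through below as an added example. It is not code from the paper or from the WebID Incubator Group. It assumes the certificate is available as an openssl-style text dump, that the profile is served as N-Triples using the cert ontology terms cert:key, cert:modulus and cert:exponent (the profile format and the fetch function are assumptions here), and it uses constructed keys and profiles so that it runs offline; the optional cache mirrors the paper's point that the extra connection's result can be cached.

```python
import re
from typing import Dict, List, Optional, Tuple

CERT_NS = "http://www.w3.org/ns/auth/cert#"
XSD_NS = "http://www.w3.org/2001/XMLSchema#"


def parse_certificate_text(text: str) -> dict:
    """Pull the RSA modulus, exponent and SAN URIs out of an openssl-style certificate dump."""
    lines = text.splitlines()
    modulus_hex: List[str] = []
    exponent: Optional[int] = None
    webids: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if re.fullmatch(r"Modulus( \(\d+ bit\))?:", line):
            # The modulus follows as lines of colon-separated hex bytes.
            i += 1
            while i < len(lines) and re.fullmatch(r"(?:[0-9a-f]{2}:?)+", lines[i].strip()):
                modulus_hex.append(lines[i].strip().replace(":", ""))
                i += 1
            continue
        m = re.match(r"Exponent:\s*(\d+)", line)
        if m:
            exponent = int(m.group(1))
        elif line == "X509v3 Subject Alternative Name:":
            # SAN entries sit on the next line, e.g. "URI:..., email:..."; only URIs are WebIDs.
            i += 1
            for entry in lines[i].strip().split(","):
                entry = entry.strip()
                if entry.startswith("URI:"):
                    webids.append(entry[len("URI:"):])
        i += 1
    if not modulus_hex or exponent is None:
        raise ValueError("certificate carries no RSA public key")
    return {"modulus": int("".join(modulus_hex), 16), "exponent": exponent, "webids": webids}


# Minimal N-Triples reader: one "<s> <p> <o> ." statement per line.
TRIPLE_RE = re.compile(
    r'^(<[^>]*>|_:\w+)\s+(<[^>]*>)\s+(<[^>]*>|_:\w+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>)?)\s*\.$'
)


def parse_ntriples(doc: str) -> List[Tuple[str, str, str]]:
    triples = []
    for raw in doc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE_RE.match(line)
        if not m:
            raise ValueError(f"bad N-Triples line: {line}")
        triples.append(m.groups())
    return triples


def objects(triples, subject: str, predicate: str) -> List[str]:
    return [o for s, p, o in triples if s == subject and p == predicate]


def literal_value(obj: str) -> Tuple[str, Optional[str]]:
    m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"(?:\^\^<([^>]*)>)?', obj)
    if not m:
        raise ValueError(f"not a literal: {obj}")
    return m.group(1), m.group(2)


def profile_rsa_keys(triples, webid: str) -> List[Tuple[int, int]]:
    """Return the (modulus, exponent) pairs the profile publishes for this WebID."""
    keys = []
    for key_node in objects(triples, f"<{webid}>", f"<{CERT_NS}key>"):
        mods = objects(triples, key_node, f"<{CERT_NS}modulus>")
        exps = objects(triples, key_node, f"<{CERT_NS}exponent>")
        if len(mods) != 1 or len(exps) != 1:
            continue  # malformed key description: ignore it rather than trust it
        mod_text, mod_type = literal_value(mods[0])
        exp_text, exp_type = literal_value(exps[0])
        if mod_type != XSD_NS + "hexBinary" or exp_type != XSD_NS + "integer":
            continue
        # hexBinary may be published in either case; compare as integers, not strings
        keys.append((int(re.sub(r"\s+", "", mod_text), 16), int(exp_text)))
    return keys


def verify_webid(cert_text: str, fetch_profile, cache: Optional[Dict[str, list]] = None) -> List[str]:
    """Return the WebIDs claimed in the certificate whose profiles confirm its public key."""
    cert = parse_certificate_text(cert_text)
    verified = []
    for webid in cert["webids"]:
        doc_url = webid.split("#", 1)[0]  # dereference the document, not the fragment
        if cache is not None and doc_url in cache:
            triples = cache[doc_url]
        else:
            body = fetch_profile(doc_url)
            if body is None:
                continue  # profile unreachable: the claim stays unverified
            try:
                triples = parse_ntriples(body)
            except ValueError:
                continue
            if cache is not None:
                cache[doc_url] = triples
        if (cert["modulus"], cert["exponent"]) in profile_rsa_keys(triples, webid):
            verified.append(webid)
    return verified


# Constructed sample data (the modulus is a short placeholder, not a real 1024-bit key).
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=Alice
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:1f:9a:4e:77:b2:05:d8:6a:13:ef:90:2c:5b:
                    a7:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                URI:https://alice.example/profile#me, URI:https://bob.example/card#i
"""

PROFILES = {  # constructed profile documents, keyed by document URL
    "https://alice.example/profile": """
<https://alice.example/profile#me> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "C31F9A4E77B205D86A13EF902C5BA741"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
""",
    "https://bob.example/card": """
<https://bob.example/card#i> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "0A0B0C0D"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
""",
}


def fetch_profile(doc_url: str) -> Optional[str]:
    """Stand-in for the HTTP GET of the profile document (assumed helper)."""
    return PROFILES.get(doc_url)


if __name__ == "__main__":
    # Alice's profile confirms the key; Bob's profile lists a different key, so only Alice is verified.
    print(verify_webid(CERT_TEXT, fetch_profile))
```

A certificate may carry several SAN URIs; each is an independent claim, and the server authenticates the user under whichever WebIDs check out. The certificate itself is never trusted on its own: the binding comes from the profile, which is why the profile document must be fetched over a channel whose server identity is verified.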
3. Advantages of WebID
Issues of identity and privacy have grown increasingly serious as the web has become social over the last decade. Remembering login details has become a serious security issue, as more sites ask for them than people are able to remember. And the inability to easily share restricted information across websites has become a visible problem for hundreds of millions of people, who find themselves and those they wish to communicate with split across siloed services.
Specifically, WebID offers the following advantages.
3.1 Overcoming Password Fatigue
Passwords are either hard to remember or weak; that is their fundamental problem. The easy way out is to re-use them, which makes phishing the biggest threat on the web, makes people limit the number of sites they use out of fear, and so reduces the diversity of the web. WebID uses TLS client certificates and public key cryptography as shipped in current browsers, in a way that enables the same certificate to be used securely across sites.
3.2 Comparison to OpenID
OpenID reduces the account multiplication issue by allowing users to log in to every site using the same global identifier. WebID was inspired by OpenID but improves on it in a number of meaningful ways:
(See the WebID W3C wiki for further advantages)
These protocol simplifications create a cascade of additional benefits. The most interesting is that by being completely compliant with Web Architecture the trust can be moved from the Identity Provider to the Web of relations, solving the trust problem - the biggest issue of WebID - by decentralising it.
TLS client certificates have been available in the browser since 1996, but their usage has been limited to a small number of sites. The site that generates the certificate is usually the same one that consumes it, giving the user little advantage over usernames and passwords sent over server-side HTTPS.
What is missing in the current usage of TLS is the global naming system that OpenID takes advantage of with URIs, and that allows one to potentially authenticate to all sites. Where TLS failed was that X.500 names were not Universal Identifiers and could not be used to form an interlinked web, so they could not be used successfully to authenticate to remote sites. By webifying TLS we enable the creation of a distributed, linked web of trust.
4. Browser Support & Benefits
All current browser-based authentication methods fail to give the user full control over identity. We declare that browsers MUST give the user full visible control of their identity. With TLS, as with cookies, one should be able to see clearly which identity one is logged in under and be able to easily become anonymous again. The Firefox Weave group have shown very elegantly how this could look, by making use of the URL bar's existing role as guarantor of server identity and extending it to client identity.
Here the user can see what persona he presents to the site or if he is anonymous. It also permits the user to change identity or to log out. The browser could then make use of the information found in the WebID profile, linked to from the X509 certificate, such as finding a link to a picture which can then be displayed, or linking to the account management page as shown above.
This WebID anchor can then be used by browsers to improve the user experience
WebID is fully integrated with TLS. It complements client-side certificates in a manner very similar to the way the IETF DANE Working Group is using DNSSEC to improve the security of server certificates and enable massive server-side TLS deployment. Both of these technologies should help bring about an increasingly secure Web, whilst avoiding the dystopia of excessive centralisation.
5. Interest to Web Services
WebID allows users to authenticate cheaply and securely to any website in the world, without needing to fill out any new forms, whilst giving that site conditional access to their social graph (see Sketch of a RESTful photo Printing service). This will allow innumerable applications to be built that improve relations between individuals and their friends, co-workers, employers, and vendors across domain and organizational boundaries.
Best of all, WebID uses only open and well-established standards. With a little extra effort on the User Interface, browser vendors could help grow the web into a fully global, distributed and secure Social Web.
6. Additional Resources