foaf+ssl in Mozilla's Fennec works!

At yesterday's Bar Camp in La Cantine I discovered that Mozilla's Fennec browser for mobile phones can be run on OSX (download 1.0 alpha 1 here). So I tried it out immediately to see how much of the foaf+ssl login would work with it. The answer is all of it, with just a few easy-to-fix user experience issues. I really am looking forward to trying the Nokia N810 Internet Tablet for real.

Anyway here are quick snapshots of the user experience.

Getting a certificate

First of all the best news is that the <keygen> tag, now documented in HTML5, works in Fennec. This means that one can get a client certificate in one click without going through the complex dance I described in "howto get a foaf+ssl certificate to your iPhone".

This is how easy it can be. Go to foaf.me.

After filling out the form, you can create yourself an account on foaf.me:

To make your WebId useful all you need to do is click on the "Claim account with SSL certificate" button -- which could certainly be phrased better -- on the account creation successful page:

Once clicked, your browser will start calculating a new public/private key pair, send the public key to the server, which will turn it into a certificate and send that back to your browser, which will then add it to the keychain! All you will see of this whole transaction is:

The Fennec message here is a bit misleading: you should not in fact need to keep a backup copy of your certificate. Foaf+ssl certificates are very cheap to produce. And without a link to the keychain from the popup, most users won't know what is being talked about, or how to keep a backup. Also on a cell phone they may well wonder where to put the backup anyway. So in this case it is wrong, and not that helpful. Much better would be to have a popup say: "Your certificate has been installed. Would you like to see it?" Or something like that. Most people won't care.

Using the certificate

You can then test the foaf+ssl certificate on any number of sites. The foaf.me site has a login button for example that when clicked will get the browser to ask the user to choose a certificate. And, this is where the User Interface choices made by the Mozilla team are just simply embarrassing. Not unusable, but just really bad.

No user ever cares about these details! It is confusing. Do you think users have issues with URLs? Well what do you think they are going to make of the old outdated Distinguished Names?

Just compare this with the user experience on the iPhone.

Quite a few bug/enhancement reports have been reported on this issue on the Mozilla site. See for example Bug 396441 - Improve SSL client-authentication UI, and my other enhancement requests.

Still, this user interface issue should be really easy to fix, as it is just a question of making things simpler, i.e. of reducing the complexity of their code. And clearly on a cell phone that should be a priority.

Another issue I can see on the Fennec demo browser is that I could not find a way to remove certificates. That would be quite an important piece of functionality too.

But in any case, using foaf+ssl on Fennec is currently easier than on any other cell phone browser - and Fennec is one of the rare ones, if not the only one, on which it works correctly! So kudos for that! Fennec and the Nokia N810 are the place to look for what a secure life without passwords, without user names, and with a global distributed social network can look like on a mobile platform.

Comments:

This tutorial shows creation of a brand new foaf.me profile from Fennec. How would I create one and only one profile, and access it from Firefox and Konqueror (maybe from multiple computers) and Fennec?

Should I create one cert for each, or maybe one for computers and one for mobile? In that case, how do I add the public key of the Fennec-created cert into my profile?

Or should I create one cert on the computer and use it on Fennec too? In that case, how do I transfer the cert?

Posted by Nicolas on October 17, 2009 at 11:52 PM CEST #

Hi Nicolas,

foaf.me at the time of this writing does not allow one to have more than one certificate per account. But this is a limitation only of the current implementation of foaf.me.

foaf+ssl allows one to have as many certificates as one wants, one for each browser, one for each machine, ... all with the same id. You just need to add the public keys of each certificate to the foaf file.

Btw, foaf.me is open source, so if you have a bit of time, you can make a git clone of it, and add that feature.

But you could also have one and only one cert, and copy it to each device. I am not sure how to extract an X509 cert from Fennec, or how to add it, as there does not seem to be a way to access the cert chain.

Posted by Henry Story on October 18, 2009 at 06:49 AM CEST #
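To make concrete what the post's certificate paragraph and this reply describe (several certificates, one WebID, trust coming from the public keys listed in the foaf file), here is an added example in Go; it is not code from the blog or from foaf.me. It assumes the WebID sits in the certificate's subjectAltName, puts a spoken name rather than the URL in the CN, uses a self-signed certificate, and replaces the HTTP fetch of the profile with a lookup function over constructed data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// PublishedKeys stands in for the public keys a FOAF profile lists for a WebID:
// cert:modulus in lowercase hex mapped to cert:exponent. Constructed, not fetched.
type PublishedKeys map[string]int

// SelfSignedWebIDCert builds a client certificate: the WebID goes in subjectAltName
// (assumed foaf+ssl placement) and the CN is a spoken name rather than the URL.
// It is self-signed because in foaf+ssl the profile lookup, not the issuer, gives trust.
func SelfSignedWebIDCert(webid *url.URL, name string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		URIs:         []*url.URL{webid},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID is the relying party's half of foaf+ssl: read the WebID from the
// certificate, fetch its profile (a lookup function here, an HTTP GET in reality)
// and accept only if the certificate's RSA key is one the profile publishes.
func VerifyWebID(cert *x509.Certificate, fetch func(string) PublishedKeys) (string, bool) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", false
	}
	for _, u := range cert.URIs {
		if e, found := fetch(u.String())[pub.N.Text(16)]; found && e == pub.E {
			return u.String(), true
		}
	}
	return "", false
}
```

A second certificate for the same WebID (say, one generated on the phone) is rejected until its modulus and exponent are added to the profile, which is exactly the "add the public keys of each certificate to the foaf file" step.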

Well, I think there are more fundamental problems... Let's imagine for a minute that foaf.me does support multiple certificates. I create a profile from my computer, and create a cert.

There are now several options:
- I copy that cert into the phone. How?
- I create a new cert to use on the phone, but from the computer. Same problem as above; how do I put it on the phone?
- I create a new cert from the phone. How will foaf.me know it's actually me adding a new cert? Asking for authentication with the existing cert? ;)

A different scenario: I create a profile and a cert from the phone. How can I ever login from a computer?

Posted by Nicolas on October 18, 2009 at 06:52 PM CEST #

Nicolas said:

"Let's imagine for a minute that foaf.me does support multiple certificates. I create a profile from my computer, and create a cert. There are now several options:
- I copy that cert into the phone. How?"

On the desktop it is quite easy. Say you have a certificate in Firefox and you want to copy it to Opera. You can do this by going to Preferences->Advanced->Encryption->View Certificates->Your Certificates
(there is a chrome url for this)

There you can check the certificate you want and click "Backup". You can then save it to your hard drive and import it into Opera.

With the phones I don't know how to do this. Partly because I don't have enough money to own more than one phone.

On the iPhone it was possible to do this by mailing the certificate to yourself. See the blog post
http://blogs.sun.com/bblfish/entry/howto_get_a_foaf_ssl

"- I create a new cert to use on the phone, but from the computer. Same problem as above; how do I put it on the phone?"

Again I am not sure how to do this. This seems to depend very much on the phone.

But really you don't need to create a certificate on the desktop and send it to yourself on the phone. With Fennec you can just create it on the phone directly.

"- I create a new cert from the phone. How will foaf.me know it's actually me adding a new cert? Asking for authentication with the existing cert? ;)"

Ah the trick here would be that your foaf.me server would also have a username password login. You would then use that to login and then create a certificate. So yes, perhaps there is only one site in the world you would need a username/password: your foaf.me server. Also that could be more intelligent and create one time passwords, by SMSing them to your cell phone.

"A different scenario: I create a profile and a cert from the phone. How can I ever login from a computer?"

So you would have to create a password on your foaf.me server. Or send your certificate from your phone, via email to your desktop. It will be interesting to see which of those options is the most popular/secure...

Posted by Henry Story on October 18, 2009 at 08:12 PM CEST #

Two comments:
1. Your objection to the certificate name presented in the certificate selection dialog, which in your example appeared as "FOAF ME Cert http://foaf.me/foafme123's FOAF.ME ID" is an objection to a choice made by the issuer of the certificate itself. The components of the name displayed there come right from the certificate. The same two components are used in all certificates. They are, in order, the Common Name (CN) from the certificate's Subject Name, followed by the CN from the certificate's Issuer Name. A Common Name is supposed to be a person's or organization's spoken name, not a URL. The problem is the certificate issuer's decision to put a URL into the certificate's field that is supposed to contain the subject's (user's) name. The solution is not to change the browser, it is to change the issuer to conform to the standards, and do what all the other issuers do.

2. A certificate selection UI that shows no more than a simple user name (e.g., a single field from the certificate) will be a real problem for a user who has numerous certificates from multiple issuers. If you have 10 certificates, and they're all identified with the name "Henry Story" that doesn't really help you to choose one. A proper certificate issuer will issue certs whose names contain ONLY fully verified components, and will not put unverifiable data into certificates. I'll bet J2E is not a verifiable part of your name, so it's not a good plan to rely on modifications to your name to uniquely identify your various certificates.

In short, your UI change ideas seem OK for users of a single certificate issuer whose only application for certificates is yours, but probably work less well in more diverse environments.

Posted by Nelson B on October 22, 2009 at 01:04 PM CEST #

Hi Nelson,

sorry for taking so long to accept your post. I have been very busy recently organising the Social Web Camp in Santa Clara.

On point 1: you are completely right that http://foaf.me, which created the certificates, should not be putting the User's URI in the certificate CN. It should be, as you say, his pronounceable name. In fact I would suggest creating names such as "Joe Smith (personal)" or "Joe Smith (professional)".

On point 2: You are right that if a user had different certificates, each where the CN was the same name, then this would be a problem for the user selecting the certificate. But clearly this is not the only solution available to a UI designer. It should be relatively easy to allow
- the user to tag certificates named in the same way, in such a way as to help him distinguish them. The UI could then display things like Joe Smith (Professional) or Joe Smith (personal)
- The UI can show more information about each certificate, but only so much as is required to clearly distinguish the certificates. (So perhaps the CN of the user and of the Issuer).

Once these tricks are built in to the user interface to help the user select among his certificates, then the other details, that most people do not understand, should be hidden but available to anyone who wishes to inspect them, on a click of a button. Opera does this quite nicely.

Posted by Henry Story on October 25, 2009 at 08:10 AM CET #
