Mozilla Persona vs WebID-TLS
Over the last few years, attacks against web sites have become more and more frequent. To counter these threats and to build a web of trust, sites keep trying to implement better authentication systems. Currently, most systems identify users with a username and a password. However, remembering a different username and password for every account created is difficult for users.
To address this issue, new mechanisms and protection systems have been developed, such as Mozilla Persona, WebID-TLS, OpenID, Facebook Login, Google login, Shibboleth, CAS, etc.
In this article we compare Mozilla Persona and WebID-TLS from several angles. But first, let's briefly describe each system.
Mozilla Persona is an authentication system for the web, proposed as a new standard for identity systems. It was developed by the Identity Team at the Mozilla Foundation; its initial release (under the name BrowserID) dates from July 2011.
Similarly, WebID-TLS is a distributed authentication system for the web and currently a work-in-progress open standard within the World Wide Web Consortium (W3C). It was developed by the WebID Community Group; its initial release dates from December 2011.
Technical aspect:
If we start the comparison with the technical aspects, we note that each system is built on a specific protocol. Mozilla Persona is based on the open BrowserID protocol, a decentralized identity protocol that lets users prove ownership of an email address in a secure manner, without a per-site password. WebID-TLS is based on the protocol formerly known as FOAF+SSL, a secure authentication protocol designed to enable distributed, open and secure social networks: the user is identified by a URI (the WebID) and proves control of it with a client certificate presented during the TLS handshake.
If we now look at how identity verification is ensured in each system, we notice that both are certificate-based authentication systems, but they differ in two dimensions: the format of the certificate and the mechanism of identity verification.
First of all, a certificate is an electronic document that uses a digital signature to bind a public key to an identity. It can take several formats. With Persona, identity providers such as Yahoo! Mail or Gmail issue a signed JSON certificate (a JSON Web Token) that binds the user's email address to a public key generated by the browser. With WebID-TLS, the certificate is an X.509 client certificate, issued by the identity provider or self-signed by the user, whose subjectAltName carries the user's WebID URI.
As for identity verification, each system has its own mechanism. With Persona, to be sure that the user really controls the email address used to log in, the site requires, in addition to the certificate, a document called an "identity assertion". The assertion is a signed, base64-encoded string produced by the browser with the private key whose public half is embedded in the certificate; it names the site it is meant for (the audience) and expires after a few minutes. Checking that signature, together with the identity provider's signature on the certificate, is called assertion signature verification. It is done by the site itself or, more commonly, by the remote verifier service run by Mozilla on the site's behalf (https://verifier.login.persona.org/verify).
But what if the user's email provider does not support Persona? In that case we speak of delegated authentication: the user's browser falls back to a trusted third party, the fallback identity provider at https://login.persona.org/ run by Mozilla, which checks that the user controls the address (by emailing a confirmation link) and then issues the certificate. That makes it simpler for web sites to support Persona, since the fallback provider takes care of checking and verifying user identities.
With the WebID authentication system, to be sure that the user really controls the WebID (a URI), the service provider (usually a web application) requests a client certificate during the TLS handshake, takes the WebID from the certificate's subjectAltName, retrieves the profile document published at that URI, and checks that the public key embedded in the certificate is one of the keys listed in that profile. However, because of technical constraints such as implementation difficulties, service providers can delegate user authentication to a third party such as https://auth.my-profile.eu/, which verifies the user's identity and sends the result back to the service provider.
For a better understanding of this technical aspect, here are two diagrams describing the identity verification mechanism with Mozilla Persona and WebID-TLS:
1. Diagram of the mechanism of identity verification with Mozilla Persona
(diagram images not reproduced in this text version)
Security and Privacy of data aspect:
After comparing Mozilla Persona and WebID-TLS on the technical aspect, we now turn to another aspect: security and privacy of data. As we saw in the previous part, user authentication relies on a certificate, so the certificate's validity period is critical. The longer a certificate is valid, the more time there is for something to go wrong: for example, the user's computer could be stolen, and whoever has it can then use a certificate that does not belong to them.
In this context, Mozilla Persona currently uses JSON certificates with a validity period of at most 24 hours, and the assertions derived from them expire within minutes. With WebID-TLS, the protocol imposes no limit on the validity of the X.509 certificate; it depends on whoever generates it, often the user, since the certificate is usually self-signed. The compensating control is the profile document: removing a public key from the profile revokes the corresponding certificate immediately, whatever the dates inside it say.
Moreover, Persona preserves your privacy as a user, since it lets you keep complete control over your identity. The identity provider is not contacted when you log in (the browser signs the assertion itself), so it cannot trace your web activity; it is as if a wall separated your identity from what you do once logged in.
With WebID-TLS, privacy is also a design goal, since users choose which people can access their information on the web by applying access control lists (ACLs) to their profile document and the resources it links to. One caveat: the site you log in to must fetch your profile, so the host of your profile sees which sites you authenticate to, and the WebID is the same identifier everywhere, which makes you linkable across sites.
Ease of use aspect:
If we now move to another aspect, the ease of use of these two authentication systems, we may wonder whether the user interface is friendly enough for average users in every step involved, including account creation, certificate selection, and so on.
In both Persona and WebID, creating an account takes one click, respectively at https://login.persona.org/ or at any WebID provider such as https://my-profile.eu/. Creating the client certificate is also simple in both systems. With Persona, the key pair is generated by the browser and certified by the identity provider (Gmail, Yahoo!, or the fallback provider) without the user noticing. With WebID, the certificate is generated either at the same time as the WebID or afterwards with the HTML5 keygen element, which makes the browser create the key pair and install the certificate returned by the provider.
Furthermore, with Persona, certificate selection presents no problem for the user, since the web application drives the login from JavaScript and the browser picks the right certificate itself.
With WebID-TLS, the certificate selection dialog is good on Chrome, Safari, Opera and IE, but not on Firefox. Firefox has several important deficiencies, especially for users who have more than one certificate: the user must choose the right one, and the browser asks more than once. This is a hard task for someone unfamiliar with certificate handling.
Another criterion relevant to ease of use is the possibility of moving certificates from one computer to another. With Persona this is not defined yet, as it has not been implemented: the key pair and certificate live in the browser, and a new computer simply goes through a fresh login. With WebID, on the contrary, certificates can easily be moved between computers; importing and exporting client certificates is even a standard browser feature, typically in PKCS#12 (.p12 or .pfx) format.
When speaking of ease of use, we cannot ignore the fact that Mozilla Persona makes it easier for users to remember their usernames, since it is based on email addresses, which users already know, understand, and naturally associate with online identities. You can use as many email addresses as you want, and the only password to remember is the one of your email provider, or the one chosen when creating your fallback account at login.persona.org if your provider does not support Persona.
With WebID, however, the task is harder! Users are forced to learn a new username, which is an unintuitive URI; fortunately, there are now exchange mechanisms that make this easier, for example QR codes, NFC, etc.
Besides, with WebID there is no need for a password at all, which is a major advantage of this system: the private key in the browser's certificate store plays that role.
So, in summary, Persona offers an easy way to migrate from a traditional authentication system based on a login and password per site to a new one, without having to switch all at once: you can use your current email address to create your account and log in with it.
With WebID, on the other hand, you unfortunately must switch all at once, and you have to master a number of prerequisites such as certificate handling.
Finally, what about the implementation aspect?
For developers, implementing Persona is easier than WebID: it only requires a few lines of JavaScript (the login button and the callbacks that POST the assertion to the server) plus one HTTP request from the server, for instance with cURL, to have the verifier validate the assertion. That is not the case with WebID: its implementation requires a lot of software configuration, such as the web server (which must request client certificates), OpenSSL, ...
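As an added example (not code from the original post or from Mozilla), here is the relying-party side of the Persona flow described in the technical section above and in this implementation paragraph, written for a Node.js server. On the client, navigator.id.watch() registers an onlogin callback that navigator.id.request() (behind the login button) triggers with the assertion, and that callback POSTs the assertion to the server; the server then forwards it with its audience to the verifier. The verifier URL is the real one; the sample verifier replies and the injected post function are constructed so the decision logic runs offline.

```javascript
// Added example (not from the original post or from Mozilla): the relying-party
// side of a Persona/BrowserID login on a Node.js server. The browser obtains
// a signed identity assertion and POSTs it to this server; the server forwards
// the assertion together with its own audience (the site's origin) to the
// remote verifier and trusts the user's email address only if the reply passes
// the checks below. The HTTP call is injected (`post`) so the decision logic
// can run offline against the constructed verifier replies at the bottom.

const VERIFIER_URL = 'https://verifier.login.persona.org/verify';

// Body the verifier expects: the raw assertion and the audience, i.e. the
// scheme://host[:port] of the site the user is logging in to.
function buildVerifierRequest(assertion, audience) {
  return {
    url: VERIFIER_URL,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ assertion, audience }),
  };
}

// Relying-party checks on a verifier reply.
// Returns { ok: true, email, issuer } or { ok: false, reason }.
function checkVerifierResponse(resp, audience, now = Date.now()) {
  if (!resp || resp.status !== 'okay') {
    return { ok: false, reason: (resp && resp.reason) || 'verifier did not return status okay' };
  }
  // The audience in the reply must be exactly our origin: an assertion minted
  // for another site must never log a user in here, however well it is signed.
  if (resp.audience !== audience) {
    return { ok: false, reason: 'audience mismatch' };
  }
  // `expires` is a Unix time in milliseconds; assertions live for minutes.
  if (typeof resp.expires !== 'number' || resp.expires <= now) {
    return { ok: false, reason: 'assertion expired' };
  }
  if (typeof resp.email !== 'string' || !resp.email.includes('@')) {
    return { ok: false, reason: 'no email address in reply' };
  }
  return { ok: true, email: resp.email, issuer: resp.issuer };
}

// Full round trip: `post(url, body, headers)` performs the HTTPS POST and
// resolves to the parsed JSON reply; then the checks above are applied.
async function verifyAssertion(assertion, audience, post) {
  const req = buildVerifierRequest(assertion, audience);
  const resp = await post(req.url, req.body, req.headers);
  return checkVerifierResponse(resp, audience);
}

// Constructed sample replies in the shape the verifier documented.
const OUR_AUDIENCE = 'https://example.com';
const SAMPLE_OKAY = {
  status: 'okay',
  email: 'alice@example.org',
  audience: OUR_AUDIENCE,
  expires: Date.now() + 5 * 60 * 1000,
  issuer: 'login.persona.org',
};
const SAMPLE_FAILURE = { status: 'failure', reason: 'assertion has expired' };
const SAMPLE_WRONG_AUDIENCE = { ...SAMPLE_OKAY, audience: 'https://attacker.example' };

// Offline demo with a fake `post` that never touches the network.
if (typeof require !== 'undefined' && require.main === module) {
  const fakePost = async () => SAMPLE_OKAY;
  verifyAssertion('<assertion from the browser>', OUR_AUDIENCE, fakePost).then(console.log);
}
```

The audience check is the one developers most often forgot: the verifier only validates the audience you send it, so a server that computes its audience from the incoming Host header, or accepts any audience in the reply, can be logged into with an assertion obtained for another site.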
When it comes to web sites, implementing either Persona or WebID eliminates the need to store users' passwords securely in their databases.
After comparing those two systems,
let’s see two use cases in which we give recommendations about the best system
to adopt.
First, when it comes to social media, virtual communities and social networks, providers usually rely on the traditional login-password authentication system to manage the security of an unlimited number of members. As a result, they end up handling centralized databases containing huge amounts of data and an unbounded number of passwords. In this context, both decentralized methods explained above seem an efficient solution. However, we recommend the WebID authentication system for a social media provider that does not yet have an authentication policy. Indeed, it is more practical to adopt an evolving system rather than just an authentication one. Besides its secure authentication protocol, this system clearly aims not only at guaranteeing personal data ownership, especially for the profile document stored on a "personal cloud", but also at interoperability thanks to the extensibility of RDF. In this way, WebID-TLS lets users choose where to store their data and with whom to communicate and share it, whereas Mozilla Persona only covers the authentication part.
Nevertheless, when it comes to a company's Chief Information Officer (CIO) or IT Director who wants to deploy an authentication system, we recommend Mozilla Persona. Indeed, to secure and manage access to the company's web site, the BrowserID protocol is easier and more efficient to use and implement. As a result, an employee would not have to choose a certificate and migrate it from one computer to another as in the WebID system; they would simply use their account with their email address.
Although opinions on these two technologies range from supportive to critical, both are ultimately useful, and choosing one over the other depends only on the user's circumstances and requirements (who would use it, when and why?).
So, the choice is yours!
Ghada MHIRI & Amna BOUZAKOURA
Supervised by:
Mr. Olivier BERGER
In the context of:
A DIS-project in Télécom SudParis (DIS: Integration and Deployment of Information Systems)
Great work!
Thanks Badr!
Regarding the case of a deployment inside a company, where you seem to advocate Mozilla Persona, I'm not sure it is the best advice, as you would depend on the availability of the external IdP at Mozilla... which can be problematic if the connection to its servers is down. Is it possible to get rid of that and run your own IdP?
As WebID doesn't need IdPs, or just at the time WebIDs will be generated, which could be done when the IT staff welcomes a new staff member, or delivers him/her a new PC, I tend to think it could be a valid solution for enterprise deployment too?
Also, maybe you could provide a diagram which illustrates where the 2 protocols are similar, or differ, maybe by superimposing the two flows, and aligning the RP, IdP, user, user's browser, etc.?