Monday, 10 March 2014

Mozilla Persona Vs WebID-TLS


Over the past few years, web sites have become more and more vulnerable to malicious attacks. To counter these threats and build a web of trust, they keep trying to implement better authentication systems. Currently, most common systems require a username and a password to identify users. However, handling a different username and password for each account makes them difficult to remember.
To address this issue, new mechanisms and protection systems have been developed, such as Mozilla Persona, WebID-TLS, OpenID, Facebook login, Google login, Shibboleth, CAS, etc.

In the following article, we chose to compare Mozilla Persona and WebID-TLS on several different aspects. But before that, let's describe each system briefly.
Mozilla Persona is an authentication system for the web proposed as a new standard for identity systems. It was developed by the Identity Team at the Mozilla Foundation, with an initial release in July 2011.
Similarly, WebID-TLS is a distributed authentication system for the web and currently a work-in-progress open standard within the World Wide Web Consortium. It was developed by the WebID Community Group, with an initial release in December 2011.

Technical aspect:

If we start the comparison between these two systems with the technical aspects, we notice that each system is based on a specific protocol. Mozilla Persona is based on the open BrowserID protocol, a decentralized identity protocol that lets users prove ownership of email addresses in a secure manner, without requiring per-site passwords. WebID-TLS is based on the protocol formerly known as foaf+ssl, a secure authentication protocol that enables the building of distributed, open, and secure social networks.
If we now focus on how identity verification is ensured in these two systems, we notice that both are certificate-based authentication systems, but they differ in two dimensions: the format of the certificate and the mechanism of identity verification.
First of all, a certificate is an electronic document that uses a digital signature to bind a public key to an identity. It may have multiple formats:
With Persona, identity providers such as Yahoo! Mail or Gmail generate a JSON certificate, while with WebID the certificate is issued by the identity provider in X.509 format.
As for identity verification, each system uses its own mechanism. With Persona, to be sure that the user really possesses the email address used to log in, the site requires a further document called an "identity assertion" in addition to the certificate.
This assertion is a large encoded string which proves that the user owns the private key associated with the public key embedded in the certificate. Checking it is called "assertion signature verification", and it is done by the site.
But what if a user's email provider doesn't support Persona? In this case we speak of delegated authentication, in which the user's browser asks a trusted third party (for instance https://login.persona.org/) to certify the user's identity. That makes it simpler for web sites to support Persona, as the third party takes care of checking and verifying user identities.
Regarding the WebID authentication system, to be sure that the user really possesses the WebID (a URI), the service provider (usually a web application) verifies that the user's public key embedded in the certificate and the one located in the Document Profile retrieved at that URI are the same.
However, because of technical constraints such as implementation difficulties, service providers can delegate user authentication to a third party such as https://auth.my-profile.eu/, which takes charge of verifying the user's identity and then sends the result back to the service provider.

For a better understanding of this technical aspect, here are two diagrams which describe the mechanism of identity verification with Mozilla Persona and WebID-TLS:

1. Diagram of the mechanism of identity verification with Mozilla Persona

[diagram image not available in this copy]

2. Diagram of the mechanism of identity verification with WebID+TLS

[diagram image not available in this copy]


Security and Privacy of data aspect:

Having compared Mozilla Persona and WebID-TLS on the technical aspect, we now deal with another aspect: security and privacy of data. As we have seen in the previous part, user authentication is based on a certificate whose validity period is really critical. The longer a certificate is valid, the more likely it is that something has gone wrong in the meantime; for example, the user's computer could have been stolen, in which case anyone can use a certificate which in reality doesn't belong to them.
In this context, Mozilla Persona currently uses a JSON certificate with a validity period of 24 hours. With WebID-TLS, there is no limit on the validity of the X.509 certificate, since it depends on the identity provider who generates it.
Moreover, Persona preserves your privacy as a user, since it lets you keep complete control over your identity. It does not track your web activity; it is as if it created a wall between your identity and what you do once logged in.
With WebID-TLS, privacy is also guaranteed, since users are able to choose which people can access their information on the web by applying the Access Control Lists (ACL) defined in the Document Profile.

Ease of use aspect:

If we now move to another aspect, the ease of use of these two authentication systems, we may wonder whether the user interface is friendly enough to be understood by average users in all the steps involved, including account creation, certificate selection, …
In both Persona and WebID, account creation can be done in one click, respectively at https://login.persona.org/ or with any WebID provider such as https://my-profile.eu/. The creation of client certificates is also simple in both systems: with Persona they are generated by the identity provider, such as Gmail or Yahoo, and with WebID they are generated either at the same time as the WebID itself or using the HTML5 keygen element.
Furthermore, with Persona, certificate selection doesn't present any problem for the user, since it can be done by the web application in JavaScript.
With WebID-TLS, the selection dialog is good on Chrome, Safari, Opera and IE, which isn't the case in Firefox. There are several important deficiencies, especially for users who have more than one certificate: the user must choose the right one, and the browser asks more than once. It's a hard task, especially for someone who isn't familiar with handling certificates.
Another criterion relevant to ease of use is the possibility of moving certificates from one computer to another, which is not defined yet with Persona as it has not been implemented; on the contrary, with WebID, certificates can easily be moved between computers; importing/exporting client certificates is even a standard feature, for instance in PKCSxx format.
When we speak about ease of use, we can't ignore the fact that Mozilla Persona makes it easier for users to remember their usernames, since it's based on email addresses which users already know, understand, and naturally associate with online identities. You can use as many email addresses as you want, but you only need to remember one password: the one used to create your Persona account!
However, with WebID the task is harder! Users are forced to learn a new username which is an unintuitive URI; fortunately, nowadays there are some exchange means that make this easier, for example QR code scanners, NFC, …
Besides, with WebID there is no need for a password, which is a major advantage of this system!
So, in summary, Persona offers an easy way to migrate from a traditional authentication system based on a login and password per site to a new one, without having to switch all at once. You can use your current email address to create your account and use it to log in.
With WebID, by contrast, you unfortunately must switch all at once, and you have to master a lot of prerequisites, such as handling certificates.

Finally, what about the implementation aspect?

For developers, implementing Persona is easier than WebID, since it only requires adding a few lines of JavaScript (the login button and callbacks that POST the assertion to the server) and a cURL request (to validate the assertion). This is not the case with WebID: its implementation requires configuring a lot of software, such as the web server, OpenSSL, ...
When it comes to websites, implementing Persona or WebID eliminates the need to securely store users' passwords in their databases.
After comparing these two systems, let's look at two use cases in which we give recommendations about the best system to adopt.
First, when it comes to social media, virtual communities and social networks, providers usually rely on the traditional login-password authentication system to manage the security of their unlimited number of members. As a result, they end up handling centralized databases containing huge amounts of data and an unbounded number of passwords. In this context, both decentralized methods explained above seem to be an efficient solution. However, we recommend the WebID authentication system for a social media provider who doesn't yet have an authentication policy. Indeed, it's more practical to deal with an evolutionary system rather than just an authentication one. In addition to its secure authentication protocol, this system clearly aims not only to guarantee personal data ownership, especially for the Document Profile stored on a "personal cloud", but also interoperability thanks to RDF's extensibility. This way, WebID+TLS allows users to choose where to store their data and with whom to communicate and share them, while with Mozilla Persona only the authentication part is covered.
Nevertheless, when it comes to the Chief Information Officer (CIO) or IT Director of an IT company who would like to implement an authentication system, we recommend Mozilla Persona. In order to secure and manage access to the company's website, it's easier and more efficient to use and implement the BrowserID protocol. As a result, an employee wouldn't have to choose a certificate and migrate it from one computer to another as in the WebID system; they would just handle their account with their email address.
Although opinions on these two technologies differ, from supporters to critics, both are ultimately useful, and choosing one over the other depends only on the user's conditions and requirements (who, when and why would the interested party like to use it?).



So, the choice is yours!
Authors:
Ghada MHIRI & Amna BOUZAKOURA
Supervised by:
Mr. Olivier BERGER
In the context of:
A DIS-project in Télécom SudParis (DIS: Integration and Deployment of Information Systems)

4 comments:

  1. Regarding the case of a deployment inside a company, where you seem to advocate Mozilla Persona, I'm not sure it is the best advice, as you would depend on the availability of the external IdP at Mozilla... which can be problematic if the connection to its servers is down. Is it possible to get rid of that and run your own IdP?

    As WebID doesn't need IdPs, or just at the time WebIDs will be generated, which could be done when the IT staff welcomes a new staff member, or delivers him/her a new PC, I tend to think it could be a valid solution for enterprise deployment too?

  2. Also, maybe you could provide a diagram which illustrates where the 2 protocols are similar, or differ, maybe by superimposing the two flows, and aligning the RP, IdP, user, user's browser, etc.?
