Deployment and Usability of Cryptographic Credentials
Francisco Corella, Karen Lewison (Pomcor), 10/20/2011


1 Deployment and Usability of Cryptographic Credentials
Francisco Corella, Karen Lewison
Pomcor

2 Outline
- Privacy requires cryptographic credentials
- The deployment problem
- User experience
- Open question: how to explain unlinkability to the user

3 Privacy without Passwords Requires Cryptographic Credentials
- Levels of Privacy
  - LOP 0: Online identity provider
  - LOP 1: Offline issuer, linkable certificates
  - LOP 2: Issuance-show unlinkability
  - LOP 3: Issuance-show + multi-show unlinkability
- LOPs 1, 2 and 3 require cryptographic credentials

4 The Deployment Problem
- PKI certificates are a mature technology, but they have not been widely deployed on the Web for user authentication
- Why?
- Because they are not well supported by current Web technology
- By contrast, server certificates have been very successful because they are well supported

5 What's Missing in Current Web Technology
- Consistent support in browsers
- Full support in the core Web protocols (HTTP, TLS)
- Mechanism for issuing credentials automatically to the browser

6 Browser Should Manage and Present Credentials
- … because user should not have to install any software
- Browser could associate credentials with different personas (e.g. work email vs. personal email)
- Syncing credentials between browsers on different devices is easy by equipping each browser with key pairs for encryption and signature

7 Cryptographic Credentials Should be Supported by HTTP and TLS
- The relying party should ask for specific credentials or attributes in an HTTP response message
- The browser would then present credentials within TLS, after the handshake, in a separate TLS layer to be specified

8 Credentials Should be Issued Automatically to the Browser
- Interactive issuance protocols would be run within TLS, in a separate TLS layer to be specified, eliminating HTTP and application overhead
- TLS would then interleave protocol interactions with transmission of application layer data
- Cryptographic protocols could use the PRF facility provided by TLS

9 User Experience
- Browser takes care of all the details
- User clicks on login button or requests functionality that requires authentication
- Relying party asks for credentials, which browser locates in its credential store or in smart card, possibly based on currently active persona
- Browser may or may not ask for permission to present the credentials
- "Don't ask again"

10 Open Question
- User is entitled to know the privacy provided by each credential
- How can that be explained to a casual user?
- Unlinkability is not a trivial concept
- Unlinkability does not matter if disclosed attributes uniquely identify the user
- Are LOPs the answer?
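
An added illustration (not part of the presentation) of the difference between LOP 1 and LOP 2 from slide 3, and of why unlinkability is hard to explain. It uses a textbook RSA blind signature as one well-known way to obtain issuance-show unlinkability; the slides do not name a scheme. The toy key, the function names and the sample credential are all constructed for this example.

```python
import hashlib
import math
import secrets

# Toy issuer key, constructed for this example (far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1              # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # issuer's private exponent

def digest(credential: bytes) -> int:
    return int.from_bytes(hashlib.sha256(credential).digest(), "big") % N

def issuer_sign(value: int) -> int:
    """The issuer signs whatever value it is handed."""
    return pow(value, D, N)

def verify(credential: bytes, sig: int) -> bool:
    """Relying party check: sig^E == H(credential) mod N."""
    return pow(sig, E, N) == digest(credential)

def issue_linkable(credential: bytes):
    """LOP 1: the issuer sees exactly the value and signature shown later."""
    m = digest(credential)
    sig = issuer_sign(m)
    return sig, (m, sig)                 # (user's signature, issuer's log)

def issue_blinded(credential: bytes):
    """LOP 2: the user blinds the value, so the issuer's log differs."""
    m = digest(credential)
    while True:                          # pick a blinding factor coprime to N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = m * pow(r, E, N) % N
    blind_sig = issuer_sign(blinded)     # equals m^D * r mod N
    sig = blind_sig * pow(r, -1, N) % N  # unblind: m^D mod N
    return sig, (blinded, blind_sig)

def issuer_can_link(log, credential: bytes, sig: int) -> bool:
    """Issuer colluding with a relying party compares its log to the show."""
    return log == (digest(credential), sig)

def demo():
    cred = b"constructed credential: pseudonym key 0x1234"
    s1, log1 = issue_linkable(cred)
    s2, log2 = issue_blinded(cred)
    # The same (cred, s2) pair is presented at every show, so relying parties
    # can still link shows to each other; LOP 3 needs a different mechanism.
    return (verify(cred, s1), issuer_can_link(log1, cred, s1),
            verify(cred, s2), issuer_can_link(log2, cred, s2))
```

Both credentials verify identically at the relying party, so nothing the user sees at show time distinguishes the linkable credential from the unlinkable one.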

