
Re: Verifiable Claims Telecon Minutes for 2016-03-29

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 30 Mar 2016 20:51:47 +0200
To: Henry Story <henry.story@bblfish.net>
Cc: Carvalho Melvin <melvincarvalho@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>, Kaliya IDwoman <kaliya-id@identitywoman.net>, Credentials CG <public-credentials@w3.org>
Message-ID: <56FC2043.9090902@gmail.com>
On 2016-03-30 19:47, Henry Story wrote:
>
>> On 30 Mar 2016, at 15:55, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> On 2016-03-30 16:49, Melvin Carvalho wrote:
>>>
>>>
>>> On 30 March 2016 at 16:39, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>
>>>     In addition to technical issues it is also interesting noting that new developments
>>>     in this space are likely to get limited support from the (browser) platform vendors:
>>>     https://lists.w3.org/Archives/Public/www-tag/2016Mar/0001.html
>>>
>>>     Apparently it is not enough to be the inventor of the Web and being knighted by the Queen
>>>     to keep even the old stuff intact!
>>>
>>>
>>> A correction to this: Firefox has confirmed that they WILL follow the TAG's recent advice and not deprecate any used functionality until there is a suitable replacement.
>>
>> Suitable replacement?  Since the core issue (when you connect all the dots out there in various lists and forums...) is rather the deprecation of client certificates on the Web, the only imaginable replacement is FIDO Alliance tokens and technologies.
>
> If you look carefully, client certificates have not been deprecated. Hardware supported certificates are supported still.
> What has been removed by Chrome is the easy low cost generation of client certificates via keygen. keygen was a bit
> broken, true, but it should be easy to fix those, one way or another.
>
> See https://github.com/w3ctag/client-certificates
>
> There is of course a lot of potential to improve certificates. X509 is not a be all end all. It works, but there is huge room for
> improvement.

If we stick to X509 client certificates and browsers, no such improvements are in sight.  The client-certificates write-up is a political paper to show "good will".

The deprecation I refer to is for example mentioned here:
https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0093.html

"and it puts authentication at a layer (the TLS handshake) where it is fundamentally problematic to the commonplace scalability and performance architecture of anything but hobbyist-level applications"

Anders
>
>>
>> Creating "a better keygen" is clearly not considered.
>>
>>>
>>>     Personally, I advocate for solutions that make third-party extensions of the Web (browser)
>>>     architecture a reality because then you can iterate and experiment a bit before launching
>>>     new schemes, regardless if it is a proprietary product or a standard-to-be.
>>>
>>>     Anders
>>>
Received on Wednesday, 30 March 2016 18:52:32 UTC