W3C home > Mailing lists > Public > public-identity@w3.org > August 2011

Re: WebID and HTTPS Client Certificate Authentication

From: Dave Raggett <dsr@w3.org>
Date: Sun, 07 Aug 2011 20:47:05 +0100
Message-ID: <4E3EEBB9.2090201@w3.org>
To: Henry Story <henry.story@bblfish.net>
CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>
On 06/08/11 10:44, Henry Story wrote:
> On 6 Aug 2011, at 10:39, Anders Rundgren wrote:
>
>> I believe we have entered another phase of web development were alternative
>> routes to standardization are becoming more common due to the slowness and
>> political difficulties associated with SDO processes.
>>
>> That just about everybody is connected to the Internet and can update
>> their SW platform in minutes makes the new ecosystem highly dynamic.
>>
>> It isn't even necessary getting everything completely right from scratch.
>> My experiences @ TrustedComputingGroup indicates that the traditional way
>> of developing stuff for the masses is simply put contra-productive.
>>
>> IMO "all bets are off" regarding the final solution for secure and
>> ubiquitous access to the Internet.  It presumably lies in the hands of
>> browser vendors and service providers.
> Yes, but if you look at it you will see that the problem they will all face is the problem of  reference, not the problem of cryptography. It is the problem of trust of CAs that will always come back. So unless one works on that - a semantic web task - the issues will always come back. People are always mesmerised by syntax, thinking it is a syntactic problem they are confronting, when in fact it is at a different layer: distributed trust semantics.

I agree with the issue of trust. CA's don't really reflect the trust 
models we have for people and organizations.

For businesses, I would like to see credentials provided by national or 
regional bodies such as Companies House in the UK, as well as 
organizations charged with responsibilities for oversight of particular 
industry segments. For individuals, you would have government issued 
credentials, as well as scoped credentials such as for current 
membership as a student at a given university.

Strong credentials are needed for privacy friendly authentication where 
the relying party is given a proof that the authenticated party has 
certain attributes in a strong credential, but via a process satisfying 
the principle of minimal disclosure of personal information for the task 
in hand. I plan to work on extending webkit and Mozilla to support this, 
as working code is always more compelling than just talk. However, to 
realize the trust models we need to discuss what is needed to support a 
culture of credentials that match up to real world requirements.

-- 
  Dave Raggett<dsr@w3.org>  http://www.w3.org/People/Raggett
Received on Sunday, 7 August 2011 19:47:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 7 August 2011 19:47:32 GMT