Re: TLS-CCA. Was: Browser UI & privacy - a discussion with Ben Laurie

On 6 October 2012 09:13, Ron Garret <ron@flownet.com> wrote:

>
> On Oct 5, 2012, at 11:49 PM, Melvin Carvalho wrote:
>
>
>
> On 6 October 2012 08:16, Anders Rundgren <anders.rundgren@telia.com> wrote:
>
>> On 2012-10-05 20:47, Henry Story wrote:
>>
>> >> WebCrypto could very well become a better mousetrap than TLS CCA.
>> >
>> > By WebCrypto you mean using javascript. That does not really change anything.
>>
>> It does because it liberates WebID from a scheme (TLS CCA) that in its current
>> form is doomed as a consumer solution.
>>
>> TLS CCA is actually quite popular and useful for creating secure tunnels between
>> servers.  However, as a web solution for end-users TLS CCA has essentially not
>> taken a single step forward since 1996!  Well, the "underpinnings" have changed
>> considerably but that doesn't help much since its "behavior" remains neanderthalish.
>> The latter is presumably "by design".
>>
>> I'm surprised that you find the current key generation mechanisms useful.  No major
>> user of consumer-PKI I have heard of actually uses them.  "<keygen>" as featured in
>> Chrome was also designed in the '90s.  This is a very touchy issue since
>>
>>    http://www.ietf.org/mail-archive/web/pkix/current/msg31241.html
>>
>> caused the PKIX chairs to remove me from the list!
>>
>
> Anders, did you ever look at this?
>
> http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0047.html
>
> A full javascript solution to WebID including crypto libraries.
>
> May be interesting to this group.
>
>
> As long as Forge has entered the conversation I would also like to point
> to my own identity project:
>
> http://dswi.net/
>
> DSSID uses Forge for its crypto, but it uses a different protocol
> specifically designed to be simple for clients to integrate with.  Note:
> this code is not ready for production use.  Feedback and comments are
> welcome.
>

Wow, looks really nice.

If I'm not mistaken, it's quite similar to a web version of SSH?

Does this solve Harry's unlinkability problem too?


>
> rg
>
>

Received on Saturday, 6 October 2012 07:29:41 UTC