Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo

Henry, hello.

I don't have much more to add here, because I can't fundamentally add much more than assertion, but I have a couple of brief responses.

On 2013 Aug 9, at 14:41, Henry Story wrote:

>> I don't have an easy solution to this -- I can see all the problems with creating applications which users have to run to generate WebIDs, and regarding which they then have to be given follow-up instructions.  But doing this in the browser, though technically neat and correct, may have killing UI/model problems, as described above (because of the invisibility and passivity of the browser in most people's conception), and these problems may make the browser-generation route less successful in the end.
> 
> I am not convinced. The problems with Certificates in the Browser are entirely to do with the problem of dealing with CAs. 
> Clearly a bit of education is needed, and what better than a web site to do that. 

I think you're very optimistic about what 'a bit of education' can do.

I've long had X.509, ssh and PGP/GPG keys, I've used the Java X.509 API in the past, I understand large fractions of the technology and maths of public key crypto, I've written my own DER codecs and I can (albeit now only with a crib) read X.509 certificates by eye, using od(1).  I am roughly as educated about certificates as it is possible to be, and I _still_ get confused about where my damn certificates are, and I still mess up an annual browser-based certificate renewal request.

I agree that some of this stuff is 'just' a matter of UI improvements (though the number and profundity of the UI problems at <http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues> -- and the incompleteness of the list -- is dispiriting).  My suggestion here is that I believe the conceptual difficulties inherent in managing and conceptualising certificates _within a web browser_, though presumably not insurmountable, are significantly challenging, in the sense that they will require a lot more than just a bit of UI tweaking to address.

I know that I didn't have this problem back when I was coding/working with certificates daily, as many people in this thread will be still.  But now I'm not, and I'm apparently _very_ promptly back with the naive users.

>>> http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues
>> 
>> Oooh, they're awful.  I just checked, and I submitted an Apple bug report about this -- detailing the awfulness and inadequacy of Safari's and Keychain Access's UIs here -- back in October 2008, which finally received "We are closing this bug since our engineers are aware of the issue and will continue to track it" in November 2011, and nothing since.  *sigh*
> 
> The Chrome and Opera UIs are pretty good. Apple's too, it's just that it has a privacy issue.

I don't think I agree with this, either: the list of failings at that URI is pretty killing.  I can't even log out with a non-working certificate!

The OS X experience is better (from my point of view) only because the keychain (separate from the browser), and the standalone Keychain Access application, means that I have a better conceptual model of where my certificates are, than I would if they were entirely within the browser.

All the best,

Norman


-- 
Norman Gray  :  http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK

Received on Friday, 9 August 2013 14:46:17 UTC