Re: Public-Key authentication for websites

Christoph Hack wrote:
> Today public keys are very popular and most Internet applications
> support GPG keys (e.g. lots of mail readers and Jabber). Those public
> keys are much more secure and the user doesn't have to transmit his
> password and remember it.
> 
> But up to now, there aren't any Web Browsers which support a way to
> ask the user to sign something with his personal GPG Key. (please tell
> me if I'm wrong). But I think if somebody could write a RFC or something
> similar for that, there might be a chance of getting this feature into
> some full-featured browsers :)

It is rather too easy to write stupid RFCs, of which there are a 
disturbingly large supply gumming up the works.

Rather, the correct approach is to take an open source browser and open 
source server, create an addon or fork that supports this with an 
actually usable and convenient user interface, and then write an RFC 
that describes what it takes to be compatible to this existing code.

RFCs that fail to correspond to useful code that is actually in use at 
the time the RFC is written often never come to correspond to useful 
code, or worse, are actually implemented as broken implementations that 
work "correctly" but fail to solve the problem they were supposed to 
solve - the typical product of design by committee.

The other extreme to the no-code RFC is the Microsoft-style RFC, which 
declares that any conforming code must conform to a vast pile of ill-
defined existing code that no one now quite understands any more.  An 
RFC should sail between these two extremes - which requires a running 
hack, and preferably a hack that has gone through at least one round of 
refactoring to render it somewhat elegant.

Received on Saturday, 16 February 2008 21:23:42 UTC