- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sun, 04 May 2014 17:29:08 -0400
- To: public-webid@w3.org
- Message-ID: <5366B124.5070701@openlinksw.com>
On 5/3/14 7:42 AM, Anders Rundgren wrote:
> On 2014-05-03 13:19, Melvin Carvalho wrote:
>>
>> On 3 May 2014 10:08, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> Now I have tried it out as well including the micro-blogging.
>>
>> Awesome. I typed your name "A n d e r" into the channel finder and your webid came up after about 3 letters. I'm now following you.
>>
>> It was cool with one exception, TLS CCA (Client Certificate Authentication)
>>
>> Logging in to http://cimba.co required me to select certificate twice and
>> from a pretty long list of non-WebID certificates.
>>
>> Unless W3C gets their act together and creates a web-compliant replacement
>> for TLS CCA, WebID won't ever catch on. I have no faith in W3C for taking
>> any action on this since not even the requirements have ever been discussed.
>> TLS is a sacred cow.
>>
>> I think there's a slight distinction between WebID and WebID+TLS.
>>
>> WebID itself is independent of the auth mechanism.
> Yes, this enhancement was introduced as a "workaround".

Not a workaround, a point of fundamental clarity. Conflating things never works. WebID as the moniker for WebID-TLS protocol was a piece of poor marketing and technology evangelism. This bug has been fixed, and we just need to make this crystal clear to everyone. A WebID is simply an HTTP URI that denotes an Agent. That's it.

>
>> One hope was that mozilla labs would help with the UX, as below.
>>
>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
> That's where it gets wrong, there is no UX problem to solve. It is the
> underpinning TLS CCA scheme that is the sole culprit which is why Google,
> Microsoft, Paypal, RSA, ARM (!), etc. abandoned it in favor of U2F.

Yes, and all this really means is simply this: incorporate as much of WebID-TLS into U2F as possible. That's what we will do, as our natural instinct, at OpenLink Software.

>
> Your best option at this stage is probably defining a WebID-U2F profile.

Yep! As per my comments above.

>
> Personally, I'm not overly interested in U2F, it is much simpler making
> client-side X.509 "web-compatible" by building on the already established
> schemes out there.

Yes, but that's a problem due to the manner in which Browsers have been implemented and the impossible politics that swirls around getting them to fix this flaw.

Kingsley

>
> Anders
>
>>
>> Fortunately Google hadn't any problems slaughtering this poor creature
>> when they started their U2F project which have created a hype I haven't
>> seen before during my 15Y+ in the "id-business". It didn't take an
>> eternity either.
>>
>> Anders
>> grumpy old fart with a mission

--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Sunday, 4 May 2014 21:29:33 UTC