Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO)

There is another aspect that most people tend not to see right away. X.509
certs and the whole PKI system has suffered several blows recently, with
less and less people trusting the CA system. I'm pretty sure that banks are
aware of this when they consider whether to deploy X.509 client certs for
their customers.

Compared to PKI, WebID-TLS (even with its UI issues) still remains a strong
candidate, since it doesn't rely on CAs, but instead on the WOT and
asymmetric crypto (which was proven to work well so far).

-- Andrei


On Mon, May 5, 2014 at 12:09 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> Around 2005 Microsoft announced its pretty cool Information Card concept
> with
> the hope that for example banks would adopt it.
>
> I told Microsoft folks early on that banks in the EU have already put their
> money on X.509 certificates but unfortunately they can't use the solution
> featured in Windows and IE.  If you fix that, they may indeed jump on the
> Information Card bandwagon.
>
> Microsoft did neither listen to me nor checked with the banks what the
> problem
> could possibly be.
>
> Six years later they were forced withdrawing the entire Information Card
> concept
> from the market due to lack of adoption. It goes without saying that they
> haven't
> considered making X.509 client authentication useful for bank-users even
> in the most
> recent incarnations of Windows; they have rather opted for U2F like the
> competition.
>
> What I wanted to say with this is that "denial" is a human and natural
> reaction,
> but if the condition stays forever, it becomes a problem.
>
> In the WebID-TLS case the "defection" to U2F by all platform vendors
> except Apple
> and Mozilla indicates that it's time to "Kill Your Darlings" and move on.
>
> Anders
>
>