Re: Browser usability of Certificates - List of issues from Andrei Sambra on 2014-11-21 (public-webid@w3.org from November 2014)

From: Andrei Sambra <andrei.sambra@gmail.com>
Date: Fri, 21 Nov 2014 09:21:04 -0500
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "henry.story@bblfish.net" <henry.story@bblfish.net>, Mo McRoberts <Mo.McRoberts@bbc.co.uk>, "public-webid@w3.org" <public-webid@w3.org>
Message-ID: <CAFG79egocZ8Ks-Y_E4Y4BEYkL7-t=xzNkLUkOGQh+3-7Kf-Arg@mail.gmail.com>

On Fri, Nov 21, 2014 at 9:18 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

>  On 2014-11-21 15:12, Andrei Sambra wrote:
>
>
>
> On Fri, Nov 21, 2014 at 7:37 AM, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
>
>> On 2014-11-21 12:58, henry.story@bblfish.net wrote:
>> <snip>
>>
>>> Ok, in your case as you are creating certificates for the BBC (and its
>>> partners?),
>>> which is a large enough community for these to having meaning. Perhaps
>>> an explanation
>>> of how you use certificates would be useful. Where do people login with
>>> your
>>> Certificates? Only on the BBC site? Or also partner sites?
>>>
>>> In general CA requirements make it impossible to use for any
>>> company smaller than the BBC. Particularly it makes it useless
>>> for individuals or small companies, as without a CA nobody would
>>> recognise their certificate. It would only be useable for their
>>> own site, in which case username/passwords would be all that is
>>> needed.
>>>
>>
>>  Henry,
>> PKI (when it works) is just a better version of username/password.
>>
> Actually it is a lot more than that, and this is probably the "key" (sic)
> element you're missing. PKI does not require servers to create and manage
> usernames/passwords. Instead, it allows for a completely decentralized
> system based on (a certain level) trust. You _cannot_ create
> usernames/passwords apriori for the whole planet. :-)
>
>
> Andrei,
>
> I wasn't referring to WebID or the social web but to the since long time
> deployed PKIs like the US federal government PKI which are isolated trust
> networks.
>
Fair enough. I was simply pointing that PKI is vastly superior to
username/password, not just a better version, all in the context of this
mailing list (IG).

-- Andrei


>
>
> Anders
>
>
>  -- Andrei
>
>>
>> How far a specific certificate takes you is identical to any other login
>> mechanism.
>> Enterprise certificates typically aren't used outside of the enterprise.
>>
>> If your company is using AD, PKI comes for free as a part of the MSFT
>> package.
>> For this market PKI works reasonably well and this is the only market
>> MSFT cares about.
>>
>> Anders
>>
>>
>>
>>
>
>

Received on Friday, 21 November 2014 14:21:52 UTC