RE: self-signed

On 19 Apr 2011, at 21:49, Kingsley Idehen wrote:

> On 4/19/11 4:14 PM, Mo McRoberts wrote:
>> You yourself gave a key example of this right at the beginning of the thread: you had certificates
>> with unsupported schemes, and they didn't work. You were confused as a result, and thought there
>> was a bug. You're a smart, experienced, technically-savvy user — how's my grandmother going
>> to cope with that situation?

> Which is why implementers should deliver clear messages when they hit faults related to a URI that
> serves as WebID in a Cert. That's basically the essence of the matter. This issue is a few steps away
> from grandma as she shouldn't really care about such details.  Not caring doesn't mean HTTP scheme
> specificity couldn't adversely affect her ability to control her own vulnerability (privacy) in cyberspace, 
> at the very least. 

Okay then — excuse my ignorance — please outline to me, how _exactly_ it will work when:

a) Grandma has a "WebID" certificate containing only a SAN with a mailto: URI

and

b) the server (with a "Log in with your WebID!" button) only supports http: and https: URIs

What *exactly* do you think should happen in this instance?

From my personal perspective, from my understanding of WebID (and from the point of view of the project I work on and whether WebID can be a part of it), this situation simply shouldn't be something which arises outside of experimental environments.


> It isn't so simple when the protocols in use are ambiguous about their essence. To me, URI agnosticism
> is crucial re. WebID viability. Any task that negates this is broken. Again, that doesn't mean every
> implementation has to support multiple schemes, it simply means that on implementation should
> make a scheme specific fatal fault assertion about a Cert. based on the scheme of the WebID that
> it bears. Indicating an inability to understand the scheme of the WebID is much better than inferring
> that the WebID is invalid.

A failure's a failure from an end-user's perspective. The “why” is only important if you understand enough to diagnose. Indicating an inability to understand the scheme of the WebID is _only_ better than inferring that the WebID is invalid if you're a developer, for the most part. In either case, the damned thing doesn't work, the tech's rendered worthless.

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A

http://www.bbc.co.uk/

Received on Tuesday, 19 April 2011 21:04:22 UTC
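
The two outcomes debated in this message for case (a)/(b), an "unsupported scheme" fault versus an "invalid WebID" fault, can be made concrete. The sketch below is an added illustration, not code from the thread or from any WebID implementation: the function names, fault names and message wording are hypothetical, the SAN values are constructed, and the URI SANs are assumed to have already been extracted from the client certificate.

```python
from enum import Enum
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"http", "https"}  # assumption: what this server can dereference

class Fault(Enum):
    NONE = "ok"
    NO_URI_SAN = "certificate carries no URI subjectAltName"
    MALFORMED_URI = "WebID is not a well-formed absolute URI"
    UNSUPPORTED_SCHEME = "WebID scheme is not supported by this server"

def classify_webid(uri):
    """Classify one SAN URI; returns (Fault, scheme or None)."""
    try:
        parts = urlsplit(uri.strip())
    except ValueError:               # e.g. a broken IPv6 literal in the authority
        return Fault.MALFORMED_URI, None
    if not parts.scheme:
        return Fault.MALFORMED_URI, None
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        return Fault.UNSUPPORTED_SCHEME, scheme   # well-formed, just not usable here
    if not parts.hostname:
        return Fault.MALFORMED_URI, scheme        # http(s) URI with nothing to fetch
    return Fault.NONE, scheme

def check_certificate(san_uris):
    """Return (usable_webids, fault, user_message) for all URI SANs of one cert."""
    if not san_uris:
        return [], Fault.NO_URI_SAN, "This certificate does not contain a WebID."
    results = [(u, *classify_webid(u)) for u in san_uris]
    usable = [u for u, fault, _ in results if fault is Fault.NONE]
    if usable:                       # one supported WebID is enough to proceed
        return usable, Fault.NONE, "WebID accepted for verification."
    unsupported = sorted({s for _, f, s in results if f is Fault.UNSUPPORTED_SCHEME})
    if unsupported:
        msg = ("Your certificate was not found to be invalid. This site only accepts "
               "http/https WebIDs and yours uses: " + ", ".join(unsupported) + ".")
        return [], Fault.UNSUPPORTED_SCHEME, msg
    return [], Fault.MALFORMED_URI, "The WebID in this certificate could not be read."

if __name__ == "__main__":
    # Constructed sample SAN lists: case (a)/(b) from the message, then a mixed cert.
    for sans in (["mailto:grandma@example.org"],
                 ["mailto:grandma@example.org", "https://example.org/card#me"]):
        print(sans, "->", check_certificate(sans)[1:])
```
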