RE: [foaf-protocols] HTTP request header field for acceptable authentication methods

From: Peter Williams <home_pw@msn.com>
Date: Sat, 5 Nov 2011 11:36:30 -0700
Message-ID: <SNT143-W2AC39E9EF1AB02B29D1D792DB0@phx.gbl>
CC: <bergi@axolotlfarm.org>, <julian.reschke@greenbytes.de>, <http-auth@ietf.org>, <fielding@gbiv.com>, <foaf-protocols@lists.foaf-project.org>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>, <ietf-http-wg@w3.org>, <public-rww@w3.org>

The issue of webid, browserid (and the 5 other latest schemes doing the same thing) has become religious, at the cultish level. One sees the cc: trick, as folks seek to make their case. To be fair, the browserid community is a bit more disciplined than others, on keeping a lid on broadcast-based proselytizing.

All I see is 5 new unverified schemes with about a max of 1000 users each (mostly developers), vying for attention in the usual vendor space. Each denies the legitimacy of the other, including such as gmail or yahoo or openid or SAML or ws-fedp, or OAUTH, or OAUTH v2, or anything else. As a consumer of such assertions, I reject any scheme proposal IF IT HAS THAT POSTURE. The posture means it's too immature for adoption by the likes of us (mainstream). We are really not interested in another Google Wave.

There seems nothing to be done to stop the endless pursuit of assertion protocols. Any scheme that half-works simply induces a counter-scheme to become designed, as folks seek to impose some or other twist on what MUST now be trusted. This seems to be lobbyist-based, as some new infrastructure business sees $$ in controlling user logon. For browserid, someone believes that only email providers enable scalable verification.

For our users, half of them use gmail and gmail already does the equivalent of a browserid assertion and validation. It's called openid v2. For me, it was trivial to integrate openid (i.e. Google), as Microsoft's ACS identity gateway did 100% of the work for us. Integrating microsoft gateway was pretty trivial, too. It wasn't hard to persuade the security auditor that our work was "reasonable."

If it helps, perhaps note that we are service provider. We are logically an adoptee of schemes such as browser, assuming they deliver a 100 million users to our door - since we need the problem solved "at a national level". It's just the nature of real estate. We have even decided to get out of the login and authentication business (after 40 years).

Nothing helped make anyone happy - despite having delivered password management, securid tokencodes, phone-based SMS, passmark anti-fraud neural networks, and even biometrics. We even designed our own secure USB key, for a while. No user community was/is happy. Every subgroup wants some twist, to suit their personal hot button issue. The user community is almost as fragmented as the vendor community. Of course, no one will pay anything, as it's someone else's responsibility. What's more (in our unusual space), no ads are allowed - so even that funding trick is unavailable. Folks cannot even trade off their privacy for free security technology.

If anyone cares (and I rarely find folks in the religious phase of a movement could give a damn, wanting only to preach to those likely to be "converted") we have stopped accepting any of the third-party schemes, unless it's gatewayed to us by the Microsoft Azure ACS service. For the next year or two, they are the gatekeeper on the n schemes, rewriting the n assertion blob formats into one. It's not that there is anything special about the Microsoft Azure service to us, other than it's scheme agnostic. What it does is make identity verification less of a "miserable affair", removing the posturing and the carping that is getting in the way of delivering service values.

Hope the feedback on the list's tone helps.

> CC: bergi@axolotlfarm.org; julian.reschke@greenbytes.de; http-auth@ietf.org; fielding@gbiv.com; foaf-protocols@lists.foaf-project.org; public-xg-webid@w3.org; ietf-http-wg@w3.org; public-rww@w3.org
> From: mnot@mnot.net
> Subject: Re: [foaf-protocols] HTTP request header field for acceptable authentication methods
> Date: Sat, 5 Nov 2011 12:55:26 +1100
> To: home_pw@msn.com
> 
> Not sure why you're asking me; perhaps the cc list needs to be trimmed? 
> 
> On 05/11/2011, at 12:45 PM, Peter Williams <home_pw@msn.com> wrote:
> 
> > So what is webid vs webid-tls?
> > 
> > Does webid tls exclude ssl v3?
> > 
> > I ask as only very specific agendas call for the elimination of ssl v3. Only .001%  of the users know the difference, and less than half of those can accurately state it.
> > 
> > 
> > On Nov 4, 2011, at 2:28 AM, "Mark Nottingham" <mnot@mnot.net> wrote:
> > 
> >> 
> >> On 04/11/2011, at 9:34 AM, bergi wrote:
> >>> 
> >>> Authentication Scheme
> >>> 
> >>> I was thinking about this a little bit more and now I'm not sure if we
> >>> should use WebID or WebID-TLS or even something else. From the
> >>> terminology point of view WebID-TLS would fit better.
> >>> 
> >>> HTTPBis, part 7, section 2.3 [1] points to a link on the IANA web site
> >>> which is dead [2]. I haven't found a new URL. Somebody knows if this
> >>> page has moved somewhere else?
> >> 
> >> That link is dead because HTTPbis hasn't been through the entire process yet; the IANA registries will be established later on.
> >> 
> >> Cheers,
> >> 
> >> --
> >> Mark Nottingham   http://www.mnot.net/
> >> 
> >> 
> >> 
Received on Saturday, 5 November 2011 18:39:42 GMT
