- From: Peter Williams <home_pw@msn.com>
- Date: Sat, 7 Jan 2012 12:37:29 -0800
- To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-W43F3E76D4F5B7E68923A67929A0@phx.gbl>
One of the differences between MSFT/Novell and SUN/Mzoilla was while all group delivered SSL to US DOD (office brigade), only the first two did it for long enough. Most of the SUN certs stuff was either pro forma (formal wars, which they lost, with MSFT for mindshare) or on contacts, for sepcialized (and indeed higher assurance areas) of DOD (el al). But only the first two stayed focussed oncommodity needs (so what works for DoD offices tends to work for every other class of office, too; and then consumers). yes, obviously, all the militarisms have to get dropped off at the gate, but the commodity support is what matters. In microsoft cases, it was just not proftable (being about evil $$) to maintain some code for a big (but not particularly well paying) customer, and other code base for the rest of us. For that world, the onus was on the smartcard (as the repository of the private key, and point of control over https client tunnel endpoint formation). but, it is useful to see what we can learn. When one does a "logout", does this mean (as one who worked with a great Ukrania/Russian engineer on smartcard middleware for browsers) that one also closes down the channel between browser and smartcard? Does one invoke the smartcard applets' own logout (for the US style of card, using CAC applets in javacard, or otherwise)? Does one make the card reader terminal say something? What happens the card is wireless (as in Apple Near Field cards)? Obviously, one site doing a logout should really not interfere with the SSL channels sourced to the smartcard multiplexing channel endpoints with 100 other sites (as supporting page postback or ajax client-side controls in other tabs/browser instances). Whant happens when the user is conencting to a browser OVER an RDP session, given the nature of RDP is that the card reader on the rdp reader's client is that which the remote browser isntance thinks its talking to? (RDF is able to remotely project local devices, for CCID (smarcard/crypto) enumeration on the remote browser instance). Does this log the user out of windows too, since its hosting the RDP client (and using its own IE to talk to other sites with https). I know folks are only just now getting to grips with real https (and client certs). I dont expect folks to have the kind of knowhow and expeirnece I have (having done nothing else... for years). but, there are some practices its worth copying. The first thing to do, is not assume the worst, and that its all an evil plot (that suppresses open source, PGP, local trust models, or innovation itself). So far on commodity crypto, it Microsoft 10, Evil 0. Date: Sat, 7 Jan 2012 14:45:51 -0500
From: kidehen@openlinksw.com
To: public-xg-webid@w3.org
Subject: Re: wot won Thing, asked W3C Identity Conference
On 1/7/12 11:57 AM, Henry Story wrote:
On 7 Jan 2012, at 17:38, Peter Williams wrote:
The identity conference hosted by W3C aksed
folks to state one thing that could be done by all
browser manufacturers, that makes a difference. The
difference doesnt have to save this world. It just has
to remove a disabling barrier.
For me, its for ALL mainstream browsers to have
something similar to that provided in IE8+: the "New
Session" menu item. This is that which, in the SSL
world, allows me to stay on the same site (e.g. WebID
Realm) and change client certificate, without exiting
the browser. (It may have other properties related to
pseudo-privacy, too)
With all mainstream browser others than IE8+, I have to
exit the browser to use a differnt persona (and even all
instances of the process, in some of the worst cases).
With New Session I dont. I get a new brower window (with
new tab set), enabled with new SSL client authn.
Very nice. It seems that Microsoft has the best
implementation of https at present. With IE you can
- logout (using javascript)
- your sessions
- a nice cert selection box
- supports Want request
All the other browsers have one of those missing
- Firefox has an butt ugly selection box
- Chrome, Opera, and Safari have no way to log out
- Safari does not even let you log out multiple times
(this is a serious security hole)
- Opera and Safari require the server to ask for the
certificate in NEED mode if they are going to send it
One annoyance for IE is lack of the html5 keygen element,
which means implementations are more difficult, but this can
be dealt with.
Now everybody knows I am far from an unconditional M$
supporter (having worked for Sun Microsystems), but I think
here this has to be said quite clearly. The failure of the
other browsers is entirely their own fault at this level.
Yep!
+1000
As a result people here should do the ultimate to do a good
job supporting IE. They still have 50% of the market, and it
would be silly to loose our message 50% for internet users.
+1000
This is how you will ultimately get all the other browsers in line.
Decision makers hate "opportunity costs" that erode business models.
This is the only thing any technical person needs to understand.
Basically, make "opportunity costs" palpable to decision makers by
leveraging the amplifier offered by the WWW + Internet (InterWeb).
You will be amazed how quickly the other browsers will get in line
:-)
This is worth having universally. WebID depends on it,
I'd counsel.
The second thing is ... almost equally useful. But, Im
not allowed two wishes.
Social Web Architect
http://bblfish.net/
--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Received on Saturday, 7 January 2012 20:38:00 UTC