W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2012

RE: wot won Thing, asked W3C Identity Conference

From: Peter Williams <home_pw@msn.com>
Date: Sat, 7 Jan 2012 12:37:29 -0800
Message-ID: <SNT143-W43F3E76D4F5B7E68923A67929A0@phx.gbl>
To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>


One of the differences between MSFT/Novell and SUN/Mzoilla was while all group delivered SSL to US DOD (office brigade), only the first two did it for long enough. Most of the SUN certs stuff was either pro forma (formal wars, which they lost, with MSFT for mindshare) or on contacts, for sepcialized (and indeed higher assurance areas) of DOD (el al). But only the first two stayed focussed oncommodity needs (so what works for DoD offices tends to work for every other class of office, too; and then consumers). yes, obviously, all the militarisms have to get dropped off at the gate, but the commodity support is what matters. In microsoft cases, it was just not proftable (being about evil $$) to maintain some code for a big (but not particularly well paying) customer, and other code base for the rest of us. For that world, the onus was on the smartcard (as the repository of the private key, and point of control over https client tunnel endpoint formation). but, it is useful to see what we can learn. When one does a "logout", does this mean (as one who worked with a great Ukrania/Russian engineer on smartcard middleware for browsers) that one also closes down the channel between browser and smartcard? Does one invoke the smartcard applets' own logout (for the US style of card, using CAC applets in javacard, or otherwise)? Does one make the card reader terminal say something? What happens the card is wireless (as in Apple Near Field cards)? Obviously, one site doing a logout should really not interfere with the SSL channels sourced to the smartcard multiplexing channel endpoints with 100 other sites (as supporting page postback or ajax client-side controls in other tabs/browser instances). Whant happens when the user is conencting to a browser OVER an RDP session, given the nature of RDP is that the card reader on the rdp reader's client is that which the remote browser isntance thinks its talking to? (RDF is able to remotely project local devices, for CCID (smarcard/crypto) enumeration on the remote browser instance). Does this log the user out of windows too, since its hosting the RDP client (and using its own IE to talk to other sites with https). I know folks are only just now getting to grips with real https (and client certs). I dont expect folks to have the kind of knowhow and expeirnece I have (having done nothing else... for years). but, there are some practices its worth  copying. The first thing to do, is not assume the worst, and that its all an evil plot (that suppresses open source, PGP, local trust models, or innovation itself). So far on commodity crypto, it Microsoft 10, Evil 0.           Date: Sat, 7 Jan 2012 14:45:51 -0500
From: kidehen@openlinksw.com
To: public-xg-webid@w3.org
Subject: Re: wot won Thing, asked W3C Identity Conference


  


    
  
  
    On 1/7/12 11:57 AM, Henry Story wrote:
    

      
        On 7 Jan 2012, at 17:38, Peter Williams wrote:
        
        
            
              The identity conference hosted by W3C aksed
                folks to state one thing that could be done by all
                browser manufacturers, that makes a difference. The
                difference doesnt have to save this world. It just has
                to remove a disabling barrier.

                 

                For me, its for ALL mainstream browsers to have
                something similar to that provided in IE8+: the "New
                Session" menu item. This is that which, in the SSL
                world, allows me to stay on the same site (e.g. WebID
                Realm) and change client certificate, without exiting
                the browser. (It may have other properties related to
                pseudo-privacy, too)

                 

                With all mainstream browser others than IE8+, I have to
                exit the browser to use a differnt persona (and even all
                instances of the process, in some of the worst cases).

                 

                With New Session I dont. I get a new brower window (with
                new tab set), enabled with new SSL client authn.

              
            
          
        

        
        Very nice. It seems that Microsoft has the best
          implementation of https at present.  With IE you can
         - logout (using javascript)
         - your sessions
         - a nice cert selection box
         - supports Want request
        

        
        All the other browsers have one of those missing
         - Firefox has an butt ugly selection box
         - Chrome, Opera, and Safari  have no way to log out 
         - Safari does not even let you log out multiple times
          (this is a serious security hole)
         - Opera and Safari require the server to ask for the
          certificate in NEED mode if they are going to send it
        

        
        One annoyance for IE is lack of the html5 keygen element,
          which means implementations are more difficult, but this can
          be dealt with.
        

        
        Now everybody knows I am far from an unconditional M$
          supporter (having worked for Sun Microsystems), but I think
          here this has to be said quite clearly. The failure of the
          other browsers is entirely their own fault at this level.  

        
      
    
    

    Yep!

    

    +1000

    
      
        

        
        As a result people here should do the ultimate to do a good
          job supporting IE. They still have 50% of the market, and it
          would be silly to loose our message 50% for internet users. 

        
      
    
    

    +1000

    

    This is how you will ultimately get all the other browsers in line.
    Decision makers hate "opportunity costs" that erode business models.
    This is the only thing any technical person needs to understand.
    Basically, make "opportunity costs" palpable to decision makers by
    leveraging the amplifier offered by the  WWW + Internet (InterWeb).
    You will be amazed how quickly the other browsers will get in line
    :-)

    

    
      

        
            
               

                This is worth having universally. WebID depends on it,
                I'd counsel.

                 

                The second thing is ... almost equally useful. But, Im
                not allowed two wishes.

              
            
          
      
      

      
        
            
                
                    
                        
                                  Social Web Architect

                                    http://bblfish.net/
                                
                      
                  
              
          
      
      

    
    

    

    -- 

Regards,

Kingsley Idehen	      
Founder & CEO 
OpenLink Software     
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen




 		 	   		  
Received on Saturday, 7 January 2012 20:38:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 7 January 2012 20:38:00 GMT