Re: Federation protocols

Melvin Carvalho wrote:
>
>
> Yes, that's a nice idea, and something I have been doing for many 
> years.  But there are two issues with this going mainstream.
>
> 1.  Only a small minority of web servers run SSL with the option to 
> accept client side certificates.
>
> 2. The user experience for X.509 is not ideal in current browsers, and 
> there will be some lead time before that is improved.  I personally 
> talked to the head of services at Canonical and Mark Shuttleworth 
> about this very idea, but it was felt it was not yet user friendly 
> enough to be adopted.
>
> So in the short to medium term at least we need a stopgap.

So... you consider:
- modify HTTP to add a new header
- modify HTTP in a way that makes very little or no sense from a 
protocol layering perspective
- modify HTTP in a way that duplicates perfectly good existing mechanisms
- push that all through at least some basic level of standardization
AND
- expect browser makers to implement it
- expect a significant number of web servers to implement it

And you consider that a short term stopgap measure?

The reality is that folks don't use the existing mechanisms because they 
don't care, not because it's difficult.  People who care, or who are 
required to, already have and use perfectly reasonable options, on huge 
scales.  In particular, I'll note:
- MS Active Directory (pretty much universal in the enterprise space)
- X.509 certificates w/ LDAP (pretty much universal in the Federal space)

Creating yet another mechanism, to address non-existent demand, is a 
waste of time.

Miles

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

Received on Saturday, 1 June 2013 16:41:14 UTC