Re: Federation protocols from Melvin Carvalho on 2013-06-01 (public-fedsocweb@w3.org from June 2013)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 1 Jun 2013 18:49:45 +0200
To: Miles Fidelman <mfidelman@meetinghouse.net>
Cc: "public-fedsocweb@w3.org" <public-fedsocweb@w3.org>
Message-ID: <CAKaEYh+6wt=6kGdQx8sufoTfHR2dYy-BOAD4w+jTcFb9Z6HRFg@mail.gmail.com>

On 1 June 2013 18:40, Miles Fidelman <mfidelman@meetinghouse.net> wrote:

> Melvin Carvalho wrote:
>
>>
>>
>> Yes, that's a nice idea, and something I have been doing for many years.
>>  But there are two issues with this going mainstream.
>>
>> 1.  Only a small minority of web servers run SSL with the option to
>> accept client side certificates.
>>
>> 2. The user experience for X.509 is not ideal in current browsers, and
>> there will be some lead time before that is improved.  I personally talked
>> to the head of services at canonical and mark shuttleworth about this very
>> idea, but it was felt it was not yet user friendly enough to be adopted.
>>
>> So in the short to medium term at least we need stop gap.
>>
>
> So... you consider:
> - modify HTTP to add a new header
>

It's one route, but you need not modify HTTP, arbitrary headers are
allowed.  You just need consensus on a name and text.

> - modify HTTP in a way that makes very little or no sense from a protocol
> layering perspective
>

Your opinion.  You did not state your preferred layer.

> - modify HTTP in a way that duplicates perfectly good existing mechanisms
>

Please do let me know if you are aware of an existing header, that was my
original question.

> - push that all through at least some basic level of standardization
>

Adding a header is a pretty easy thing to do.  You just need a name and
some text.  HTTP was designed to allow this.

> AND
> - expect browser makers to implement it
>

They already do.  All AJAX requests allow a header to be set.

> - expect a significant number of web servers to implement
>

All web servers do already support arbitrary headers.

>
> And you consider that a short term stopgap measure?
>
> The reality is that folks don't use the existing mechanisms because they
> don't care, not because it's difficult.  People who care, or who are
> required to, already have and use perfectly reasonable options, on huge
> scales.  In particular, I'll note:
> - MS Active Directory (pretty much universal in the enterprise space)
> - X.509 certificates w/ LDAP (pretty much universal in the Federal space)
>

I'm totally for using X.509 certificates for this and have been arguing
several years for their adoption.  The bigcos are blocking it so far due to
UX.  We were unable to get status.net to support it even though we had
people ready to work on the code.  By all means do try and get X.509
deployed, I'll write code for it, and support your messaging, but expect
pushback due to the X.509 user experience.

>
> Creating yet another mechanism, to address non-existent demand, is a waste
> of time.
>
> Miles
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   .... Yogi Berra
>
>
>

Received on Saturday, 1 June 2013 16:50:15 UTC