WebID and HTTPS Client Certificate Authentication from Anders Rundgren on 2011-08-06 (public-identity@w3.org from August 2011)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sat, 06 Aug 2011 09:20:05 +0200
To: "public-identity@w3.org" <public-identity@w3.org>
Message-ID: <4E3CEB25.2000105@telia.com>

Dear List;

I would like to express why I feel that WebID (/long-term NB/) is worth a better client solution than HTTPS CCA (Client Certificate Authentication).

The innovation going on in the TLS space is hardly of any interest outside a small circle of cryptographers. From a user's point-of-view /HTTPS CCA pretty much behaves like when it was introduced
some 15 years ago/.

There has been some efforts in the IETF to improve the client-certificate GUI but I doubt that Microsoft (who championed it), have any plans implementing it. If you look deeper into the subject
you'll soon find that it won't deliver much value unless you begin to muck around in the middleware layer and then it becomes really difficult since this involves third-party SW.

>From a developer's point-of-view I feel that HTTPS CCA is a quirky technology since/it is clearly at odds with the web session concept/. If you would like to mix and match passwords and CCA in the
same web application it gets rather messy. Due to automatic reauthentication performed by browsers, "logout" must be solved using highly dubious methods that haven't gotten any serious consideration
by any standards group I'm aware of.

A particular issue with WebID is that you (if you use CCA) must /tweak the web-server to accept any certificate/. For MOD-SSL hackers this is probably piece of cake but it surely isn't a standard
feature in for example Java Servlet containers such as Tomcat and Glassfish. /Using application-level CCA authentication you can run HTTPS in a completely plain vanilla (server only authentication)
fashion/.

Since CCA on the web probably has less than a 0.1% "market-share", the incentive for improvements seems to be lacking. Sweden's BankID who have three million users, recently introduced version #3 of
their browser PKI client that (for many reasons) use an application-level CCA authentication scheme.

The biggest bank used HTTPS CCA for decade but have now adopted BankID's PKI-client since they have given up on the browser vendors' abysmal support of client-side PKI, from enrollment to usage. Ref:
http://lists.w3.org/Archives/Public/public-html/2009Sep/0663.html

Anders

Received on Saturday, 6 August 2011 07:20:42 UTC