Re: W3C Web Identity Standardization Woes from Dick Hardt on 2012-02-08 (public-identity@w3.org from February 2012)

From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 8 Feb 2012 15:47:21 -0700
To: Ron Garret <ron@flownet.com>
Cc: Anders Rundgren <anders.rundgren@telia.com>, public-identity@w3.org, Harry Halpin <hhalpin@w3.org>
Message-Id: <7916CD84-E4B2-43FE-8FEC-3B166A345EF9@gmail.com>

The belief that your solution is *the* solution is in nearly all cases a failing solution. (I'm not singling you out Ron, the *you* in my statement is generic)

Harry: while Anders delivery could be improved, there are a number of important points hinted out in his message which from my experience are critical to the success of the WG's mission.

-- Dick

On Feb 8, 2012, at 11:10 AM, Ron Garret wrote:

> +1.  The belief that something is infeasible is in nearly all cases a self-fulfilling prophecy.
> 
> On Feb 8, 2012, at 6:40 AM, Harry Halpin wrote:
> 
>> Anders,
>> 
>>  Again, if you believe in your below statements, I kindly suggest you join another mailing list. Furthermore, there is no new information in your email, just the same opinion you re-iterated earlier a number of times.
>> 
>>         cheers,
>>              harry
>> 
>> 
>> On 02/08/2012 06:30 AM, Anders Rundgren wrote:
>>> 		
>>> 
>>> I hope you don't get too upset but I believe the last 12 months have shown that
>>> standardization of security and identity solutions on the web, particularly for
>>> schemes that introduce changes in the client-platform, is more or less infeasible.
>>> 
>>> Why is that?  The interest in cooperating among the very few vendors that own
>>> the web is minimal.  In addition, the majority of all efforts in this space fail
>>> like Microsoft's Information Cards initiative.
>>> 
>>> Regarding DomCrypt, I see this as a Mozilla project which the other vendors can
>>> take up or not depending if they find it useful.
>>> 
>>> DomCrypt also shows the difficulty running open processes.  It has been claimed
>>> that DomCrypt could be "extended" to support smart cards.   No document or
>>> writeup has though been provided showing how this would work.  IMO smart
>>> cards using non-domain-restricted credentials such as PIV must not be exposed
>>> on the web; they can only be used by trusted applications such as TLS.
>>> 
>>> Anders
>>> 
>> 
>> 
> 
>

Received on Wednesday, 8 February 2012 22:47:56 UTC