Re: TLS-CCA. Was: Browser UI & privacy - a discussion with Ben Laurie from Henry Story on 2012-10-06 (public-identity@w3.org from October 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 6 Oct 2012 11:09:27 +0200
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Ron Garret <ron@flownet.com>, Anders Rundgren <anders.rundgren@telia.com>, public-identity@w3.org
Message-Id: <00562856-F48B-4F8C-BAAB-05FC162B6BD7@bblfish.net>

On 6 Oct 2012, at 09:29, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> 
> 
> On 6 October 2012 09:13, Ron Garret <ron@flownet.com> wrote:
> 
> On Oct 5, 2012, at 11:49 PM, Melvin Carvalho wrote:
> 
>> 
>> 
>> On 6 October 2012 08:16, Anders Rundgren <anders.rundgren@telia.com> wrote:
>> On 2012-10-05 20:47, Henry Story wrote:
>> 
>> >> WebCrypto could very well become a better mousetrap than TLS CCA.
>> >
>> > By WebCrypto you mean using javascript. That does not really change anything.
>> 
>> It does because it liberates WebID from a scheme (TLS CCA) that in its current
>> form is doomed as a consumer solution.
>> 
>> TLS CCA is actually quite popular and useful for creating secure tunnels between
>> servers.  However, as a web solution for end-users TLS CCA has essentially not
>> taken a single step forward since 1996!  Well, the "underpinnings" have changed
>> considerably but that doesn't help much since its "behavior" remains neanderthalish.
>> The latter is presumably "by design".
>> 
>> I'm surprised that you find the current key generation mechanisms useful.  No major
>> user of consumer-PKI I have heard of actually use them.  "<keygen>" as featured in
>> Chrome was also designed in the 90'ties.  This is a very touchy issue since
>> 
>>    http://www.ietf.org/mail-archive/web/pkix/current/msg31241.html
>> 
>> caused the PKIX chairs to remove me from the list!
>> 
>> Anders, did you ever look at this?
>> 
>> http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0047.html
>> 
>> A full javascript solution to WebID including crypto libraries.
>> 
>> May be interesting to this group.
> 
> As long as Forge has entered the conversation I would also like to point to my own identity project:
> 
> http://dswi.net/
> 
> DSSID uses Forge for its crypto, but it uses a different protocol specifically designed to be simple for clients to integrate with.  Note: this code is not ready for production use.  Feedback and comments are welcome.
> 
> Wow, looks really nice.
> 
> If im not mistaken, it's quite similar to a web version of SSH?
> 
> Does this sole harry's unlinkability problem too?

Can you explain what Harry's unlinkeability problem is, why it is a problem, and if 
one should even be concerned by it?

My question would have been rather, if there is not a centralisation
dimension in http://dswi.net/ . Does it not currently require one to go through a central
server?


>  
> 
> rg
> 
> 

Social Web Architect
http://bblfish.net/

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Saturday, 6 October 2012 09:10:07 UTC