- From: Henry Story <henry.story@bblfish.net>
- Date: Mon, 22 Oct 2012 12:33:06 +0200
- To: Ben Laurie <benl@google.com>
- Cc: public-identity@w3.org, "public-privacy@w3.org list" <public-privacy@w3.org>, public-webid@w3.org, saag@ietf.org
- Message-Id: <7F0FE9D3-995B-4B32-97CB-3B82F590FE92@bblfish.net>
[cutting down on the mailing lists]

On 22 Oct 2012, at 11:54, Ben Laurie <benl@google.com> wrote:

> Where we came in was me pointing out that if you disconnect your
> identities by using multiple WebIDs, then you have a UI problem, and
> since then the aim seems to have been to persuade us that multiple
> WebIDs are not needed.

There is a happy medium on UI experience. For the UI experience there are two separate issues, one of which I proposed a fix for and the other of which is a browser UI issue.

A. Number of WebIDs
-------------------

1. WebID per web site:

   You don't want to have one WebID per site you go to, since the point of WebID is to allow you to authenticate across sites using the same ID (in the case of TLS, a URL embedded in an X509 Certificate's SAN field).

2. One and only one WebID for the whole internet per person

   WebID does not force any such restrictions (neither would OpenID or BrowserID for that matter).

3. As many WebIDs for the whole web as the user feels worth investing in

   The first sentence of the spec says so ( http://webid.info/spec/ )

   [[
   The WebID protocol enables secure, efficient and maximally user friendly authentication on the Web. It enables people to authenticate onto any site by simply clicking on one of the certificates proposed to them by their browser. These certificates can be created by any Web Site for their users in one click. The identifier, known as the WebID, is a URI whose sense can be found in the associated Profile Page, a type of web page that any Social Network user is familiar with.
   ]]

   (so we are looking for help improving the wording)

Finally, (3) above does not mean that the user can only use WebID. He can still use all the existing technologies for authenticating to web sites where he wishes to have non cross-site linkable identities - e.g. cookies, with username password for example if needed, ...

UI Experience
-------------

There are two elements to the UI experience

1. Certificate selection

   If the server requesting the certificate from the user makes a CertificateRequest by leaving the certificate_authorities field blank (or null, not sure what the correct wording is) as explained by the spec currently

   http://www.w3.org/2005/Incubator/webid/spec/#requesting-the-client-certificate

   then users with multiple certificates - some of which may not be WebID enabled - will be presented with a selection box containing certificates that are not in fact ones the server will accept - leading to confusion and a bad UI.

   I just proposed on the WebID mailing list that WebID certificate chains be signed (at some point) by CN=WebID,O=∅ to solve this issue.

   http://lists.w3.org/Archives/Public/public-webid/2012Oct/0188.html

2. Transparency of Identity

   It is not clear currently when you go to a web site if you are authenticated or not, or with what identities you are. Even Google Chrome's Profile feature does not do so. This is something I really hope they will fix by inspiring themselves from Aza Raskin's work

   http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

I hope this helps,

Henry

Social Web Architect
http://bblfish.net/
Received on Monday, 22 October 2012 10:33:46 UTC
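The certificate-selection point in the message above, worked through as an added example that is not part of the original message or of the WebID spec: it builds a TLS 1.2 CertificateRequest body with an empty certificate_authorities list and with the proposed CN=WebID,O=∅ name, parses each back, and shows which certificates a browser would offer. Assumptions: the function names, the key store contents, the UTF8String encoding of the name, and the browser model (offer everything when the list is empty, otherwise only certificates with a listed DN among their chain's issuers) are all illustrative.

```python
import struct

def der(tag, body):
    # DER TLV with short-form length (these names are all under 128 bytes)
    return bytes([tag, len(body)]) + body

def rdn(oid_hex, value):
    # RelativeDistinguishedName: SET { SEQUENCE { OID, UTF8String } }
    attr = der(0x06, bytes.fromhex(oid_hex)) + der(0x0C, value.encode("utf-8"))
    return der(0x31, der(0x30, attr))

def dn(org, cn):
    return der(0x30, rdn("55040a", org) + rdn("550403", cn))
WEBID_DN = dn("\u2205", "WebID")  # CN=WebID,O=∅ (DER order: O, then CN)

def certificate_request(ca_dns):
    # TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4)
    types = bytes([1, 64])         # rsa_sign, ecdsa_sign
    sigalgs = bytes([4, 1, 4, 3])  # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(d)) + d for d in ca_dns)
    return (bytes([len(types)]) + types + struct.pack("!H", len(sigalgs))
            + sigalgs + struct.pack("!H", len(cas)) + cas)

def parse_certificate_authorities(body):
    pos = 1 + body[0]                                  # skip certificate_types
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # skip signature algorithms
    total = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if pos + total != len(body):
        raise ValueError("certificate_authorities length mismatch")
    dns = []
    while pos < len(body):
        n = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if n == 0 or pos + n > len(body):
            raise ValueError("bad DistinguishedName length")
        dns.append(body[pos:pos + n])
        pos += n
    return dns

def offered(store, body):
    # Assumed browser model: empty list offers everything, else match issuer DNs
    cas = parse_certificate_authorities(body)
    return [label for label, issuers in store
            if not cas or any(i in cas for i in issuers)]

# Constructed key store: (label, issuer DNs in the certificate's chain)
STORE = [("bank smartcard", [dn("Example Bank", "Example Bank CA")]),
         ("WebID: home", [WEBID_DN]),
         ("WebID: work", [dn("Example Corp", "Profile Issuer"), WEBID_DN])]
```

With the empty list the selection box contains the bank smartcard certificate as well; with the single DN it contains only the two WebID certificates.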