Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo

On 9 August 2013 16:45, Norman Gray <norman@astro.gla.ac.uk> wrote:

>
> Henry, hello.
>
> I don't have much more to add here, because I can't fundamentally add much
> more than assertion, but I have a couple of brief responses.
>
> On 2013 Aug 9, at 14:41, Henry Story wrote:
>
> >> I don't have an easy solution to this -- I can see all the problems
> with creating applications which users have to run to generate WebIDs, and
> regarding which they then have to be given follow-up instructions.  But
> doing this in the browser, though technically neat and correct, may have
> killing UI/model problems, as described above (because of the invisibility
> and passivity of the browser in most people's conception), and these
> problems may make the browser-generation route less successful in the
> end.
> >
> > I am not convinced. The problems with Certificates in the Browser are
> entirely to do with the problem of dealing with CAs.
> > Clearly a bit of education is needed, and what better than a web site to
> do that.
>
> I think you're very optimistic about what 'a bit of education' can do.
>
> I've long had X.509, ssh and PGP/GPG keys, I've used the Java X.509 API in
> the past, I understand large fractions of the technology and maths of
> public key crypto, I've written my own DER codecs and I can (albeit now
> only with a crib) read X.509 certificates by eye, using od(1).  I am
> roughly as educated about certificates as it is possible to be, and I
> _still_ get confused about where my damn certificates are, and I still mess
> up an annual browser-based certificate renewal request.
>
> I agree that some of this stuff is 'just' a matter of UI improvements
> (though the number and profundity of the UI problems at
> <http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues>
> -- and the incompleteness of the list -- is dispiriting).  My suggestion
> here is that I believe the conceptual difficulties inherent in managing and
> conceptualising certificates _within a web browser_, though presumably not
> insurmountable, are significantly challenging, in the sense that they will
> require a lot more than just a bit of UI tweaking to address.
>
> I know that I didn't have this problem back when I was coding/working with
> certificates daily, as many people in this thread will be still.  But now
> I'm not, and I'm apparently _very_ promptly back with the naive users.
>
> >>>
> http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues
> >>
> >> Oooh, they're awful.  I just checked, and I submitted an Apple bug
> report about this -- detailing the awfulness and inadequacy of Safari's and
> Keychain Access's UIs here -- back in October 2008, which finally received
> "We are closing this bug since our engineers are aware of the issue and
> will continue to track it" in November 2011, and nothing since.  *sigh*
> >
> > The Chrome and Opera UIs are pretty good. Apple's too, it's just that it
> has a privacy issue.
>
> I don't think I agree with this, either: the list of failings at that URI
> is pretty killing.  I can't even log out with a non-working certificate!
>
> The OS X experience is better (from my point of view) only because the
> keychain (separate from the browser), and the standalone Keychain Access
> application, means that I have a better conceptual model of where my
> certificates are, than I would if they were entirely within the browser.
>

+1

Bear in mind that TLS is not the *only* way to verify your linked data
identity (aka webid).  It's just the *first* way that we implemented.


>
> All the best,
>
> Norman
>
>
> --
> Norman Gray  :  http://nxg.me.uk
> SUPA School of Physics and Astronomy, University of Glasgow, UK
>
>
>

Received on Friday, 9 August 2013 14:50:49 UTC