- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 9 Aug 2013 16:50:18 +0200
- To: Norman Gray <norman@astro.gla.ac.uk>
- Cc: Henry Story <henry.story@bblfish.net>, public-lod <public-lod@w3.org>
- Message-ID: <CAKaEYh+Zw2C7ThnjXSgokBiik3HHL7F2GspDORCnAZWTRSVBMQ@mail.gmail.com>
On 9 August 2013 16:45, Norman Gray <norman@astro.gla.ac.uk> wrote:

> Henry, hello.
>
> I don't have much more to add here, because I can't fundamentally add much more than assertion, but I have a couple of brief responses.
>
> On 2013 Aug 9, at 14:41, Henry Story wrote:
>
> >> I don't have an easy solution to this -- I can see all the problems with creating applications which users have to run to generate WebIDs, and regarding which they then have to be given follow-up instructions. But doing this in the browser, though technically neat and correct, may have killing UI/model problems, as described above (because of the invisibility and passivity of the browser in most people's conception), and these problems may make this the browser-generation route less successful in the end.
> >
> > I am not convinced. The problems with Certificates in the Browser are entirely to do with the problem of dealing with CAs.
> > Clearly a bit of education is needed, and what better than a web site to do that.
>
> I think you're very optimistic about what 'a bit of education' can do.
>
> I've long had X.509, ssh and PGP/GPG keys, I've used the Java X.509 API in the past, I understand large fractions of the technology and maths of public key crypto, I've written my own DER codecs and I can (albeit now only with a crib) read X.509 certificates by eye, using od(1). I am roughly as educated about certificates as it is possible to be, and I _still_ get confused about where my damn certificates are, and I still mess up an annual browser-based certificate renewal request.
>
> I agree that some of this stuff is 'just' a matter of UI improvements (though the number and profundity of the UI problems at <http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues> -- and the incompleteness of the list -- is dispiriting). My suggestion here is that I believe the conceptual difficulties inherent in managing and conceptualising certificates _within a web browser_, though presumably not insurmountable, are significantly challenging, in the sense that they will require a lot more than just a bit of UI tweaking to address.
>
> I know that I didn't have this problem back when I was coding/working with certificates daily, as many people in this thread will be still. But now I'm not, and I'm apparently _very_ promptly back with the naive users.
>
> >>> http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues
> >>
> >> Oooh, they're awful. I just checked, and I submitted an Apple bug report about this -- detailing the awfulness and inadequacy of Safari's and Keychain Access's UIs here -- back in October 2008, which finally received "We are closing this bug since our engineers are aware of the issue and will continue to track it" in November 2011, and nothing since. *sigh*
> >
> > The Chrome and Opera UIs are pretty Good. Apple's too, it's just that it has a privacy issue.
>
> I don't think I agree with this, either: the list of failings at that URI is pretty killing. I can't even log out with a non-working certificate!
>
> The OS X experience is better (from my point of view) only because the keychain (separate from the browser), and the standalone Keychain Access application, means that I have a better conceptual model of where my certificates are, than I would if they were entirely within the browser.

+1 Bear in mind that TLS is not the *only* way to verify your linked data identity (aka webid). It's just the *first* way that we implemented.

> All the best,
>
> Norman
>
> --
> Norman Gray : http://nxg.me.uk
> SUPA School of Physics and Astronomy, University of Glasgow, UK

Received on Friday, 9 August 2013 14:50:49 UTC