Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo

On 9 Aug 2013, at 16:50, Henry Story <henry.story@bblfish.net> wrote:

> 
> On 9 Aug 2013, at 16:45, Norman Gray <norman@astro.gla.ac.uk> wrote:
> 
>> 
>> Henry, hello.
>> 
>> I don't have much more to add here, because I can't fundamentally add much more than assertion, but I have a couple of brief responses.
>> 
>> On 2013 Aug 9, at 14:41, Henry Story wrote:
>> 
>>>> I don't have an easy solution to this -- I can see all the problems with creating applications which users have to run to generate WebIDs, and regarding which they then have to be given follow-up instructions.  But doing this in the browser, though technically neat and correct, may have killing UI/model problems, as described above (because of the invisibility and passivity of the browser in most people's conception), and these problems may make the browser-generation route less successful in the end.
>>> 
>>> I am not convinced. The problems with Certificates in the Browser are entirely to do with the problem of dealing with CAs. 
>>> Clearly a bit of education is needed, and what better than a web site to do that. 
>> 
>> I think you're very optimistic about what 'a bit of education' can do.
>> 
>> I've long had X.509, ssh and PGP/GPG keys, I've used the Java X.509 API in the past, I understand large fractions of the technology and maths of public key crypto, I've written my own DER codecs and I can (albeit now only with a crib) read X.509 certificates by eye, using od(1).  I am roughly as educated about certificates as it is possible to be, and I _still_ get confused about where my damn certificates are, and I still mess up an annual browser-based certificate renewal request.
>> 
>> I agree that some of this stuff is 'just' a matter of UI improvements (though the number and profundity of the UI problems at <http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues> -- and the incompleteness of the list -- is dispiriting).  My suggestion here is that I believe the conceptual difficulties inherent in managing and conceptualising certificates _within a web browser_, though presumably not insurmountable, are significantly challenging, in the sense that they will require a lot more than just a bit of UI tweaking to address.
>> 
>> I know that I didn't have this problem back when I was coding/working with certificates daily, as many people in this thread will be still.  But now I'm not, and I'm apparently _very_ promptly back with the naive users.
> 
> UI improvements are being made in the browser vendors. As we gain more users we'll have more political clout to push for more
> improvements. For the moment not enough people use certificates for them to be bothered. So it's a question of getting going, 
> and then the best browsers will gain market share.

Also bear in mind that WebID over TLS can also be used by robots and software agents that won't have any 
trouble with TLS certificates either client or server side. For example you can do this with WebID+LDP+Web Access Control 
as shown in the examples here:

   https://github.com/stample/rww-play

The advantage of TLS here is that 
  1. it is very efficient
  2. it is not liable to denial of service attacks like protocols such as Mozilla Persona that use/need JavaScript
  3. it does not require a thick client

All the best,

	Henry

Social Web Architect
http://bblfish.net/

Received on Friday, 9 August 2013 15:07:54 UTC