- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Sat, 3 May 2014 21:29:00 +1000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>
Sent from my iPad > On 3 May 2014, at 6:56 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > >> On 2014-05-03 10:24, Tim Holborn wrote: >> WebID TLS certs may need browser support in future, but, i’m betting if the method works, it’ll likely get that browser support (one way or another). >> >> It does not provide an entire solution however, it is simply a constituent of a solution IMHO. > > If this project had started a year ago I would agree but it did actually started 5-6 years ago: > http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html > Could be worse http://motherboard.vice.com/read/americas-nuclear-arsenal-still-runs-off-floppy-disks > The actual problem is that the W3C and the WebID folks didn't consider the fact that > X.509-based client authentication already was widely established for things like e-government services > and on-line banking but that these schemes practically without exception rely on proprietary > browser plugins to get away from the limitations of TLS CCA. > > When I suggested doing something about this I immediately became a "Persona Non Grata". > When Google did the same (through U2F) they became the undisputed king on consumer authentication. > Yes, the world is indeed rather "sheepish" but Google is a fairly good shepherd. > > The previous king always claimed that the Internet ends at the AD (Active Directory) border. > When they finally realized it did not, they had no option but joining the U2F bandwagon. > > >> >> If you’d done enough testing, you’d have too many WebID Certificates. Right-up until the point, where you set-up your own cert; manage it effectively, which in-turn means you only need one Cert… > > > It doesn't work like that, the problem is fully universal and not limited to WebID. > > Anders > definitely a very bad guy > > >> >> I’ve still not sorted that out yet. >> >> i think perhaps a back-up (or export) button on RWW.io might be a good idea, somewhere in the todo list. >> >> timh. >> >>> On 3 May 2014, at 6:08 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: >>> >>> Now I have tried it out as well including the micro-blogging. >>> It was cool with one exception, TLS CCA (Client Certificate Authentication) >>> >>> Logging in to http://cimba.co required me to select certificate twice and >>> from a pretty long list of non-WebID certificates. >>> >>> Unless W3C gets their act together and creates a web-compliant replacement >>> for TLS CCA, WebID won't ever catch on. I have no faith in W3C for taking >>> any action on this since not even the requirements have ever been discussed. >>> TLS is a sacred cow. >>> >>> Fortunately Google hadn't any problems slaughtering this poor creature >>> when they started their U2F project which have created a hype I haven't >>> seen before during my 15Y+ in the "id-business". It didn't take an >>> eternity either. >>> >>> Anders >>> grumpy old fart with a mission >
Received on Saturday, 3 May 2014 11:29:36 UTC