- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 3 May 2014 14:28:48 +0200
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Tim Holborn <timothy.holborn@gmail.com>, Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>
- Message-ID: <CAKaEYhK9tU5XvbC7VAk1=PYHJf8aN0MnRa7DxRUpdBm-ys6K6w@mail.gmail.com>
On 3 May 2014 10:56, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > On 2014-05-03 10:24, Tim Holborn wrote: > > WebID TLS certs may need browser support in future, but, i’m betting if > the method works, it’ll likely get that browser support (one way or > another). > > > > It does not provide an entire solution however, it is simply a > constituent of a solution IMHO. > > If this project had started a year ago I would agree but it did actually > started 5-6 years ago: > http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html > Do note that a webid is just an HTTP URI that gives a user profile in turtle. Also note that facebook supports this, which is a billion profiles, I think. WebID can work with facebook connect if you want want to store your key in your browser. > > The actual problem is that the W3C and the WebID folks didn't consider the > fact that > X.509-based client authentication already was widely established for > things like e-government services > and on-line banking but that these schemes practically without exception > rely on proprietary > browser plugins to get away from the limitations of TLS CCA. > > When I suggested doing something about this I immediately became a > "Persona Non Grata". > When Google did the same (through U2F) they became the undisputed king on > consumer authentication. > Yes, the world is indeed rather "sheepish" but Google is a fairly good > shepherd. > "Persona Non Grata" where? Anyone offering to to build a webid-u2f bridge would be a plus, imho. > > The previous king always claimed that the Internet ends at the AD (Active > Directory) border. > When they finally realized it did not, they had no option but joining the > U2F bandwagon. > > > > > > If you’d done enough testing, you’d have too many WebID Certificates. > Right-up until the point, where you set-up your own cert; manage it > effectively, which in-turn means you only need one Cert… > > > It doesn't work like that, the problem is fully universal and not limited > to WebID. > > Anders > definitely a very bad guy > > > > > > I’ve still not sorted that out yet. > > > > i think perhaps a back-up (or export) button on RWW.io might be a good > idea, somewhere in the todo list. > > > > timh. > > > > On 3 May 2014, at 6:08 pm, Anders Rundgren < > anders.rundgren.net@gmail.com> wrote: > > > >> Now I have tried it out as well including the micro-blogging. > >> It was cool with one exception, TLS CCA (Client Certificate > Authentication) > >> > >> Logging in to http://cimba.co required me to select certificate twice > and > >> from a pretty long list of non-WebID certificates. > >> > >> Unless W3C gets their act together and creates a web-compliant > replacement > >> for TLS CCA, WebID won't ever catch on. I have no faith in W3C for > taking > >> any action on this since not even the requirements have ever been > discussed. > >> TLS is a sacred cow. > >> > >> Fortunately Google hadn't any problems slaughtering this poor creature > >> when they started their U2F project which have created a hype I haven't > >> seen before during my 15Y+ in the "id-business". It didn't take an > >> eternity either. > >> > >> Anders > >> grumpy old fart with a mission > >> > >> > > >
Received on Saturday, 3 May 2014 12:29:17 UTC