Re: Releasing RWW.IO

Hi,

On Sat, May 3, 2014 at 7:42 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2014-05-03 13:19, Melvin Carvalho wrote:
> >
> >
> >
> > On 3 May 2014 10:08, Anders Rundgren <anders.rundgren.net@gmail.com<mailto:
> anders.rundgren.net@gmail.com>> wrote:
> >
> >     Now I have tried it out as well including the micro-blogging.
> >
> >
> > Awesome.  I typed your name "A n d e r" into the channel finder and your
> webid came up after about 3 letters.  I'm now following you.
> >
> >
> >     It was cool with one exception, TLS CCA (Client Certificate
> Authentication)
> >
> >     Logging in to http://cimba.co required me to select certificate
> twice and
> >     from a pretty long list of non-WebID certificates.
> >
> >     Unless W3C gets their act together and creates a web-compliant
> replacement
> >     for TLS CCA, WebID won't ever catch on.  I have no faith in W3C for
> taking
> >     any action on this since not even the requirements have ever been
> discussed.
> >     TLS is a sacred cow.
> >
> >
> > I think there's a slight distinction between WebID and WebID+TLS.
> >
> > WebID itself is independent of the auth mechanism.
>
> Yes, this enhancement was introduced as a "workaround".
>

Not at all. You must still be reasoning in terms of WebID = TLS CCA. WebID
is all about identifiers and identity (it's written in the spec, really),
whereas WebID-TLS deals with authentication. It was never an "enhancement",
nor a "workaround".

-- Andrei


>
> >
> > One hope was that mozilla labs would help with the UX, as below.
> >
> > http://www.azarask.in/blog/post/identity-in-the-browser-firefox/ <
> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/>
>
> That's where it gets wrong, there is no UX problem to solve. It is the
> underpinning TLS CCA scheme that is the sole culprit which is why Google,
> Microsoft, Paypal, RSA, ARM (!), etc. abandoned it in favor of U2F.
>
> Your best option at this stage is probably defining a WebID-U2F profile.
>
> Personally, I'm not overly interested in U2F, it is much simpler making
> client-side X.509 "web-compatible" by building on the already established
> schemes out there.
>
> Anders
>
> >
> >
> >     Fortunately Google hadn't any problems slaughtering this poor
> creature
> >     when they started their U2F project which have created a hype I
> haven't
> >     seen before during my 15Y+ in the "id-business".  It didn't take an
> >     eternity either.
> >
> >     Anders
> >     grumpy old fart with a mission
> >
> >
> >
>
>

Received on Saturday, 3 May 2014 13:44:26 UTC