Re: UI for client cert selection (Was: Releasing RWW.IO)

On 05/05/2014 11:19 AM, Anders Rundgren wrote:
> On 2014-05-05 10:33, Jiří Procházka wrote:
>> On 05/04/2014 05:13 AM, Anders Rundgren wrote:
> <snip>
> 
> Hi Jiří,
> 
>> Hi everyone. Anders, I might be wrong, but I think the banking/e-gov use
>> case is quite different from the major WebID use case - WebID as a
>> single sign-on (SSO) solution.
>>
>> I think the banks supply their own proprietary browser plugins because
>> the problem they are solving is safely using the certificate established
>> just for their use (one website), 
> 
> 100% agreed. The question here is therefore why they *rejected* the built-in
> HTTPS Client Certificate Authentication support which fully addresses this
> [principally] simple use-case?
> 
>> while WebID needs a widely available
>> client software with certificate selection UI which the users trust (so
>> it is not supplied by websites), because they need to be able to trust
>> it with their certificate which they use potentially on 100s of
>> websites. 
> 
> 100% agreed.
> 
>> Also doing something like the banks do (one-website
>> certificates), would be impractical for WebID even if it was done by a
>> standardized browser plugin, as there would be new UI/communication
>> headache with binding the certificate generated for a particular
>> website, with the WebID profile hosting solution of choice.
> 
> I'm not suggesting changing a *single line* of the WebID concept; I'm merely claiming
> that the currently only fully specified authentication alternative is at an X-road.
> 
> That you can use "any" authentication scheme won't make WebID an SSO solution,
> which I think was what at least Henry had in mind and IMO remains a very noble goal!
> 
> Since the banks and WebID, as far as I can tell, can use *exactly the same solution*,
> I believe that there could be a way of reaching "critical mass" for a new scheme,
> something which I'm pretty sure WebID (or the banks) alone won't ever achieve.
> 
> The EU banks have invested more than $1Bn in X.509 technology for client authentication
> and will therefore very unlikely switch to U2F (in its current incarnation).

Right, in short: now it is best for the banks to have their own
implementations which they vouch for to their clients, but we want to be
working towards a solution with secure implementations across all
platforms and browsers, supporting both the use case of the banks and
the SSO WebID scenario.

What I don't understand is how your proposal fits into this and what it
actually is, as what I have seen in the PDF are basically just 2 JSON
structures... What are you proposing to be done? How does it relate to
WebID-TLS? What exactly are the non-UX issues of HTTPS CCA?

Best,
JP

Received on Monday, 5 May 2014 13:22:45 UTC