- From: James A. Donald <jamesd@echeque.com>
- Date: Sun, 17 Feb 2008 07:23:26 +1000
- To: Christoph Hack <c.hack@gmx.at>
- CC: public-usable-authentication@w3.org

Christoph Hack wrote:
> today Public Keys are very popular and most Internet applications
> support GPG-Keys (e.g. lots of Mail readers and Jabber). Those public
> keys are much more secure and the user doesn't have to transmit his
> password and remember it.
>
> But up to now, there aren't any Web Browsers which support a way to
> ask the user to sign something with his personal GPG Key. (please tell
> me if I'm wrong). But I think if somebody could write a RFC or something
> similar for that, there might be a chance of getting this feature into
> some full-featured browsers :)

It is rather too easy to write stupid RFCs, of which there are a disturbingly large supply gumming up the works.

Rather, the correct approach is to take an open source browser and open source server, create an addon or fork that supports this with an actually usable and convenient user interface, and then write an RFC that describes what it takes to be compatible with this existing code.

RFCs that fail to correspond to useful code that is actually in use at the time the RFC is written often never come to correspond to useful code, or worse, are actually implemented as broken implementations that work "correctly" but fail to solve the problem they were supposed to solve - the typical product of design by committee.

The other extreme to the no code RFC is the Microsoft style RFC, which declares that any conforming code must conform to a vast pile of ill-defined existing code that no one now quite understands any more.

An RFC should sail between these two extremes - which requires a running hack, and preferably a hack that has gone through at least one round of refactoring to render it somewhat elegant.

Received on Saturday, 16 February 2008 21:23:42 UTC