Re: [webauthn] username and display name should not be mandatory (rp, challange either) and OS UX should be simplified if not present (#1915)

Hi,
I don't have time for this now, but I read your reply in 5 seconds in my email, so I must add my part.
- I was frustrated because the tech is good but it is messed up. I spent plenty of time implementing it, studying it (only professionals will do it, not small websites, so it cannot be a success this way) and in the end I will not use this (but ECDSA in the browser instead)... so yes, take our frustration please, you were easy years, you present a product and we "RP"s are the users actually, and if you think it is sh** I want to say it out loud... you never had a boss to say it? I think if he is right, sometimes it is good to say it... Churchill said: I did not have time to write a short speech. Now I did not have time to write a nice and short comment; it was long and rude maybe.
- It was long also because the problem is complex... I think if Googlers and Microsoft people etc. cannot get it, it must be complex... I am specialised in solving complex problems and I am an RP and I took the time to implement this sh**, so you could take the useful info from what I wrote and be happy. You're welcome! Really. I mean it. Without thinking highly of myself (you can take 0 or 100% of it, you can analyse what I wrote etc., it is actually valuable).
- Well, I don't play the persuasion game, I play the truth game... you will never be successful if something is too complex, not clear for the users (RP) etc. I tried to help with how to improve it... and some points are really extreme, like these usernames: flat out logically wrong, bad interfaces etc.
- Not having a challenge? I do not have time to check it out, but I think somebody wrote that I wrote this and you took it from him/her. The only thing I find important and actually implemented is the challenge... the whole thing is nothing else than ECDSA with a server challenge, and I think the other parts are of no use for normal RPs, but maybe for nobody (counter maybe, but come on).
- Well, Google UX just moves like I say: accounts are collected and represented together... imagine just having one Google account and email aliases... wow... the logic should be inside if they want it... more Google accounts is cheating with 15 GB of drive space etc... I said of course you are allowed to have multiple accounts, nobody can stop you (without real ID checks etc.), but this SHOULD not be the default thinking, and IF somebody has multiple accounts it is NOT a problem to sweat a little bit, like managing the multiple passkeys in their pass manager...
- Again, I spent a lot of time with this, that's why I remember after months what the main problem is:
1. Passkeys are pass manager related and plenty of people will never use it, and implicitly making them use pass managers will be a mess. You should be transparent about it, solve pass managers first... be transparent about it... and again, a passkey has actually some, but much less, advantage against passwords in a pass manager... I would say I actually prefer a scheme like Bitcoin: they changed to complex backupable English words (I would just use a 25 character string like a Windows thingy) and derive the ECDSA private key... so you have a paper or otherwise backupable secret, but you actually use ECDSA with a pass manager all the time... passkeys will have the problem, even if well implemented/specced, that some people just want to have more control (not my father, but like my mother), and for these people the RP must have a different auth method than passkeys... or passkeys have to become backupable.
2. Too complex because of the YubiKey people and the device based original design... it sounds laughable, but you really should just start again fresh without YubiKeys and get rid of anything else than ECDSA, actually what Apple did and Google and forced it...
3. And really this username thing is actually complex. I wrote about this on Stack Overflow, but I don't check my account because I have to work hard and I get nothing out of this as it seems... just frustration... but the problem is the LOGIC: with anonymous user IDs the 2 username fields are disturbing and pointless, it is in the power of the user/pass manager to manage this, still it is there for RPs to give a default value... you actually did the right thing to implement anonymous user IDs (Google I guess, and Apple), but then some other guys came who wanted to stick to usernames and emails because traditionally this is the thing (WRONG), and you wanted both the right thing and to keep this username thing to make the transition to passkeys smooth... but it is a LIE to RPs because it is another model and everybody should learn this new model: managing usernames and stuff is for the users and pass managers to distinguish between multiple accounts IF they have them, which they should not!

So the RPs should write one-account logic without usernames, and yes, it would be great to have this by Google etc... do you have more Apple IDs? It is just like email, not anonymous, and you want anonymous accounts etc... then you need an alias email for the same account.


-- 
GitHub Notification of comment by r-jo
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1833396226 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 30 November 2023 09:30:27 UTC