- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 28 Sep 2012 22:27:49 +0200
- To: Ben Laurie <benl@google.com>
- Cc: Henry Story <henry.story@bblfish.net>, public-webid <public-webid@w3.org>
- Message-ID: <CAKaEYhJG4rJsWY+RmUOaCjDmX=cRJxYjLKnoN9gZOCjW_X89CA@mail.gmail.com>
On 27 September 2012 10:51, Ben Laurie <benl@google.com> wrote:

> On 26 September 2012 17:10, Henry Story <henry.story@bblfish.net> wrote:
> >
> > On 26 Sep 2012, at 17:54, Ben Laurie <benl@google.com> wrote:
> >
> >> On 26 September 2012 14:24, Henry Story <henry.story@bblfish.net> wrote:
> >>> Here is how that would look if we were to imagine a user (me) using Google+.
> >>>
> >>> One day I go to google plus on my desktop browser and Google Plus entices me to
> >>> "Use WebID and login securely across the web"
> >>> I click on that banner, and pronto, a certificate is created and transferred to
> >>> my browser. (ok perhaps you add an intermediate page with helpful explanations
> >>> and cool demos)
> >>>
> >>> Next I am walking down the street with my Android. Google+ is clever enough to
> >>> notice that my android does not have a certificate - it does a TLS request for a
> >>> client certificate, but receives none - and so asks me
> >>> "Hi Henry, get a WebID certificate for your phone too"
> >>> I click the banner and oops I have a certificate in Android.
> >>>
> >>> Once I have a certificate for a device, I can log into any web site that supports
> >>> WebID in one click. I can also determine for any site how much information I wish
> >>> to give that site about me - using access control on information at my profile.
> >>> Something we need to work on still.
> >>
> >> You seem to have missed out a step - how do these web sites know about
> >> my new WebID?
> >
> > In the scenario described I get my (personal) WebID from Google+ . If I were
> > employed by the W3C I would then get a professional WebID by doing the same
> > procedure on my W3C profile page.
> >
> > So I then go to say the website of a friend of mine who has his personal web
> > server, at a domain joe.name . When I arrive on the front page of
> > https://joe.name/ that site does not ask me to log in, it gives me public
> > information that joe is happy for anyone to know. Then perhaps I want to login,
> > so I click the login button, and this sets up a procedure described in the spec
> >
> >   http://www.w3.org/2005/Incubator/webid/spec/#connecting-at-the-application-layer
> >
> > which starts with a TLS renegotiation and a request for the client certificate
> > as explained in the TLS spec.
>
> How does joe.name know this certificate represents you?
>
> > If that results in no certificate a pop up can appear, and any number of other
> > authentication systems can be proposed to the user.
> >
> >> Also, if I've been using WebID to log into google for some time, and
> >> my Android phone is new, how do I get logged into G+ in order for
> >> Google to notice that I do not have a cert?
> >
> > You use a password there for Google+ . Luckily you only need one or two
> > passwords, so those could be really long and easy to remember - and also dead
> > safe. I don't think I heard that anyone had trouble connecting to Google+ at
> > present with any number of devices, even though people have to remember
> > passwords to do so?
>
> People forget passwords all the time, even though they have to use
> them regularly. The problem gets much worse for passwords that are
> used rarely.
>
> > The issue we are trying to deal with is having to remember a password for all
> > the other sites, and the duplication of information that comes with that, the
> > lack of security this duplication brings, the centralisation of information
> > that are the consequences of the difficulty of having all of the above be easy
> > to use - and so the consequent loss of privacy. WebID solves the privacy
> > problem, because it no longer requires centralisation of all information on
> > one mega server, and it allows cross domain identification and cooperation. It
> > helps create a Social Web, as opposed to a social network. (you will find more
> > on that on my home page)
>
> I totally understand the goals, and I have no argument with them. My
> concerns are purely around usability. But apparently you don't want to
> hear that - you think you have a usable solution. So what's your
> explanation for lack of adoption?

What about users that wish to take their identity with them across multiple sites, and are happy to reveal who they are on registration / login? In this case you would have one certificate, which is generally what I do. Would you consider that a usable solution?
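The login step Henry describes (the site requests a client certificate during TLS and offers another method when none arrives) and the check Ben asks about ("how does joe.name know this certificate represents you?") can be sketched as the relying site's decision logic. The following is an added example, not code from this thread or from the WebID specification it links to. It follows the WebID-TLS rule that the profile URI in the certificate's subjectAltName is only a claim, confirmed by fetching that profile and comparing the public key it publishes with the key in the certificate. The `ClientCert` class, the `PROFILES` table standing in for the HTTPS fetch of an RDF profile, the `plus.google.example` domain and all key values are constructed for the example and are not taken from the thread.

```python
"""Relying-site login decision for WebID-TLS (added example, constructed data).

The certificate and the profile store are stand-ins: nothing is fetched and
no real TLS handshake happens. A deployment would read the peer certificate
from the TLS layer and parse the profile document served at the SAN URI.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urldefrag


@dataclass(frozen=True)
class ClientCert:
    # Shape modelled on ssl.SSLSocket.getpeercert(): subjectAltName is a
    # tuple of (type, value) pairs; WebID places the profile URI in a 'URI'
    # entry. modulus/exponent stand in for the certificate's RSA public key.
    subject_alt_name: tuple
    modulus: int
    exponent: int


# Constructed stand-in for dereferencing a WebID profile document:
# profile document URL -> {WebID -> set of (modulus, exponent) it publishes}.
# Henry's personal WebID comes from his Google+ profile (placeholder domain);
# joe.name only needs to be able to fetch that document.
PROFILES = {
    "https://plus.google.example/henry": {
        "https://plus.google.example/henry#id": {(0xBEEF, 65537)},
    },
}


def webid_candidates(cert: ClientCert) -> list:
    """Every URI-typed SAN entry is a WebID claim; none is trusted yet."""
    return [value for kind, value in cert.subject_alt_name if kind == "URI"]


def published_keys(webid: str, fetch=PROFILES.get) -> set:
    """Keys the WebID's own profile document publishes for that WebID."""
    document, _fragment = urldefrag(webid)
    return (fetch(document) or {}).get(webid, set())


def verify_webid(cert: ClientCert) -> Optional[str]:
    """First claimed WebID whose profile lists the certificate's key, else None."""
    for webid in webid_candidates(cert):
        if (cert.modulus, cert.exponent) in published_keys(webid):
            return webid
    return None


def login_decision(cert: Optional[ClientCert]) -> tuple:
    """("webid", uri) when a claim verifies, otherwise ("fallback", None).

    "fallback" is the point where the site offers other authentication, as the
    thread describes for a device that has no certificate yet.
    """
    if cert is None:
        return ("fallback", None)  # TLS asked for a certificate, none arrived
    webid = verify_webid(cert)
    if webid is None:
        return ("fallback", None)  # certificate presented, but the claim did not verify
    return ("webid", webid)


if __name__ == "__main__":
    henry_phone = ClientCert(
        (("URI", "https://plus.google.example/henry#id"),), 0xBEEF, 65537
    )
    print(login_decision(henry_phone))
    print(login_decision(None))
```

The point for a relying site is that a certificate naming someone else's WebID in its SAN, but carrying a different key, ends up at `fallback` exactly like a missing certificate: the profile owner controls which keys are listed, so only a key they published is accepted for their URI.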
Received on Friday, 28 September 2012 20:28:17 UTC