- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 08 Dec 2013 17:00:29 +0100
- To: Henry Story <henry.story@bblfish.net>
- CC: public-webid WebID Group <public-webid@w3.org>
Henry,

I suggest that we ditch this thread and recapture it two years from now.

At that time I expect TLS CCA's "market-share" for PKI-based user authentication on the web has gone down from its current level (20%?) to maybe half.

At the same time I also expect the SDO world having "progressed" consumer-PKI approximately zero for the very simple reason that the next step will have to go one level down in the platform (like Google's U2F) and that's a big no no for open discussions. That for example Google's open source project Android, doesn't publish the wallet code is a proof of that statement.

Consumer-PKI may very well have progressed through _other_ means than traditional standardization :-)

Feel free to tell us what you expect to happen in this time-frame and who is going to do it.

Cheers
Anders

On 2013-12-08 11:54, Henry Story wrote:
>
> On 7 Dec 2013, at 17:45, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> On 2013-12-07 16:56, Henry Story wrote:
>>
>>> certificate_authorities
>>>    A list of the distinguished names [X501] of acceptable
>>>    certificate_authorities, represented in DER-encoded format. These
>>>    distinguished names may specify a desired distinguished name for a
>>>    root CA or for a subordinate CA; thus, this message can be used to
>>>    describe known roots as well as a desired authorization space. If
>>>    the certificate_authorities list is empty, then the client MAY
>>>    send any certificate of the appropriate ClientCertificateType,
>>>    unless there is some external arrangement to the contrary.
>>>
>>> Now there may be other ways to solve the problem. That is why I sent a mail
>>> to the current IETF TLS mailing list, to check if there were
>>> other possibilities current or ones that were being prepared for
>>> future specs.
>>
>> The TLS WG have expressed no interest in such issues.
>>
>> Not even implementations care about the spec extract you refer to:
>> https://code.google.com/p/android/issues/detail?id=38393
>
> Bugs get fixed. As we deploy WebID more there will be more backlash
> against such bugs, and so they'll get fixed faster.
>
>>
>> The TLS credential filtering is clearly inferior but the TLS WG seems to take pride in ignoring consumers in similarity to many other IETF groups.
>> PKIX latest certificate enrollment protocol (EST) does neither address the web, nor address mobile banking using "Apps".
>> It remains a mystery (to me at least) what EST is actually targeting.
>>
>> Possibly the whole space consumer-PKI is outside of the range of current SDOs.
>> W3C's WebCrypto failed on this one as well so it seems that this is close to a "Universal Truth".
>
> There is a lot of change going on since Snowden's revelations. So I think
> you are going to need to revise a lot of your assumptions.
> See:
> http://www.economist.com/blogs/babbage/2013/11/internet-after-snowden
>
> And Bruce Schneier's talk at the IETF special meeting
> http://www.youtube.com/watch?v=oV71hhEpQ20
>
> Henry
>
>>
>> Cheers
>> Anders
>>
>
> Social Web Architect
> http://bblfish.net/
>

Received on Sunday, 8 December 2013 16:00:57 UTC