Future of TLS CCA. Was: Signalling WebID Certificates - the CN=WebID, O={} CA

Henry,
I suggest that we ditch this thread and recapture it two years from now.

At that time I expect TLS CCA's "market-share" for PKI-based user authentication
on the web to have gone down from its current level (20%?) to maybe half.

At the same time I also expect the SDO world to have "progressed" consumer-PKI
approximately zero, for the very simple reason that the next step will have
to go one level down in the platform (like Google's U2F), and that's a big
no-no for open discussions.  That Google's open source project Android, for
example, doesn't publish the wallet code is proof of that statement.

Consumer-PKI may very well have progressed through _other_ means than
traditional standardization :-)

Feel free to tell us what you expect to happen in this time-frame and who is
going to do it.

Cheers
Anders

On 2013-12-08 11:54, Henry Story wrote:
> 
> On 7 Dec 2013, at 17:45, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>> On 2013-12-07 16:56, Henry Story wrote:
>>
>>>   certificate_authorities
>>>      A list of the distinguished names [X501] of acceptable
>>>      certificate_authorities, represented in DER-encoded format.  These
>>>      distinguished names may specify a desired distinguished name for a
>>>      root CA or for a subordinate CA; thus, this message can be used to
>>>      describe known roots as well as a desired authorization space.  If
>>>      the certificate_authorities list is empty, then the client MAY
>>>      send any certificate of the appropriate ClientCertificateType,
>>>      unless there is some external arrangement to the contrary.
>>>
>>> Now there may be other ways to solve the problem. That is why I sent a mail 
>>> to the current IETF TLS mailing list, to check if there were
>>> other possibilities current or ones that were being prepared for
>>> future specs.
>>
>> The TLS WG have expressed no interests in such issues.
>>
>> Not even implementations care about the spec extract you refer to:
>> https://code.google.com/p/android/issues/detail?id=38393
> 
> Bugs get fixed. As we deploy WebID more there will be more backlash
> against such bugs, and so they'll get fixed faster.
> 
>>
>> The TLS credential filtering is clearly inferior, but the TLS WG seems to take pride in ignoring consumers, like many other IETF groups.
>> PKIX's latest certificate enrollment protocol (EST) addresses neither the web nor mobile banking using "Apps".
>> It remains a mystery (to me at least) what EST is actually targeting.
>>
>> Possibly the whole consumer-PKI space is outside of the range of current SDOs.
>> W3C's WebCrypto failed on this one as well so it seems that this is close to a "Universal Truth".
> 
> There is a lot of change going on since Snowden's revelations. So I think
> you are going to need to revise a lot of your assumptions.
> See:
>   http://www.economist.com/blogs/babbage/2013/11/internet-after-snowden
> 
> And Bruce Schneier's talk at the IETF special meeting
>   http://www.youtube.com/watch?v=oV71hhEpQ20
> 
> Henry
> 
>>
>> Cheers
>> Anders
>>
> 
> Social Web Architect
> http://bblfish.net/
> 

Received on Sunday, 8 December 2013 16:00:57 UTC
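Added example, not part of this thread or of any project mentioned in it: a small Python parser for the TLS 1.2 CertificateRequest body that the quoted certificate_authorities text describes, decoding each DER-encoded distinguished name and applying the empty-list rule. The sample messages, the DN encoder and all helper names are constructed for this illustration; only the two attribute OIDs and the rsa_sign/sha256/rsa code points are real values from the RFCs.

```python
import struct

ATTR_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}  # real id-at-commonName / id-at-organizationName
OID_NAMES = {oid: name for name, oid in ATTR_OIDS.items()}

def der(tag, content):  # minimal DER TLV with short-form length, enough for the samples below
    return bytes([tag, len(content)]) + content

def encode_name(attrs):  # X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {OID, UTF8String})), one RDN each
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, ATTR_OIDS[a]) + der(0x0C, v.encode())))
                              for a, v in attrs))

def der_tlv(buf, pos):  # (tag, value, next_pos) for the DER element at pos; long-form lengths handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # low 7 bits give the number of length bytes that follow
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_name(name_der):  # inverse of encode_name: walk each RDN, return [(attr, value)]
    _, rdn_seq, _ = der_tlv(name_der, 0)
    out, pos = [], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_tlv(rdn_seq, pos)
        _, atv, _ = der_tlv(rdn_set, 0)
        _, oid, vpos = der_tlv(atv, 0)
        _, value, _ = der_tlv(atv, vpos)
        out.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8")))
    return out

def parse_certificate_request(body):
    """Split a TLS 1.2 CertificateRequest body (RFC 5246 s7.4.4) into its three vectors."""
    cert_types, pos = list(body[1:1 + body[0]]), 1 + body[0]
    (sig_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sig_len, 2)]; pos += sig_len
    (ca_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end, cas = pos + ca_len, []
    while pos < end:  # each DistinguishedName is its own 16-bit-length-prefixed opaque vector
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        cas.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}

def accepts_any_client_cert(parsed):  # the quoted rule: empty CA list means any cert MAY be sent
    return not parsed["certificate_authorities"]

# Constructed sample bodies: certificate_type rsa_sign(1), signature algorithm sha256(4)/rsa(1).
SAMPLE_HEAD = bytes([1, 1]) + struct.pack("!H", 2) + bytes([4, 1])
EMPTY_CA_REQUEST = SAMPLE_HEAD + struct.pack("!H", 0)
SAMPLE_DN = encode_name([("CN", "WebID"), ("O", "{}")])
ONE_CA_REQUEST = SAMPLE_HEAD + struct.pack("!H", len(SAMPLE_DN) + 2) + struct.pack("!H", len(SAMPLE_DN)) + SAMPLE_DN
```

Running `parse_certificate_request` over a captured CertificateRequest from a real server shows exactly which CA names it advertises, which is the check to run when a client is suspected of ignoring an empty list.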