- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sat, 03 May 2014 10:56:13 +0200
- To: Tim Holborn <timothy.holborn@gmail.com>
- CC: Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>
On 2014-05-03 10:24, Tim Holborn wrote: > WebID TLS certs may need browser support in future, but, i’m betting if the method works, it’ll likely get that browser support (one way or another). > > It does not provide an entire solution however, it is simply a constituent of a solution IMHO. If this project had started a year ago I would agree but it did actually started 5-6 years ago: http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html The actual problem is that the W3C and the WebID folks didn't consider the fact that X.509-based client authentication already was widely established for things like e-government services and on-line banking but that these schemes practically without exception rely on proprietary browser plugins to get away from the limitations of TLS CCA. When I suggested doing something about this I immediately became a "Persona Non Grata". When Google did the same (through U2F) they became the undisputed king on consumer authentication. Yes, the world is indeed rather "sheepish" but Google is a fairly good shepherd. The previous king always claimed that the Internet ends at the AD (Active Directory) border. When they finally realized it did not, they had no option but joining the U2F bandwagon. > > If you’d done enough testing, you’d have too many WebID Certificates. Right-up until the point, where you set-up your own cert; manage it effectively, which in-turn means you only need one Cert… It doesn't work like that, the problem is fully universal and not limited to WebID. Anders definitely a very bad guy > > I’ve still not sorted that out yet. > > i think perhaps a back-up (or export) button on RWW.io might be a good idea, somewhere in the todo list. > > timh. > > On 3 May 2014, at 6:08 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > >> Now I have tried it out as well including the micro-blogging. >> It was cool with one exception, TLS CCA (Client Certificate Authentication) >> >> Logging in to http://cimba.co required me to select certificate twice and >> from a pretty long list of non-WebID certificates. >> >> Unless W3C gets their act together and creates a web-compliant replacement >> for TLS CCA, WebID won't ever catch on. I have no faith in W3C for taking >> any action on this since not even the requirements have ever been discussed. >> TLS is a sacred cow. >> >> Fortunately Google hadn't any problems slaughtering this poor creature >> when they started their U2F project which have created a hype I haven't >> seen before during my 15Y+ in the "id-business". It didn't take an >> eternity either. >> >> Anders >> grumpy old fart with a mission >> >>
Received on Saturday, 3 May 2014 08:56:52 UTC