Re: Releasing RWW.IO

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 03 May 2014 10:56:13 +0200
Message-ID: <5364AF2D.30205@gmail.com>
To: Tim Holborn <timothy.holborn@gmail.com>
CC: Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>

On 2014-05-03 10:24, Tim Holborn wrote:
> WebID TLS certs may need browser support in future, but I'm betting if the method works, it'll likely get that browser support (one way or another).
>
> It does not provide an entire solution however, it is simply a constituent of a solution IMHO.

If this project had started a year ago I would agree, but it actually started 5-6 years ago:
http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html

The actual problem is that the W3C and the WebID folks didn't consider the fact that
X.509-based client authentication already was widely established for things like e-government services
and on-line banking but that these schemes practically without exception rely on proprietary
browser plugins to get away from the limitations of TLS CCA.

When I suggested doing something about this I immediately became a "Persona Non Grata".
When Google did the same (through U2F) they became the undisputed king of consumer authentication.
Yes, the world is indeed rather "sheepish" but Google is a fairly good shepherd.

The previous king always claimed that the Internet ends at the AD (Active Directory) border.
When they finally realized it did not, they had no option but to join the U2F bandwagon.


>
> If you'd done enough testing, you'd have too many WebID Certificates. Right up until the point where you set up your own cert; manage it effectively, which in turn means you only need one Cert


It doesn't work like that, the problem is fully universal and not limited to WebID.

Anders
definitely a very bad guy


>
> I've still not sorted that out yet.
>
> I think perhaps a back-up (or export) button on RWW.io might be a good idea, somewhere in the todo list.
>
> timh.
>
> On 3 May 2014, at 6:08 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> Now I have tried it out as well including the micro-blogging.
>> It was cool with one exception, TLS CCA (Client Certificate Authentication)
>>
>> Logging in to http://cimba.co required me to select certificate twice and
>> from a pretty long list of non-WebID certificates.
>>
>> Unless W3C gets their act together and creates a web-compliant replacement
>> for TLS CCA, WebID won't ever catch on.  I have no faith in W3C for taking
>> any action on this since not even the requirements have ever been discussed.
>> TLS is a sacred cow.
>>
>> Fortunately Google hadn't any problems slaughtering this poor creature
>> when they started their U2F project, which has created a hype I haven't
>> seen before during my 15Y+ in the "id-business".  It didn't take an
>> eternity either.
>>
>> Anders
>> grumpy old fart with a mission
>>
>>
Received on Saturday, 3 May 2014 08:56:52 UTC
