
Re: Releasing RWW.IO

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sat, 3 May 2014 21:29:00 +1000
Message-Id: <F6F057A3-C1FA-4BFD-8784-BC1C18041172@gmail.com>
Cc: Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>
To: Anders Rundgren <anders.rundgren.net@gmail.com>


Sent from my iPad

> On 3 May 2014, at 6:56 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>> On 2014-05-03 10:24, Tim Holborn wrote:
>> WebID TLS certs may need browser support in future, but I’m betting if the method works, it’ll likely get that browser support (one way or another).
>> 
>> It does not provide an entire solution however, it is simply a constituent of a solution IMHO.
> 
> If this project had started a year ago I would agree but it did actually start 5-6 years ago:
> http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html
> 
Could be worse http://motherboard.vice.com/read/americas-nuclear-arsenal-still-runs-off-floppy-disks

> The actual problem is that the W3C and the WebID folks didn't consider the fact that
> X.509-based client authentication already was widely established for things like e-government services
> and on-line banking but that these schemes practically without exception rely on proprietary
> browser plugins to get away from the limitations of TLS CCA.
> 
> When I suggested doing something about this I immediately became a "Persona Non Grata".
> When Google did the same (through U2F) they became the undisputed king on consumer authentication.
> Yes, the world is indeed rather "sheepish" but Google is a fairly good shepherd.
> 
> The previous king always claimed that the Internet ends at the AD (Active Directory) border.
> When they finally realized it did not, they had no option but joining the U2F bandwagon.
> 
> 
>> 
>> If you’d done enough testing, you’d have too many WebID Certificates. Right up until the point where you set up your own cert; manage it effectively, which in turn means you only need one Cert…
> 
> 
> It doesn't work like that, the problem is fully universal and not limited to WebID.
> 
> Anders
> definitely a very bad guy
> 
> 
>> 
>> I’ve still not sorted that out yet.
>> 
>> I think perhaps a back-up (or export) button on RWW.io might be a good idea, somewhere in the todo list.
>> 
>> timh.
>> 
>>> On 3 May 2014, at 6:08 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>> 
>>> Now I have tried it out as well including the micro-blogging.
>>> It was cool with one exception, TLS CCA (Client Certificate Authentication)
>>> 
>>> Logging in to http://cimba.co required me to select certificate twice and
>>> from a pretty long list of non-WebID certificates.
>>> 
>>> Unless W3C gets their act together and creates a web-compliant replacement
>>> for TLS CCA, WebID won't ever catch on.  I have no faith in W3C for taking
>>> any action on this since not even the requirements have ever been discussed.
>>> TLS is a sacred cow.
>>> 
>>> Fortunately Google hadn't any problems slaughtering this poor creature
>>> when they started their U2F project which has created a hype I haven't
>>> seen before during my 15Y+ in the "id-business".  It didn't take an
>>> eternity either.
>>> 
>>> Anders
>>> grumpy old fart with a mission
> 
Received on Saturday, 3 May 2014 11:29:35 UTC
