
Re: Releasing RWW.IO

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 3 May 2014 14:28:48 +0200
Message-ID: <CAKaEYhK9tU5XvbC7VAk1=PYHJf8aN0MnRa7DxRUpdBm-ys6K6w@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Tim Holborn <timothy.holborn@gmail.com>, Andrei Sambra <andrei.sambra@gmail.com>, public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>, Henry Story <henry.story@bblfish.net>
On 3 May 2014 10:56, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-05-03 10:24, Tim Holborn wrote:
> > WebID TLS certs may need browser support in future, but, I’m betting if
> > the method works, it’ll likely get that browser support (one way or
> > another).
> >
> > It does not provide an entire solution however, it is simply a
> > constituent of a solution IMHO.
>
> If this project had started a year ago I would agree but it actually
> started 5-6 years ago:
> http://www.w3.org/2008/09/msnws/papers/foaf+ssl.html
>

Do note that a webid is just an HTTP URI that gives a user profile in
turtle.  Also note that Facebook supports this, which is a billion
profiles, I think.  WebID can work with Facebook Connect if you want
to store your key in your browser.


>
> The actual problem is that the W3C and the WebID folks didn't consider the
> fact that
> X.509-based client authentication already was widely established for
> things like e-government services
> and on-line banking but that these schemes practically without exception
> rely on proprietary
> browser plugins to get away from the limitations of TLS CCA.
>
> When I suggested doing something about this I immediately became a
> "Persona Non Grata".
> When Google did the same (through U2F) they became the undisputed king on
> consumer authentication.
> Yes, the world is indeed rather "sheepish" but Google is a fairly good
> shepherd.
>

"Persona Non Grata" where?   Anyone offering to build a webid-u2f bridge
would be a plus, imho.


>
> The previous king always claimed that the Internet ends at the AD (Active
> Directory) border.
> When they finally realized it did not, they had no option but joining the
> U2F bandwagon.
>
>
> >
> > If you’d done enough testing, you’d have too many WebID Certificates.
> > Right-up until the point, where you set-up your own cert; manage it
> > effectively, which in-turn means you only need one Cert…
>
>
> It doesn't work like that, the problem is fully universal and not limited
> to WebID.
>
> Anders
> definitely a very bad guy
>
>
> >
> > I’ve still not sorted that out yet.
> >
> > I think perhaps a back-up (or export) button on RWW.io might be a good
> > idea, somewhere in the todo list.
> >
> > timh.
> >
> > On 3 May 2014, at 6:08 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> >
> >> Now I have tried it out as well including the micro-blogging.
> >> It was cool with one exception, TLS CCA (Client Certificate Authentication)
> >>
> >> Logging in to http://cimba.co required me to select certificate twice and
> >> from a pretty long list of non-WebID certificates.
> >>
> >> Unless W3C gets their act together and creates a web-compliant replacement
> >> for TLS CCA, WebID won't ever catch on.  I have no faith in W3C for taking
> >> any action on this since not even the requirements have ever been discussed.
> >> TLS is a sacred cow.
> >>
> >> Fortunately Google hadn't any problems slaughtering this poor creature
> >> when they started their U2F project which has created a hype I haven't
> >> seen before during my 15Y+ in the "id-business".  It didn't take an
> >> eternity either.
> >>
> >> Anders
> >> grumpy old fart with a mission
> >>
> >>
>
>
>
Received on Saturday, 3 May 2014 12:29:18 UTC
