Re: Releasing RWW.IO

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Sun, 04 May 2014 17:29:08 -0400
Message-ID: <5366B124.5070701@openlinksw.com>
To: public-webid@w3.org

On 5/3/14 7:42 AM, Anders Rundgren wrote:
> On 2014-05-03 13:19, Melvin Carvalho wrote:
>> On 3 May 2014 10:08, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>      Now I have tried it out as well including the micro-blogging.
>> Awesome.  I typed your name "A n d e r" into the channel finder and your webid came up after about 3 letters.  I'm now following you.
>>      It was cool with one exception, TLS CCA (Client Certificate Authentication)
>>      Logging in to http://cimba.co required me to select a certificate twice and
>>      from a pretty long list of non-WebID certificates.
>>      Unless W3C gets their act together and creates a web-compliant replacement
>>      for TLS CCA, WebID won't ever catch on.  I have no faith in W3C for taking
>>      any action on this since not even the requirements have ever been discussed.
>>      TLS is a sacred cow.
>> I think there's a slight distinction between WebID and WebID+TLS.
>> WebID itself is independent of the auth mechanism.
> Yes, this enhancement was introduced as a "workaround".

Not a workaround, a point of fundamental clarity.

Conflating things never works. WebID as the moniker for WebID-TLS 
protocol was a piece of poor marketing and technology evangelism. This 
bug has been fixed, and we just need to make this crystal clear to 

A WebID is simply an HTTP URI that denotes an Agent. That's it.

>> One hope was that Mozilla Labs would help with the UX, as below.
>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
> That's where it gets wrong, there is no UX problem to solve. It is the
> underpinning TLS CCA scheme that is the sole culprit which is why Google,
> Microsoft, PayPal, RSA, ARM (!), etc. abandoned it in favor of U2F.

Yes, and all this really means is simply this: incorporate as much of 
WebID-TLS into U2F as possible. That's what we will do, as our natural 
instinct, at OpenLink Software.

> Your best option at this stage is probably defining a WebID-U2F profile.

Yep! As per my comments above.

> Personally, I'm not overly interested in U2F, it is much simpler making
> client-side X.509 "web-compatible" by building on the already established
> schemes out there.

Yes, but that's a problem due to the manner in which Browsers have been 
implemented and the impossible politics that swirls around getting them 
to fix this flaw.

> Anders
>>      Fortunately Google hadn't any problems slaughtering this poor creature
>>      when they started their U2F project which has created a hype I haven't
>>      seen before during my 15Y+ in the "id-business".  It didn't take an
>>      eternity either.
>>      Anders
>>      grumpy old fart with a mission



Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Sunday, 4 May 2014 21:29:33 UTC
