W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: UI for client cert selection (Was: Releasing RWW.IO)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 05 May 2014 11:19:28 +0200
Message-ID: <536757A0.7050607@gmail.com>
To: Jiří Procházka <ojirio@gmail.com>, Tim Berners-Lee <timbl@w3.org>
CC: public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>
On 2014-05-05 10:33, Jiří Procházka wrote:
> On 05/04/2014 05:13 AM, Anders Rundgren wrote:
<snip>

Hi Jiří,

> Hi everyone. Anders, I might be wrong, but I think the banking/e-gov use
> case is quite different from the major WebID use case - WebID as a
> single sign-on (SSO) solution.
> 
> I think the banks supply their own proprietary browser plugins because
> the problem they are solving is safely using the certificate established
> just for their use (one website), 

100% agreed. The question here is therefore why they *rejected* the built-in
HTTPS Client Certificate Authentication support which fully addresses this
[principally] simple use-case?

> while WebID needs a widely available
> client software with certificate selection UI which the users trust (so
> it is not supplied by websites), because they need to be able to trust
> it with their certificate which they use potentially on 100s of
> websites. 

100% agreed.

> Also doing something like the banks do (one-website
> certificates), would be impractical for WebID even if it was done by a
> standardized browser plugin, as there would be new UI/communication
> headache with binding the certificate generated for a particular
> website, with the WebID profile hosting solution of choice.

I'm not suggesting changing a *single line* of the WebID concept, I'm merely claiming
that the currently only fully specified authentication alternative is at an X-road.

That you can use "any" authentication scheme won't make WebID an SSO solution
which was I think at least Henry had in mind and IMO remains a very noble goal!

Since the banks and WebID as far as I can tell, can use *exactly the same solution*,
I believe that there could be a way reaching "critical mass" for a new scheme,
something which I'm pretty sure WebID (or the banks) alone won't ever achieve.

The EU banks have invested more than $1Bn in X.509 technology for client authentication
and will therefore very unlikely switch to U2F (in its current incarnation).

Best
Anders


> 
> Best regards,
> JP
> 
>> Due to this and a bunch of other issues related to HTTPS Client Cert Auth, I believe that we need a somewhat bigger "patch" to actually get anywhere.
>>
>> FWIW, I hereby submit a concept and sample implementation which I believe could be a suitable replacement both for the TLS-solution in WebID-TLS as well as for the proprietary systems used in the EU:
>> http://webpki.org/papers/PKI/webauth.pdf
>>
>> I encourage other developers in this space to do the same.
>> The W3C may then run a "beauty contest" and select a concept for standardization :-)
>>
>> Cheers
>> AndersR
>>
>>
>>>
>>> timbl
>>>
>>>
>>>
>>>
>>>
>>
>>
> 
Received on Monday, 5 May 2014 09:20:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC