- From: Jiří Procházka <ojirio@gmail.com>
- Date: Mon, 05 May 2014 15:22:04 +0200
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Tim Berners-Lee <timbl@w3.org>
- CC: public-webid <public-webid@w3.org>, "public-rww@w3.org" <public-rww@w3.org>
- Message-ID: <5367907C.7080706@gmail.com>
On 05/05/2014 11:19 AM, Anders Rundgren wrote:
> On 2014-05-05 10:33, Jiří Procházka wrote:
>> On 05/04/2014 05:13 AM, Anders Rundgren wrote:
> <snip>
>
> Hi Jiří,
>
>> Hi everyone. Anders, I might be wrong, but I think the banking/e-gov use
>> case is quite different from the major WebID use case - WebID as a
>> single sign-on (SSO) solution.
>>
>> I think the banks supply their own proprietary browser plugins because
>> the problem they are solving is safely using the certificate established
>> just for their use (one website),
>
> 100% agreed. The question here is therefore why they *rejected* the built-in
> HTTPS Client Certificate Authentication support which fully addresses this
> [principally] simple use-case?
>
>> while WebID needs a widely available
>> client software with certificate selection UI which the users trust (so
>> it is not supplied by websites), because they need to be able to trust
>> it with their certificate which they use potentially on 100s of
>> websites.
>
> 100% agreed.
>
>> Also doing something like the banks do (one-website
>> certificates), would be impractical for WebID even if it was done by a
>> standardized browser plugin, as there would be new UI/communication
>> headache with binding the certificate generated for a particular
>> website, with the WebID profile hosting solution of choice.
>
> I'm not suggesting changing a *single line* of the WebID concept, I'm merely claiming
> that the currently only fully specified authentication alternative is at an X-road.
>
> That you can use "any" authentication scheme won't make WebID an SSO solution
> which was I think at least Henry had in mind and IMO remains a very noble goal!
>
> Since the banks and WebID as far as I can tell, can use *exactly the same solution*,
> I believe that there could be a way reaching "critical mass" for a new scheme,
> something which I'm pretty sure WebID (or the banks) alone won't ever achieve.
>
> The EU banks have invested more than $1Bn in X.509 technology for client authentication
> and will therefore very unlikely switch to U2F (in its current incarnation).

Right, in short: now it is best for the banks to have their own implementations which they vouch for to their clients, but we want to be working towards a solution with secure implementations across all platforms and browsers, supporting both the use case of the banks and the SSO WebID scenario.

What I don't understand is how your proposal fits into this and what it actually is, as what I have seen in the PDF are basically just 2 JSON structures... what are you proposing to be done? How does it relate to WebID-TLS? What exactly are the non-UX issues of HTTPS CCA?

Best,
JP
Received on Monday, 5 May 2014 13:22:46 UTC