Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Mon, 05 May 2014 22:22:20 +0200
Message-ID: <5367F2FC.6040301@gmail.com>
To: Andrei Sambra <andrei.sambra@gmail.com>
CC: public-webid <public-webid@w3.org>
On 2014-05-05 21:28, Andrei Sambra wrote:
> There is another aspect that most people tend not to see right away. X.509 certs and the whole PKI system have suffered several blows recently, with fewer and fewer people trusting the CA system. I'm pretty sure that banks are aware of this when they consider whether to deploy X.509 client certs for their customers.

Since the banks I'm talking about issue their own client certificates as well as running the associated CA, there is hardly a *technical* problem to solve here.
It could be an issue for banks when acting as TTPs, but these customers (typically government agencies) do not really have an option except also becoming issuers.

> Compared to PKI, WebID-TLS (even with its UI issues) still remains a strong candidate, since it doesn't rely on CAs, but instead on the WOT and asymmetric crypto (which has proven to work well so far).

How you create certificates is IMO independent of the subsequent authentication method. WOT may be just fine for WebID, but banks and governments do not rely on such concepts.

It is sad to hear that the WebID group is fixated on the UI issue, particularly since not even that part will likely get any resolution.

I'm sure that if we "Buried the Hatchet" and rather combined our areas of interest we could actually succeed in coming up with a usable and universal scheme, which BTW is the only way to ever get platform vendor attention. The bank-PKI-users are probably at least 50M, with 25M in Korea alone, which I think is at least FOUR MAGNITUDES bigger than the user-base for WebID-TLS.

> -- Andrei
> On Mon, May 5, 2014 at 12:09 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>     Around 2005 Microsoft announced its pretty cool Information Card concept with
>     the hope that for example banks would adopt it.
>     I told Microsoft folks early on that banks in the EU have already put their
>     money on X.509 certificates but unfortunately they can't use the solution
>     featured in Windows and IE.  If you fix that, they may indeed jump on the
>     Information Card bandwagon.
>     Microsoft neither listened to me nor checked with the banks what the problem
>     could possibly be.
>     Six years later they were forced to withdraw the entire Information Card concept
>     from the market due to lack of adoption. It goes without saying that they haven't
>     considered making X.509 client authentication useful for bank-users even in the most
>     recent incarnations of Windows; they have rather opted for U2F like the competition.
>     What I wanted to say with this is that "denial" is a human and natural reaction,
>     but if the condition stays forever, it becomes a problem.
>     In the WebID-TLS case the "defection" to U2F by all platform vendors except Apple
>     and Mozilla indicates that it's time to "Kill Your Darlings" and move on.
>     Anders
Received on Monday, 5 May 2014 20:22:50 UTC