Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 05 May 2014 18:57:27 -0400
Message-ID: <53681757.600@openlinksw.com>
To: public-webid@w3.org

On 5/5/14 3:28 PM, Andrei Sambra wrote:
> There is another aspect that most people tend not to see right away.
> X.509 certs and the whole PKI system have suffered several blows
> recently, with fewer and fewer people trusting the CA system. I'm pretty
> sure that banks are aware of this when they consider whether to deploy
> X.509 client certs for their customers.
> Compared to PKI, WebID-TLS (even with its UI issues) still remains a
> strong candidate, since it doesn't rely on CAs, but instead on the WOT
> and asymmetric crypto (which was proven to work well so far).
> -- Andrei

That's it in a nutshell.

The flaws in CA-controlled PKI are bleeding, as demonstrated by Heartbleed.

There are many aspects to what dereferenceable URIs (e.g., HTTP URIs) as
denotation mechanisms offer. Even more so when combined with structured 
data endowed with human and machine comprehensible entity relationship 

Ironically, as I've indicated to you repeatedly, I have used your 
examples, including the technologies you've referenced thus far. My 
confidence in the utility, and eventual mass adoption, of webby PKI
remains resolute :-)

> On Mon, May 5, 2014 at 12:09 PM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>
>     Around 2005 Microsoft announced its pretty cool Information Card
>     concept with the hope that for example banks would adopt it.
>
>     I told Microsoft folks early on that banks in the EU have already
>     put their money on X.509 certificates but unfortunately they can't
>     use the solution featured in Windows and IE.  If you fix that, they
>     may indeed jump on the Information Card bandwagon.
>
>     Microsoft neither listened to me nor checked with the banks what
>     the problem could possibly be.
>
>     Six years later they were forced to withdraw the entire Information
>     Card concept from the market due to lack of adoption. It goes
>     without saying that they haven't considered making X.509 client
>     authentication useful for bank-users even in the most recent
>     incarnations of Windows; they have rather opted for U2F like the
>     competition.
>
>     What I wanted to say with this is that "denial" is a human and
>     natural reaction, but if the condition stays forever, it becomes a
>     problem.
>
>     In the WebID-TLS case the "defection" to U2F by all platform
>     vendors except Apple and Mozilla indicates that it's time to "Kill
>     Your Darlings" and move on.
>
>     Anders

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 5 May 2014 22:57:49 UTC