Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO) from Anders Rundgren on 2014-05-06 (public-webid@w3.org from May 2014)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 06 May 2014 06:26:18 +0200
To: Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
Message-ID: <5368646A.3040502@gmail.com>

On 2014-05-06 00:51, Kingsley Idehen wrote:
> On 5/5/14 12:09 PM, Anders Rundgren wrote:
>> Around 2005 Microsoft announced its pretty cool Information Card concept with
>> the hope that for example banks would adopt it.
>>
>> I told Microsoft folks early on that banks in the EU have already put their
>> money on X.509 certificates but unfortunately they can't use the solution
>> featured in Windows and IE.  If you fix that, they may indeed jump on the
>> Information Card bandwagon.
>>
>> Microsoft did neither listen to me nor checked with the banks what the problem
>> could possibly be.
>>
>> Six years later they were forced withdrawing the entire Information Card concept
>> from the market due to lack of adoption. It goes without saying that they haven't
>> considered making X.509 client authentication useful for bank-users even in the most
>> recent incarnations of Windows; they have rather opted for U2F like the competition.
>>
>> What I wanted to say with this is that "denial" is a human and natural reaction,
>> but if the condition stays forever, it becomes a problem.
>>
>> In the WebID-TLS case the "defection" to U2F by all platform vendors except Apple
>> and Mozilla indicates that it's time to "Kill Your Darlings" and move on.
>>
>> Anders
> Anders,
> 
> Once you delve a litter deeper into RDF based Linked Data prowess, you 
> will be more hopeful.
> 
> I don't share your pessimism, and I've used every piece of technology to 
> which you've made reference thus far.

Yes, the WebID group is like Microsoft stuck in an ever-lasting "denial" state.

Fortunately, the world at large has moved on.

Personally, I believe that the primary designer of U2F, Google, prematurely dismissed
traditional X.509 client certificates as a useless and privacy-impeding technology.
Could this maybe have something to do with HTML5's <keygen> as well?
To my knowledge no mobile bank is using this piece of junk which is the current
enrollment solution in Android. iOS doesn't support <keygen> although Apple was
very keen that it became a W3C standard :-)

As I see it, the X.509 client-side-cert journey have just begun!
The predecessors disappeared somewhere along the road and no search-party were ever sent out...

That's optimism :-)

Anders

>

Received on Tuesday, 6 May 2014 04:26:49 UTC