
Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 06 May 2014 15:02:23 -0400
Message-ID: <536931BF.7010104@openlinksw.com>
To: public-webid@w3.org

On 5/6/14 12:26 AM, Anders Rundgren wrote:
> On 2014-05-06 00:51, Kingsley Idehen wrote:
>> On 5/5/14 12:09 PM, Anders Rundgren wrote:
>>> Around 2005 Microsoft announced its pretty cool Information Card concept with
>>> the hope that for example banks would adopt it.
>>> I told Microsoft folks early on that banks in the EU have already put their
>>> money on X.509 certificates but unfortunately they can't use the solution
>>> featured in Windows and IE.  If you fix that, they may indeed jump on the
>>> Information Card bandwagon.
>>> Microsoft neither listened to me nor checked with the banks what the problem
>>> could possibly be.
>>> Six years later they were forced to withdraw the entire Information Card concept
>>> from the market due to lack of adoption. It goes without saying that they haven't
>>> considered making X.509 client authentication useful for bank-users even in the most
>>> recent incarnations of Windows; they have rather opted for U2F like the competition.
>>> What I wanted to say with this is that "denial" is a human and natural reaction,
>>> but if the condition stays forever, it becomes a problem.
>>> In the WebID-TLS case the "defection" to U2F by all platform vendors except Apple
>>> and Mozilla indicates that it's time to "Kill Your Darlings" and move on.
>>> Anders
>> Anders,
>> Once you delve a little deeper into RDF based Linked Data prowess, you
>> will be more hopeful.
>> I don't share your pessimism, and I've used every piece of technology to
>> which you've made reference thus far.
> Yes, the WebID group is like Microsoft stuck in an ever-lasting "denial" state.
> Fortunately, the world at large has moved on.

On to what?

The identity and privacy issues remain, even more so today. The big 
social media networks don't have a solution, or what am I missing here? 
A solution is one in which you (not them) control:

1. your identity
2. calibration of your vulnerabilities online.

> Personally, I believe that the primary designer of U2F, Google, prematurely dismissed
> traditional X.509 client certificates as a useless and privacy-impeding technology.

Yes, that's a personal view, so who knows? :-)

> Could this maybe have something to do with HTML5's <keygen> as well?
> To my knowledge no mobile bank is using this piece of junk which is the current
> enrollment solution in Android. iOS doesn't support <keygen> although Apple was
> very keen that it became a W3C standard :-)

Apple doesn't need <keygen/>. It knows how to handle crypto data. It 
also knows a lot about UI and UX.

> As I see it, the X.509 client-side-cert journey has just begun!
> The predecessors disappeared somewhere along the road and no search-party was ever sent out...
> That's optimism :-)

X.509 + HTTP URIs == Webby PKI (or PKI webized). That's what's going to 
win out, ultimately. Nothing to do with my prediction capabilities, 
everything to do with the dexterity inherent in the aforementioned 
infrastructure and the identity combined with identity + privacy issues 
tsunami headed the way of all the current social media behemoths. Ditto 
the banks.

> Anders



Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 6 May 2014 19:02:45 UTC
