W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Microsoft's Information Cards. Was: UI for client cert selection (Was: Releasing RWW.IO)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 06 May 2014 22:22:49 +0200
Message-ID: <53694499.70205@gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
On 2014-05-06 21:02, Kingsley Idehen wrote:
<snip>
>>> Anders,
>>>
>>> Once you delve a litter deeper into RDF based Linked Data prowess, you
>>> will be more hopeful.
>>>
>>> I don't share your pessimism, and I've used every piece of technology to
>>> which you've made reference thus far.
>> Yes, the WebID group is like Microsoft stuck in an ever-lasting "denial" state.
>>
>> Fortunately, the world at large has moved on.
> 
> On to what?

Since WebID-TLS never delivered what it promised, the opposite in the form of
Facebook, Google and similar super-provider in China have become the de-facto
standard for social network login.

> The identity and privacy issues remain, even more so today. The big 
> social media networks don't have a solution, or what am I missing here? 
> A solution is one in which you (not them) control:
> 
> 1. your identity
> 2. calibration of your vulnerabilities online.

This was pretty much what Microsoft tried to do with Information Cards as
well but it failed.  IMO, because it was dogmatic, inflexible and didn't
consider those who had already invested heavily in X.509 client certs.


> 
>>
>> Personally, I believe that the primary designer of U2F, Google, prematurely dismissed
>> traditional X.509 client certificates as a useless and privacy-impeding technology.
> 
> Yes, that's a personal view, so who knows? :-)
> 
>> Could this maybe have something to do with HTML5's <keygen> as well?
>> To my knowledge no mobile bank is using this piece of junk which is the current
>> enrollment solution in Android. iOS doesn't support <keygen> although Apple was
>> very keen that it became a W3C standard :-)
> 
> Apple doesn't need <keygen/> . It knows how to handle crypto data. It 
> also knows a lot about UI and UX.

Apple's counterpart to <keygen/> doesn't match banks requirements neither
regarding the UX nor functionality.  It's not even possible to assign a
PIN to a key.


> 
>>
>> As I see it, the X.509 client-side-cert journey have just begun!
>> The predecessors disappeared somewhere along the road and no search-party were ever sent out...
>>
>> That's optimism :-)
> 
> X.509 + HTTP URIs == Webby PKI (or PKI webized). That's what's going to 
> win out, ultimately. Nothing to do with my prediction capabilities, 
> everything to do with the dexterity inherent in the aforementioned 
> infrastructure and the identity combined with identity + privacy issues 
> tsunami headed the way of all the current social media behemoths. Ditto 
> the banks.

Building a decentralized system is technically much more difficult than
a centralized system regardless of what it does.

Paypal and Google can with ease deploy strong authentication using U2F,
something their distributed counterparts (like banks) cannot since they
haven't any suitable technology for doing that.

Nothing will happen until the above is a fact based on conventional wisdom
which says that things must screw-up completely to make change inevitable.

I leave it to TimBL to call for proposals.

Anders

> 
> 
> Kingsley
>>
>> Anders
>>
>>
>>
>>
> 
> 
Received on Tuesday, 6 May 2014 20:23:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC