Re: Should WebIDs denote people or accounts?

On 2014-05-18 06:02, Sandro Hawke wrote:
> On May 17, 2014 2:38:00 PM EDT, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> ...
>>
>> In addition, the banks I talk about have at least FOUR MAGNITUDES
>> more users than WebID-TLS.  That they don't participate in W3C is
>> strange but OTOH, I don't see much (if any...) browser vendor
>> interest in WebID or WebPayments so it would be pointless for
>> banks to join at this stage.  It would be interesting to hear
>> what the W3C think about this.
> 
> I'm not quite sure which "this" you mean.
> 
> In general, W3C tries hard to operate where there is broad industry
> consensus.  Doing things not endorsed by the major players in some
> market rarely turns out well.

W3C supports HTTPS CCA (Client Certificate Authentication) as featured in
WebID-TLS but [almost] all big users (almost none being a W3C member...) of
strong consumer authentication have given up on HTTPS CCA for various reasons
including those listed on the first page of:
http://webpki.org/papers/PKI/webauth.pdf

The analysis performed in this list suggests that these problems can be fixed by
adjusting the UI in browsers.  As the document shows, this is a "simplification"
which thwarts progress as well as being ignored by the browser vendors
(which BTW are entirely *invisible* in this list).


> At the moment the W3C doesn't see anything like consensus around WebID,

One problem is that WebID *nowadays* only represents a way to represent
user information, i.e. WebID is NOT an authentication solution.

How, for example, banks represent their clients is of no importance to us
since they rarely (ever?) publish such information on the web for
consumption by *other* parties.


> or, I'm thinking, any other technology in that space.

Well, Google and their followers Microsoft, PayPal, RSA and ARM actually
launched a *ground-breaking* web-based authentication technology earlier this
year known as U2F (Universal Two Factor authentication).  For some reason
they chose to do that in the FIDO Alliance rather than in W3C.


> But clearly there are important use cases in this neighborhood,
> so hopefully there will be some convergence one of these days soon.

IMO, we are as far from this goal as is technically possible.
Authentication on the web is in the same state as secure and convenient
credit-card transactions on the web; i.e. this work hasn't actually started!

Bear in mind that Microsoft over the years has tried a number of things
and they have all failed miserably, like Passport, Information Cards,
U-Prove and last but not least VSC (Virtual Smart Cards) featured in W8.


> There are several ways such convergence can be recognized, BTW.

My 15Y+ experience of such efforts indicates that it requires a VERY INFLUENTIAL
vendor to get anywhere.  Today this is almost equivalent to Google given their
70% market-share in technology for mobile devices.

The other day I was in a meeting with a vendor who is considering
doing something in this space in http://www.linaro.org/
I think this may be a better way of doing things than a traditional
standardization effort: rather let the market decide what it
considers "the standard".

This forum clearly lacks the competence, funding and bandwidth needed
for creating a standards proposal like U2F.


> If the staff didn't pick up on it (and we can't be experts in everything),

The problem is really how to deal with issues, like authentication on the web,
that the big vendors DO NOT want to discuss in open forums.  Web Crypto
is fine but it has no ties to WebID or banks AFAICT.



> the representatives from the member organizations can suggest things, preferably getting enthusiastic support from other representatives, etc.

WebID and WebPayments are in desperate need of support but I don't see it happening.

> 
> Not sure if I answered your question at all, sorry.

Thanx
Anders

> 
>     - Sandro
> 
>>
>> Anders
> 
> 

Received on Sunday, 18 May 2014 05:01:10 UTC