W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: WebID-TLS lacks server logout

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 18 May 2014 09:59:01 +0200
Message-ID: <CAKaEYhKK6PVQc6A8X08wafcc01QHt6xXWmHE1GdwNJDncdgEdA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webid@w3.org" <public-webid@w3.org>
On 18 May 2014 09:40, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-05-18 09:22, Melvin Carvalho wrote:
> >
> >
> >
> > On 18 May 2014 08:54, Anders Rundgren <anders.rundgren.net@gmail.com<mailto:
> anders.rundgren.net@gmail.com>> wrote:
> >
> >     This limitation has been discussed in various W3C forums for at
> least two years.
> >     As far as I know *none* of the browser vendors have ever commented
> on this.
> >
> >     To me that says: The browser vendors do not care about HTTPS CCA
> (Client
> >     Certificate Authentication) at all.
> >
> >     Hoping for improvements in HTTPS CCA is a pure waste of time; it is
> better
> >     start playing with other authentication technologies.  There are
> such.
> >
> >
> > FWIW
> >
> > Personally, I *love* this feature, since, like most people, I dont use a
> shared computer.
> >
> > Let's face it, if you shared your computer, you've lost all your
> security already ...
>
> I don't disagree but banks do not like the idea that you may be logged in
> for
> days without doing anything.  It all goes back to the fact that HTTPS CCA
> is
> incompatible with established methods for maintaining web sessions.
>

Surely they can just break the session on the server side, then.  Like they
do already with cookies?


>
> That's all.
>
> Anders
>
> Anders
>
>
> >
> >
> >
> >     Anders
> >
> >
>
>
Received on Sunday, 18 May 2014 07:59:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC