Re: YouID for Android Released

On 2014-05-22 01:23, Peter Williams wrote:
> I've kinda moved on from pure browser theory (and I know that will alarm some purists).

Most other people into mobile authentication have done so too.

>
> But, the good news I feed is that the nouveau world of sandboxed apps (that talk https) still used good ol' X.509 certs. Indeed, they make rather better use of client-authn certs than browsers EVER did. In some sense, it's like browsers were supposed to be (before PGP theorists threw out the baby with the bath water, for a quick fix [that didn't scale to a global trust model suiting consumers]).

Yes, browsers have essentially not improved since their inception w.r.t. X.509 client cert authentication.


>
> Though we are JUST ABOUT to catch up with app-fever (started 4 years ago), we know that we do so ONLY because apps themselves are evolving - to (GUESS WHAT) be more like web-era browsers (doing HTML rendering, and HTML5-mediation to device-API features like location sensors or NSA’s remote microphones).
>
> So, I feel that the linked-data story now has to merge with client certs mgt used now in app land - where the MDM (mobile device manager) PROVISIONS the client cert, typically used to control the posture of the device - limiting its open behaviour to fit an endpoint security model. If we do so, then one has a hybrid trust model world, that is not just an NSA/CIA/DHS/NIST/FISMA/openid cyberwar prep initiative. The same cert can also be used in webby interactions (for loosely coupled trust models). That the set of such interactions IS constrained by the MDM (which says one can ONLY talk to certain linked data endpoints) by governance policy does NOT worry me - since we are SEEKING a nouveau happyland, that mixes public/enterprise/cloud/personal models of crypto that are NOT founded in internet militarism.

The belief that "the same certificate" can be used in multiple and completely independent contexts is something that this group has got wrong, which isn't very surprising since it is ignoring existing X.509 markets like on-line banks. The same goes for the importance of Linked Data in other contexts than the social web. Yes, IoT may be another venue but this field is owned by the "things"-vendors and they don't seem to hang out here.

Statements like "take full control of your online (Web and Internet) Identity" may sound cool but have essentially no value since just about all service providers have their own "identity system" which you either accept or reject. The latter means you won't be able to use their services. Calling this "take full control" is IMO quite a stretch.

Wouldn't it be better if this group realized that it is working on a particular problem and saw how that can play together with other identity-using applications? Then WebID could eventually even get a more useful authentication solution, something it will never be able to get on its own!

thanx,
Anders

Received on Thursday, 22 May 2014 04:55:57 UTC