
Re: Simple Page-Owner Token (SPOT) Authentication

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 19 Nov 2014 15:24:12 +0100
Message-ID: <CAKaEYhKKzQLV5sS4QCCaUga8hyT1jN5i5Kf9nNenBLuQJ1Yq3w@mail.gmail.com>
To: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
Cc: Kingsley Idehen <kidehen@openlinksw.com>, "public-webid@w3.org" <public-webid@w3.org>
On 19 November 2014 14:33, Mo McRoberts <Mo.McRoberts@bbc.co.uk> wrote:

> We use TLS CCA within the BBC for access to production services and tools.
> Thousands upon thousands of people use them regularly. I'm an issuer for
> third parties who've signed NDAs to get certs, so I also have to deal with
> them when they get unstuck. I can tell you absolutely categorically that
> the CCA user experience *is* universally terrible, especially around
> cert/key management. I know this not because I'm jumping to conclusions on
> behalf of end-users, but because I have to support the end-users who are
> using CCA.
>

Mo, could you drill down into the pain points, in order of what you see as
the biggest, e.g. auth UI, keys across devices, lost keys, particular
browsers, etc.

Any thoughts on how we could make it better?


>
> M.
>
> > On  2014-Nov-19, at 13:16, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> >
> > On 11/18/14 9:42 PM, Sandro Hawke wrote:
> >> On 11/12/2014 01:01 AM, Anders Rundgren wrote:
> >>> On 2014-11-12 05:36, Sandro Hawke wrote:
> >>>> On 11/10/2014 06:39 AM, Melvin Carvalho wrote:
> >>>>> Just wanted to highlight this interesting work from Sandro
> >>>>
> >>>> Thanks.   I should say the design came out of discussions with Andrei Sambra,
> >>>> trying to avoid the problems with poor browser support of client certificates.
> >>>
> >>> Sandro, that's a very interesting statement since the W3C is just about to launch
> >>> a continuation of WebCrypto which indeed may be focused on certificates and browsers!
> >>>
> >>
> >> I'm just speaking for myself as a user and software developer; I'm not
> >> involved in that W3C work.  My feeling is the UX is terrible. My
> >> understanding is the only people who ever use it are people without a
> >> choice, like enterprise employees and university students.  What fraction
> >> of consumer websites use client certs for user authentication?   I've never
> >> seen one.   I think that's because the UX is so bad.
> >>
> >>      -- Sandro
> >
> > Sandro,
> >
> > If users are clueless about what they are doing, no amount of UX + UI
> > will solve that. This issue isn't just about browser implementations, it's
> > about the combined effects of understanding (on the parts of users and app
> > developers), UX, and UI.
> >
> > Focusing on the "UI/UX is bad" narrative will not fix anything. Which is
> > akin to the "RDF tools are bad" narrative.
> >
> > Why don't we try a little harder in regards to exploiting the pinhole
> > that TLS CCA offers? We've done that, and had success [1].
> >
> > Users don't have a major problem with TLS CCA once they understand
> > what's happening. Like many things (in my experience) it's developers that
> > are once again jumping to their own conclusions on behalf of end-users.
> >
> >
> > [1] http://youid.openlinksw.com -- Certificate Generator that produces
> > Certs that make TLS CCA interactions easier to understand (New HTML version
> > will soon be released).
> >
> > --
> > Regards,
> >
> > Kingsley Idehen
> > Founder & CEO
> > OpenLink Software
> > Company Web: http://www.openlinksw.com
> > Personal Weblog 1: http://kidehen.blogspot.com
> > Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
> > Twitter Profile: https://twitter.com/kidehen
> > Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
> > LinkedIn Profile: http://www.linkedin.com/in/kidehen
> > Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
> >
> >
>
>
> --
> Mo McRoberts - Chief Technical Architect - Archives & Digital Public Space,
> Zone 2.12, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA.
>
> Inside the BBC? My movements this week: http://neva.li/where-is-mo
>
Received on Wednesday, 19 November 2014 14:24:40 UTC
