Re: Browser usability of Certificates

On 11/20/14 3:04 PM, Anders Rundgren wrote:
> On 2014-11-20 19:38, henry.story@bblfish.net wrote:
>>
>>> On 19 Nov 2014, at 15:24, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>>>
>>>
>>>
>>> On 19 November 2014 14:33, Mo McRoberts <Mo.McRoberts@bbc.co.uk> wrote:
>>>
>>>     We use TLS CCA within the BBC for access to production services 
>>> and tools. Thousands upon thousands of people use them regularly. 
>>> I'm an issuer for third parties who've signed NDAs to get certs, so 
>>> I also have to deal with them when they get unstuck. I can tell you 
>>> absolutely categorically that the CCA user experience *is* 
>>> universally terrible, especially around cert/key management. I know 
>>> this not because I'm jumping to conclusions on behalf of end-users, 
>>> but because I have to support the end-users who are using CCA.
>>>
>>>
>>> Mo, could you drill down into the pain points, in order of what you 
>>> see as the biggest, e.g. auth UI, keys across devices, lost keys, 
>>> particular browsers, etc.
>>
>> +1 that would be very helpful.
>> It looks like a big issue you have is due to Certificate Authorities. 
>> But once WebID removes that, what problems remain?
>
> My guess is that the problems Mo referred to probably do not have much
> to do with CAs, but with the processes involved with issuing and
> renewing certificates.

And if that is the case (I can't speak for Mo), did I not raise 
alleviation of this matter via my YouID reference [1]?  Basically, 
demonstrating an application (for iOS, Android, Web Browsers) that 
enables easy WebID watermarked certificate generation combined with 
production of public artifacts that collectively address the "proof of 
work" via "mirrored claims" that drives protocols such as WebID-TLS.


>
> Mozilla's keygen was designed almost 20 years ago.  It doesn't
> support renewals.

So what? Simply load new certificates when they expire. You assume, 
incorrectly, that this is beyond the realm of comprehension for an 
end-user. How is this different from a credit card, passport, driver's 
license etc., in your pocket en route to some place where you will need 
to provide "proof of identity"?

Using real-world examples helps end-users understand technology. There 
are many ways to tell the same fundamental story, unfortunately, crypto 
typically centers around a single narrative laden with gobbledegook.

>
> HTTPS CCA works fine for the USG since they pay hideous sums per seat
> to keep PIV and CAC going.  The users only have one certificate to
> choose from so there are no UX issues either.
>
> Voila! Problem solved.  According to Microsoft.

A single certificate (identity card) misconception is a major part of 
the entire problem.

>
>
> The markets I'm talking about don't use the built-in PKI client since it
> works so poorly, they roll their own.
>
> Voila! Problem solved.  According to Microsoft.

That isn't their worldview.
>
>
> BTW, I heard that Mozilla recently removed the javascript logout
> method since the other vendors didn't want to support it...

Not surprised if they did (I haven't tested this lately). IMHO, they 
are more of a problem vector than the likes of Microsoft and Apple (who 
actually know much more about software development and deployment).


Kingsley
>
>
> Anders
>>
>>
>>>
>>> Any thoughts on how we could make it better?
>>>
>>>
>>>     M.
>>>
>>>     > On 2014-Nov-19, at 13:16, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>>     >
>>>     > On 11/18/14 9:42 PM, Sandro Hawke wrote:
>>>     >> On 11/12/2014 01:01 AM, Anders Rundgren wrote:
>>>     >>> On 2014-11-12 05:36, Sandro Hawke wrote:
>>>     >>>> On 11/10/2014 06:39 AM, Melvin Carvalho wrote:
>>>     >>>>> Just wanted to highlight this interesting work from sandro
>>>     >>>>
>>>     >>>> Thanks.   I should say the design came out of discussions 
>>> with Andrei Sambra,
>>>     >>> > trying to avoid the problems with poor browser support of 
>>> client certificates.
>>>     >>>
>>>     >>> Sandro, that's a very interesting statement since the W3C is 
>>> just about to launch
>>>     >>> a continuation of WebCrypto which indeed may be focused on 
>>> certificates and browsers!
>>>     >>>
>>>     >>
>>>     >> I'm just speaking for myself as a user and software 
>>> developer; I'm not involved in that W3C work.  My feeling is the UX 
>>> is terrible. My understanding is the only people who ever use it are 
>>> people without a choice, like enterprise employees and university 
>>> students.  What fraction of consumer websites use client certs for 
>>> user authentication?   I've never seen one.   I think that's because 
>>> the UX is so bad.
>>>     >>
>>>     >>      -- Sandro
>>>     >
>>>     > Sandro,
>>>     >
>>>     > If users are clueless about what they are doing, no amount of 
>>> UX + UI will solve that. This issue isn't just about browser 
>>> implementations, it's about the combined effects of understanding (on 
>>> the parts of users and app developers), UX, and UI.
>>>     >
>>>     > Focusing on the "UI/UX is bad" narrative will not fix 
>>> anything. Which is akin to the "RDF tools are bad" narrative.
>>>     >
>>>     > Why don't we try a little harder in regards to exploiting the 
>>> pinhole that TLS CCA offers? We've done that, and had success [1].
>>>     >
>>>     > Users don't have a major problem with TLS CCA once they 
>>> understand what's happening. Like many things (in my experience) it's 
>>> developers that are once again jumping to their own conclusions on 
>>> behalf of end-users.
>>>     >
>>>     >
>>>     > [1] http://youid.openlinksw.com -- Certificate Generator that 
>>> produces Certs that make TLS CCA interactions easier to understand (New 
>>> HTML version will soon be released).
>>>     >
>>>     > --
>>>     > Regards,
>>>     >
>>>     > Kingsley Idehen
>>>     > Founder & CEO
>>>     > OpenLink Software
>>>     > Company Web: http://www.openlinksw.com
>>>     > Personal Weblog 1: http://kidehen.blogspot.com
>>>     > Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
>>>     > Twitter Profile: https://twitter.com/kidehen
>>>     > Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
>>>     > LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>>     > Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
>>>     >
>>>     >
>>>
>>>
>>>     --
>>>     Mo McRoberts - Chief Technical Architect - Archives & Digital 
>>> Public Space,
>>>     Zone 2.12, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA.
>>>
>>>     Inside the BBC? My movements this week: http://neva.li/where-is-mo
>>
>> Social Web Architect
>> http://bblfish.net/
>>


-- 
Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this

Received on Thursday, 20 November 2014 21:53:20 UTC