
Re: Browser usability of Certificates

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 21 Nov 2014 05:59:52 +0100
Message-ID: <546EC6C8.1010606@gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
CC: Mo McRoberts <Mo.McRoberts@bbc.co.uk>, "public-webid@w3.org" <public-webid@w3.org>
On 2014-11-20 23:17, henry.story@bblfish.net wrote:
>> On 20 Nov 2014, at 21:04, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>> Mo, could you drill down into the pain points, in order of what you see as the biggest, e.g. auth UI, keys across devices, lost keys, particular browsers, etc.
>>> +1 that would be very helpful.
>>> It looks like a big issue you have is due to Certificate Authorities. But once WebID removes that, what problems remain?
>> My guess is that the problems Mo referred to probably do not have much to do
>> with CAs, but with the processes involved with issuing and renewing certificates.
> I am interested in Mo's explanations Anders, not guesses at what others think
> his explanations are.

Having worked with consumer-PKI since 1996, my guesses should be fairly correct but
of course I also want to hear Mo's explanations.

Anyway, the bigger problem is that the bunch of large consumer-PKI deployments
(who simply can't use <keygen> and CertEnroll since these don't support two-factor
authentication = Key + PIN), have with the "outlawing" of browser-plugins effectively
been cast off the web! That is, they have converted their stuff to native.

If you add to that the fact that "Apps" is the thing powering Android and iOS, it
is pretty clear that browser-based TLS CCA is a mechanism that none of the vendors
intend to improve; since You, Kingsley and the US government maintain that it works
just fine in OS/X and Windows why should they even consider that?

FIDO have (in stark contrast to the W3C) managed to line-up the entire
industry and are now rolling out U2F which authenticates on application-level.

This is what Microsoft is currently pushing:
It has no links to TLS CCA as far as I can tell.

I would recommend looking into other [secure] methods for bootstrapping WebIDs.


> Henry
> Social Web Architect
> http://bblfish.net/
Received on Friday, 21 November 2014 05:00:27 UTC
