- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 21 Nov 2014 05:59:52 +0100
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- CC: Mo McRoberts <Mo.McRoberts@bbc.co.uk>, "public-webid@w3.org" <public-webid@w3.org>
On 2014-11-20 23:17, henry.story@bblfish.net wrote: > >> On 20 Nov 2014, at 21:04, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: >> >>>> >>>> Mo, could you drill down into the pain points, in order of what you see as the biggest, e.g. auth UI, keys across devices, lost keys, particular browsers, etc. >>> >>> +1 that would be very helpful. >>> It looks like a big issue you have is due to Certificate Authorities. But once WebID removes that, what problems remain? >> >> My guess is that the problems Mo referred to probably do not have much to do >> with CAs, but with the processes involved with issuing and renewing certificates. > > I am interested in Mo's explantaions Anders, not guesses at what others think > his explanations are. Having worked with consumer-PKI since 1996, my guesses should be fairly correct but of course I also want to hear Mo's explanations. Anyway, the bigger problem is that the bunch of large consumer-PKI deployments (who simply can't use <keygen> and CertEnroll since these don't support two-factor authentication = Key + PIN), have with the "outlawing" of browser-plugins effectively been cast-off the web! That is, they have converted their stuff to native. If you to that add the fact that "Apps" is the thing powering Android and iOS it is pretty clear that browser-based TLS CCA is a mechanism that none of the vendors intend to improve; since You, Kingsley and the US government maintain that it works just fine in OS/X and Windows why should they even consider that? FIDO have (in stark contrast to the W3C) managed to line-up the entire industry and are now rolling out U2F which authenticates on application-level. This is what Microsoft is currently pushing: https://www.w3.org/2012/webcrypto/wiki/images/d/dd/CertAndKey_Management_Requirements_for_WebCrypto_microsoft.pdf It has no links to TLS CCA as far as I can tell. I would recommend looking into other [secure] methods for bootstrapping WebIDs. Anders > > > Henry > > > Social Web Architect > http://bblfish.net/ >
Received on Friday, 21 November 2014 05:00:27 UTC