- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 07 Jan 2015 21:20:23 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: Kingsley Idehen <kidehen@openlinksw.com>, public-webid <public-webid@w3.org>
Showdown is quickly approaching :-)
http://lists.w3.org/Archives/Public/public-web-security/2015Jan/0004.html

On 2015-01-07 16:23, Melvin Carvalho wrote:
> On 6 January 2015 at 21:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> > Melvin,
> > I'm 100% into authentication and I have never encountered WebID-TLS in the wild.
> > That WebID has a value of its own is possible but to me WebID without TLS appears like a car without motor.
>
> Yes I understand. Good analogy with car and motor. In fact most of us in the WebID group had the same opinion for the first few years.
>
> It was only when we met at TPAC, and timbl helped us, that we understood that identity could stand alone and even that it was useful.
>
> If you read the axioms I posed, you may have noticed that the design of the web was based on modularity. So as I pointed out there is a team working on 140+ authentication systems for WebID.
>
> Why not make it 141?
>
> Very often you'll see closed or proprietary systems making the pitch "you can take our identity system, but only if you use our authentication system". It's one way to do it, but it's not how WebID works. WebID is universal identity, in fact, the only universal identity system I know of.
>
> You may view that you can choose an auth method as a weakness, but it's allowed Facebook to adopt without forcing TLS on them, Google may join too, and those of us that like to run decentralized identities can use PKI.
>
> As Henry said, if you're looking to tightly couple identity and authentication, this probably isn't the list for you.
>
> > Anyway, as Henry said this community and activity has no browser-vendor-support.
> >
> > Does the W3C really have anything to offer in fields like identity, payments and such?
> > Currently it seems more like a bunch of disparate, semi-religious "cults" run by people with fairly limited bandwidth.
> > VISA and all the other biggies fled to FIDO. There's no chance getting them back using the current strategy.
> >
> > Anders
> >
> > On 2015-01-06 19:16, Melvin Carvalho wrote:
> > > On 5 January 2015 at 17:29, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> > >
> > > > Kingsley,
> > > >
> > > > This discussion isn't going anywhere since You, Henry and a bunch of other people hanging out in this list insist that TLS CCA works just fine while Google and hundreds of other big companies are betting on an entirely different authentication technology (which BTW seems awfully difficult to merge with WebID).
> > > >
> > > > Dirk Balfanz (inventor of named scheme) on TLS CCA:
> > > > http://www.browserauth.net/tls-client-authentication
> > >
> > > I must admit I'm a huge fan of WebID + TLS and use it constantly. However, I understand the TLS part is not for everything. I think the WebID part is strong enough to stand alone. Facebook already implement it with their own auth system, (Google have said in the past they wanted to serve FOAF, but haven't yet done it fully) and I know of a team hoping to add 140+ new auth systems to WebID using passport.js
> > >
> > > http://passportjs.org/
> > >
> > > So while I would encourage you to use WebID + TLS and make it better, if it's not for you, I don't think anyone will force it upon you.
> > >
> > > I'd encourage you to look at the web axioms, in particular, "tolerance", which tries to make the web a platform offering freedom of choice.
> > >
> > > http://www.w3.org/DesignIssues/Principles.html
> > >
> > > > Anders
> > > >
> > > > On 2015-01-05 16:42, Kingsley Idehen wrote:
> > > > > On 1/4/15 2:34 PM, Anders Rundgren wrote:
> > > > > > On 2015-01-04 19:49, Kingsley Idehen wrote:
> > > > > > > On 1/4/15 10:27 AM, Anders Rundgren wrote:
> > > > > > > > On 2015-01-04 16:21, Timothy Holborn wrote:
> > > > > > > > > Interesting. I found more info [1]
> > > > > > > > >
> > > > > > > > > Does it support WebID-TLS?
> > > > > > > >
> > > > > > > > It is primarily intended to lower the cost (maybe to zero) for getting a TLS server-certificate.
> > > > > > > >
> > > > > > > > For WebID-TLS there's no hope. The industry has taken another route.
> > > > > > > >
> > > > > > > > Anders
> > > > > > >
> > > > > > > Happy New Year!
> > > > > > >
> > > > > > > Again, WebID-TLS and TLS are loosely coupled items. The industry hasn't gone anywhere, it is mired in an identity and trust crisis.
> > > > > > >
> > > > > > > I strongly encourage you to put your personal biases aside. Doing that will enable you to understand where WebID-TLS and similar approaches re. Blogic (webby logic) fit into the mix re. addressing the identity and trust problem that's putting every Web and Internet user's privacy at risk etc.
> > > > > >
> > > > > > There are 25M Korean users of X.509 certificates on the web. How many users have WebID-TLS? 100? 1000? 10000?
> > > > >
> > > > > What is WebID-TLS to you?
> > > > > X.509 != TLS let alone WebID-TLS. X.509 is a standard for creating a digital representation of an Identity Card (Certificate).
> > > > >
> > > > > There isn't any such notion as "having WebID-TLS"; it is simply a protocol for verifying claims in a WebID-Profile document that you look up via a WebID placed in an X.509 Certificate.
> > > > >
> > > > > > What's worse is that the 25M users are being *pushed off the web* since plugins are about to be "outlawed".
> > > > >
> > > > > X.509 and Browser Plugins are two distinct things. I don't understand why you continue to conflate all the puzzle-pieces.
> > > > >
> > > > > > Sweden, another big user of X.509+Web has already left the web (browser) for Android and iPhone app-based solutions.
> > > > >
> > > > > This isn't about Web Browsers. It is about verifying identity claims over HTTP using trust Webs crafted using logic.
> > > > >
> > > > > > Do you have any solution to this?
> > > > >
> > > > > What is the problem?
> > > > >
> > > > > > Do I? YES! W3C must perform market research and not only rely on a handful of big-tech technologists who mainly run their own agenda.
> > > > >
> > > > > The W3C's job is to formalize aspects of Web usage that aren't formalized. For instance, RDF is a retrospective formalization of what's always been a nascent part of the Web, since inception.
> > > > >
> > > > > Kingsley
> > > > >
> > > > > > Anders
> > > > > >
> > > > > > > Let's try to be more constructive in 2015, complaining about everything without offering any practical alternatives gets us nowhere!
> > > > > > >
> > > > > > > Kingsley
> > > > > > >
> > > > > > > > > [1] https://letsencrypt.org/howitworks/
> > > > > > > > >
> > > > > > > > > On 4 January 2015 at 22:01, cdr <mail@whats-your.name> wrote:
> > > > > > > > > > > a financial issue, being the cost of a domain and wildcard SSL certificate.
> > > > > > > > > >
> > > > > > > > > > Let's Encrypt is attempting to address this
> > > > > > > > > >
> > > > > > > > > > seth@EFF giving a talk on how it works:
> > > > > > > > > > https://www.youtube.com/watch?v=OZyXx8Ie4pA&t=17m

Received on Wednesday, 7 January 2015 20:20:56 UTC