Re: a common understanding of profiles

From: Henry Story <henry.story@co-operating.systems>
Date: Wed, 1 Jul 2015 10:37:43 +0200
Cc: Carvalho Melvin <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
Message-Id: <C551C4B1-C582-4D0E-A81F-37BBEED7426E@co-operating.systems>
To: Halpin Harry <hhalpin@w3.org>

> On 28 Jun 2015, at 22:13, Harry Halpin <hhalpin@w3.org> wrote:
> 
> 
> You just have to scroll down. However here they are:
> 
> https://lists.w3.org/Archives/Public/public-xg-webid/2011May/0126.html

It would be good to know which part of this is still relevant. This was written
before Snowden, and before or just at the point where TLS started being massively
deployed by the large players like Google and Facebook. Part of the argument is that
some players would need to buy a lot of new equipment, but that has not
stopped deployment with Facebook, Google, and more and more providers.

The issue of TLS renegotiation may be fixed by TLS1.3 but we'll have to see where
that goes.

There are also engineering arguments for which there can be good answers, such as
time outs, and numerous asynchronous programming methods to reduce cost. Clearly a
distributed protocol can come under such attacks, but that will be the case whatever
the protocol. Those arguments could be arguments against the web itself but that seems
to work fine. Furthermore I have heard there is more and more support even in the TLS communities now for interactions in authentication protocols. 

But there are ways we could improve still, it's just that there is not enough support
for us to bother yet. 

> 
> https://lists.w3.org/Archives/Public/public-webcrypto-comments/2015Jun/0001.html
> 
> https://lists.w3.org/Archives/Public/public-webcrypto-comments/2015Jun/0003.html

These are a problem for the WebCrypto JS APIs, which is what you have been pushing for the past 3 years as the possible future alternative to WebID-TLS. This is due to:
 * lack of integration into Chrome, which is why TLS with its minimal crypto language has a major advantage.
 * JS being a Turing complete language, which leaves open infinitely more security problems than a minimal language such as that present in TLS.

As a result you can't do simple things such as ask the user to click on a certificate box, which you can do in TLS.

> 
> It may take me a week or so to write this down, I can't do it overnight
> nor do I have lots of spare time. Again, all of these points were
> brought up privately (last time by Nadim from INRIA at the Social Web
> F2F) and ignored for a long time.

Yes, it would be good to write down what is still relevant.

Received on Wednesday, 1 July 2015 08:38:13 UTC