Re: Proof of Concept: Identity Credentials Login

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 10 Jun 2014 12:21:48 -0400
Message-ID: <5397309C.502@digitalbazaar.com>
To: public-webpayments@w3.org
On 06/10/2014 08:00 AM, Kingsley Idehen wrote:
> I've provided a comment on your blog post. At the same time, my
> history with Wordpress blogs is that comments are 100% guaranteed to
> make it to the public, for a variety of reasons.

Unfortunately, there's no comment from you in the moderation queue in
the blog. :( Would you mind reposting it, as I'd like to make sure
people can read your comments. In the meantime, I'll answer them here.

> The World Wide Web is inherently architected to accommodate multiple
> ways of providing services driven by Linked Open Data (i.e., open
> standards based structured data) and HTTP URIs. I don't believe in
> OpenID vs Persona vs WebID-TLS vs OAuth etc. These authentication
> protocols can co-exist.

They can co-exist, but the more technologies we have that do almost
the same thing, the more complexity there is and the greater the burden on
Web developers and people using the Web.

> Issues with your assertions:
>
> [1] They are too generic -- dependency on Client Certificate
> Authentication (CCA) isn't a bad thing bearing in mind only a
> minority of browsers (circa 2004) have this problem.

The problem is subjective, true. That said, I continue to assert that
it's a big problem and is the biggest reason WebID+TLS has gone nowhere.
That said, I'm happy to defer whether or not that approach is a viable
one to the WebID+TLS proponents. I'm just not interested in slamming
my head against that particular usability wall (the management of
client-side certificates) anymore. :)

> [2] Too subjective -- "difficult to use for most non-technologists"
> isn't a defensible position.

Neither is "it's easy to use for most non-technologists". If we had
enough money, we'd do a thorough set of usability studies. That said, I
think it's telling that this problem has existed for over a decade and
no real research into the area has been performed. I postulate that it's
because it's obvious to most UX folks that client-side certificates are
a dead end wrt. security scalability for the general public. I
understand that you and a number of other WebID+TLS proponents hold the
opposite position and think things are getting better. Maybe they are.

I'm just not willing to wait on the browser vendors anymore, and even if
the usability problem is improved, I still don't think it'll result in a
solution that's as easy to use as the Identity Credentials stuff.

> The Client Certificate Authentication (CCA) Problem Status:
>
> As of the time of writing this reply, the only browsers with this
> problem, i.e., an inability to disconnect and start new TLS sessions,
> are as follows: Chrome and Opera.

That's not the problem. The problem is that a majority of
non-technologists find the client-side certificate solution to be
confusing. Additionally, how do you use client-side certificates from a
device that you don't own? How do you make sure they expire at the
correct time?

> I don't see how Opera and Chrome can continue to be deficient re. CCA
> bearing in mind the current state of implementations from IE,
> Safari, and Firefox.

... because the demand for better client-side cert UIs is almost
non-existent.

> End-users do not need programmers thinking or speaking for them.

Except that we do that with every single line of code that we write. :)

I understand what you're saying, "choice is good", but don't pretend as
if we don't make a thousand decisions on behalf of end-users every day
with the UX choices that developers and designers make in their products.

> That's broken. What end-users need is the ability to control their
> identity and privacy online via solutions that leverage Web &
> Internet architecture such that the following are loosely coupled (no
> 3rd party .com, .org, .cc etc.. in the way):

Sure, agreed. Why do you think the Identity Credentials stuff places a
3rd party in the way? You can run your own IdP if you'd like; the code
is on Github right now and we do plan to release a completely open
source, public domain implementation of it in time. You don't have to
use any 3rd party if you don't want to.

The one exception to this is login-hub.com, and that is going to be put
under the control of a non-profit like the Electronic Frontier
Foundation, Creative Commons, or GNU Foundation. That site will go away
in time if this stuff is implemented in the browser. If not, then an
independent, trusted organization will be put in charge of it.

As for the rest of your list, we're aligned. There is very little that
we're not aligned on. :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Tuesday, 10 June 2014 16:20:28 UTC