- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 10 Jun 2014 12:21:48 -0400
- To: public-webpayments@w3.org
On 06/10/2014 08:00 AM, Kingsley Idehen wrote:
> I've provided a comment on your blog post. At the same time, my
> history with Wordpress blogs is that comments are 100% guaranteed to
> make it to the public, for a variety of reasons.

Unfortunately, there's no comment from you in the moderation queue in the blog. :( Would you mind reposting it, as I'd like to make sure people can read your comments. In the meantime, I'll answer them here.

> The World Wide Web is inherently architected to accommodate multiple
> ways of providing services driven by Linked Open Data (i.e., open
> standards based structured data) and HTTP URIs. I don't believe in
> OpenID vs Persona vs WebID-TLS vs OAuth etc. These authentication
> protocols can co-exist.

They can co-exist, but the more technologies we have that do almost the same thing, the more complexity there is and the greater the burden on Web developers and people using the Web.

> Issues with your assertions:
>
> [1] They are too generic -- dependency of Client Certification
> Authentication (CCA) isn't a bad thing bearing in mind only a
> minority of Browsers (circa. 2004) have this problem.

The problem is subjective, true. That said, I continue to assert that it's a big problem and is the biggest reason WebID+TLS has gone nowhere. That said, I'm happy to defer whether or not that approach is a viable one to the WebID+TLS proponents. I'm just not interested in slamming my head against that particular usability wall (the management of client-side certificates) anymore. :)

> [2] Too subjective -- "difficult to use for most non-technologists"
> isn't a defensible position.

Neither is "it's easy to use for most non-technologists". If we had enough money, we'd do a thorough set of usability studies. That said, I think it's telling that this problem has existed for over a decade and no real research into the area has been performed.

I postulate that it's because it's obvious to most UX folks that client-side certificates are a dead end wrt. security scalability for the general public. I understand that you and a number of other WebID+TLS proponents hold the opposite position and think things are getting better. Maybe they are. I'm just not willing to wait on the browser vendors anymore, and even if the usability problem is improved, I still don't think it'll result in a solution that's as easy to use as the Identity Credentials stuff.

> The Client Certificate Authentication (CCA) Problem Status:
>
> As of the time of writing this reply, the only browsers with this
> problem, i.e., an inability to disconnect and start new TLS sessions,
> are as follows: Chrome and Opera.

That's not the problem. The problem is that a majority of non-technologists find the client-side certificate solution to be confusing. Additionally, how do you use client-side certificates from a device that you don't own? How do you make sure they expire at the correct time?

> I don't see how Opera and Chrome can continue to be deficient re. CCA
> bearing in mind the current state of implementations from IE,
> Safari, and Firefox.

... because the demand for better client-side cert UIs is almost non-existent.

> End-users do not need programmers thinking or speaking for them.

Except that we do that with every single line of code that we write. :) I understand what you're saying, "choice is good", but don't pretend as if we don't make a thousand decisions on behalf of end-users every day with the UX choices that developers and designers make in their products.

> That's broken. What end-users need is the ability to control their
> identity and privacy online via solutions that leverage Web &
> Internet architecture such that the following are loosely coupled (no
> 3rd party .com, .org, .cc etc.. in the way):

Sure, agreed. Why do you think the Identity Credentials stuff places a 3rd party in the way?

You can run your own IdP if you'd like; the code is on Github right now, and we do plan to release a completely open source, public domain implementation of it in time. You don't have to use any 3rd party if you don't want to. The one exception to this is login-hub.com, and that is going to be put under the control of a non-profit like the Electronic Frontier Foundation, Creative Commons, or GNU Foundation. That site will go away in time if this stuff is implemented in the browser. If not, then an independent, trusted organization will be put in charge of it.

As for the rest of your list, we're aligned. There is very little that we're not aligned on. :)

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Tuesday, 10 June 2014 16:20:28 UTC