- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Tue, 10 Jun 2014 19:21:46 -0400
- To: public-webpayments@w3.org
On 06/10/2014 02:30 PM, Kingsley Idehen wrote: > On 6/10/14 12:21 PM, Manu Sporny wrote: >> On 06/10/2014 08:00 AM, Kingsley Idehen wrote: >>> Issues with your assertions: >>> >>> [1] They are too generic -- dependency of Client Certification >>> Authentication (CCA) isn't a bad thing bearing in mind only a >>> minority of Browser (circa. 2004) have this problem. >> >> The problem is subjective, true. That said, I continue to assert that >> it's a big problem and is the biggest reason WebID+TLS has gone nowhere. > > Okay, but I am also demonstrating to you that competitive pressures and > "opportunity costs" are the keys to getting browser vendors to respond. > Right now we have IE, Firefox, and Safari working fine, which leaves > Opera and Chrome. > > The top browsers across desktop, notebooks, tablets, palmtops, and > phones don't have a TLS CCA problem. "Working fine" is subjective. I disagree that there isn't a TLS CCA problem, but, like Manu, won't argue the point and will wait to see if WebID+TLS gains any traction. > >> I postulate that it's >> because it's obvious to most UX folks that client-side certificates are >> a dead end wrt. security scalability for the general public. > > The folks that take that position, as far as I am concerned, suffer from > the same misconception i.e., that developers know best, that all > problems are approached from the perspective of the programming code as > opposed to the underlying logic that enables us express data in reusable > form via entity relations. I don't think it has anything to do with programming code or expressing data via entity relations. It has to do with the experience of watching people use terrible UIs. They don't like them. They aren't likely to use them again. I think that how well a system works underneath a terrible UI is largely irrelevant to most people. > > >> I >> understand that you and a number of other WebID+TLS hold the opposite >> position and think things are getting better. Maybe they are. > > For me, WebID-TLS is an option for authenticating identity claims based on: > > 1. HTTP URIs for entity denotation (naming) and connotation (perception) > 2. RDF statements for structured data representation > 3. Entity Relation Semantics for understanding how entities are related. > >> >> I'm just not willing to wait on the browser vendors anymore, and even if >> the usability problem is improved, I still don't think it'll result in a >> solution that's as easy to use as the Identity Credentials stuff. > > You don't have to wait. All I am saying is that WebID-TLS and whatever > you choose can and will co-exist. Mutual inclusion works, its natural to > the Web i.e., baked into its design. That's certainly true (these techs can coexist). > >> >>> The Client Certificate Authentication (CCA) Problem Status: >>> >>> As of the time of writing this reply, the only browsers with this >>> problem i.e, an inability to disconnect and start new TLS sessions >>> are as follows: Chrome and Opera. >> >> That's not the problem. The problem is that a majority of >> non-technologists find the client-side certificate solution to be >> confusing. > > No they don't, that's a misconception. > > YouID was developed to refute that very line of thinking. > >> Additionally, how do you use client-side certificates from a >> device that you don't own? > > Excellent question, here's what happens if you are a YouID user: > > 1. You open a browser on your borrowed device > 2. Goto your folder (Google Drive, OneDrive, Dropbox, Box., > ODS-Briefcase, WebDAV etc.) and open up the pkc#12 file it created > 3. Authenticate when challenged by the host in regards to opening the > secure pkcs#12 file > 4. Install your credentials. > > 1-4 happen using the native UX of any modern OS since they all have > inbuilt handlers for pkcs#12. I think most people won't want to do what you just described. There's nothing for you to argue against here, it's just my totally subjective opinion, based entirely on my own intuition. I think going to a folder to find a file to install, when you want to login to a website, will be too foreign an experience for most people to embrace. I think there will be a simpler, better alternative and people will choose that (eg: "enter a password and click a button to register your new/borrowed device"). That alternative will arise because it won't depend on browser manufacturers to implement it from the start. > >> >>> I don't see how Opera and Chrome can continue to be deficient re. CCA >>> bearing in mind the current state of implementations from IE, >>> Safari, and Firefox. How much longer do you think they will remain deficient (per your own definition of that word)? What's your estimate? > > Opera and Chrome are laggards. The problem is identity and privacy, > Safari, Firefox, and IE are already better. Safari is the default > browser for Mac OS X and iOS. IE is the default browser for Windows and > Windows Mobile. What's left re., market share? I thought Android's market share was ~80% (for mobile). That may have changed, but I doubt by much. My understanding was also that Chrome had the largest browser market share. I haven't checked very thoroughly, but some quick googling seemed to suggest that both of these things are still true. >> >>> That's broken. What end-users need is the ability to control their >>> identity and privacy online via solutions that leverage Web & >>> Internet architecture such that the following are loosely coupled (no >>> 3rd party .com, .org, .cc etc.. in the way): >> >> Sure, agreed. Why do you think the Identity Credentials stuff places a >> 3rd party in the way? > > I don't see how my credentials end up in a place of my choosing e.g., I > might want to save those credentials to storage provided by Google > Drive, Dropbox, OneDrive etc.. You can do that. Can you point to the specific parts of the technology that you think prohibit you from doing so? I think there's some misunderstanding. > > >> You can run your own IdP if you'd like, the code >> is on Github right now and we do plan to release a completely open >> source, public domain implementation of it in time. You don't have to >> use any 3rd party if you don't want to. > > That something I (or anyone else) needs to code at a time when we should > be simply working with puzzle-pieces as you would any jigsaw puzzle. > Again, HTTP URIs, RDF statements, and Relation Semantics == all you need > in regards to constructing and using the puzzle-pieces and piecing that > AWWW facilitates. > >> under the control of a non-profit like the Electronic Frontier >> Foundation, Creative Commons, or GNU Foundation. > > That can never be an accepted assurance. Never. What are your specific objections with this approach? I guess what I don't understand is that you appear to be quite passionately ("Never.") rejecting having a well-known, well-respected non-profit host what amounts to a temporary open source shim. Unless I'm mistaken, you already use various other more fully-featured identity-related technologies (eg: Google+) that you view as less than ideal for one reason or another. I'm just saying "Never" should perhaps be "Not for too long" or "That isn't much better than what we have now"? > > >> That site will go away >> in time if this stuff is implemented in the browser. > > How will that be implemented in the browser? On who's timetable, under > what market (or "opportunity costs") driven duress? Companies ultimately > only respond to "opportunity costs". In what way would the answers you have for those same questions for WebID+TLS be different from the Identity Credentials tech? IMO, people would give preference to a browser that shortens and makes more secure the login process they use with every website they log into. So long as the UX is acceptable. If the Identity Credentials tech becomes the predominant way you log into sites on the Web and it has been standardized by W3C, I would expect browser manufacturers to adopt it and build new innovative features on top of it. IMO, the (near) ubiquity of any login tech strongly influences browser manufacturers to integrate some aspects of it into their browsers. The difference I see between the Identity Credentials tech and WebID+TLS is that the former has no clear catch-22. People can adopt it without browser support which can lead to adoption by browser manufacturers. If peoples' adoption of a tech depends on a browser UX that browser manufacturers won't implement because people aren't adopting the tech, then that tech is not likely to go far. Again, I know that you don't think WebID+TLS has this catch-22. We'll see. > >> If not, then an >> independent, trusted organization will be put in charge of it. > > "Independent trusted orgranization" is just a phrase comprised of three > words. Not unlike any other phrase that is also three words long. :) > What it actually denotes and connotes is quite nebulous. Trust > never works that way, it has to be the outcome of some kind of "proof of > work". That's why crypto is crucial to Trust. The "proof of work" is the past behavior of said organization. > >> >> As for the rest of your list, we're aligned. There is very little that >> we're not aligned on. :) Excellent! -- Dave Longley CTO Digital Bazaar, Inc.
Received on Tuesday, 10 June 2014 23:22:11 UTC