Re: Proof of Concept: Identity Credentials Login from Manu Sporny on 2014-06-16 (public-webpayments@w3.org from June 2014)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 15 Jun 2014 21:36:46 -0400
To: public-webpayments@w3.org
Message-ID: <539E4A2E.1080505@digitalbazaar.com>

On 06/15/2014 08:21 PM, Kingsley Idehen wrote:
> On 6/10/14 7:21 PM, Dave Longley wrote:
>>> Okay, but I am also demonstrating to you that competitive
>>> pressures and
>>>> "opportunity costs" are the keys to getting browser vendors to
>>>> respond. Right now we have IE, Firefox, and Safari working
>>>> fine, which leaves Opera and Chrome.
>>>> 
>>>> The top browsers across desktop, notebooks, tablets, palmtops,
>>>> and phones don't have a TLS CCA problem.
>> "Working fine" is subjective. I disagree that there isn't a TLS
>> CCA problem, but, like Manu, won't argue the point and will wait to
>> see if WebID+TLS gains any traction.
>> 
>> 
> "Working fine" means that across IE, Safari, and Firefox, I can 
> demonstrate the fact that you don't have to restart any of the 
> aforementioned browsers in a quest to change the identity of the
> agent seeking at access a protected resource.

Yes, that's demonstrably true. That's also not what is broken with
WebID+TLS. :)

> Simple example, you have a protected resource denoted by the
> URI/URL: <http://example.org/doc/private.html> , using an ACL that
> grants read-write privileges to WebIDs: <#i> and 
> <http://kingsley.idehen.net/dataspace/person/kidehen#this> . My 
> demonstrable claim [1] is that you will not need to restart Firefox, 
> Safari, or IE in order to access said protected resources using
> either WebID. That's the crux of the matter re. browsers UI/UX and
> WebID-TLS.

I think there's disagreement over what the crux of the matter is. I've
never thought that not being able to logout was the crux of the matter.

The crux of the matter is that the selection of a client-side
certificate via the current browser selection dialogs is a broken user
experience. I'm arguing that browser-embedded client-side certs are
broken because they are too complicated to manage for the vast majority
of the 2.4 billion people that use the Web today.

Again, this is a subjective statement, but we're saying it because we're
not willing to bet our company on the current WebID+TLS login flow
(because we think it's too "techy" for the masses and because we don't
think browser companies are that interested in fixing the UX for the
purposes of WebID+TLS). :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Monday, 16 June 2014 01:37:16 UTC