- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 16 Jun 2014 09:47:02 -0400
- To: public-webpayments@w3.org
- Message-ID: <539EF556.3050707@openlinksw.com>
On 6/15/14 9:36 PM, Manu Sporny wrote:

> On 06/15/2014 08:21 PM, Kingsley Idehen wrote:
>> On 6/10/14 7:21 PM, Dave Longley wrote:
>>>> Okay, but I am also demonstrating to you that competitive pressures and "opportunity costs" are the keys to getting browser vendors to respond. Right now we have IE, Firefox, and Safari working fine, which leaves Opera and Chrome.
>>>>
>>>> The top browsers across desktop, notebooks, tablets, palmtops, and phones don't have a TLS CCA problem.
>>>
>>> "Working fine" is subjective. I disagree that there isn't a TLS CCA problem, but, like Manu, won't argue the point and will wait to see if WebID+TLS gains any traction.
>>
>> "Working fine" means that across IE, Safari, and Firefox, I can demonstrate the fact that you don't have to restart any of the aforementioned browsers in a quest to change the identity of the agent seeking to access a protected resource.
>
> Yes, that's demonstrably true. That's also not what is broken with WebID+TLS. :)
>
>> Simple example, you have a protected resource denoted by the URI/URL: <http://example.org/doc/private.html>, using an ACL that grants read-write privileges to WebIDs: <#i> and <http://kingsley.idehen.net/dataspace/person/kidehen#this>. My demonstrable claim [1] is that you will not need to restart Firefox, Safari, or IE in order to access said protected resources using either WebID. That's the crux of the matter re. browsers UI/UX and WebID-TLS.
>
> I think there's disagreement over what the crux of the matter is. I've never thought that not being able to logout was the crux of the matter.

Being able to toggle between identities without restarting a browser is the root problem that arises from browser implementations of TLS. This problem leads to other problems at the UI/UX levels.
> The crux of the matter is that the selection of a client-side certificate via the current browser selection dialogs is a broken user experience.

It comes across as broken for the following reasons:

1. users don't have an immediate intuition as to what they are actually doing -- and when they act on a hunch they end up having to restart their browser or encounter other unexpected behaviour
2. due to #1, the role of certificate generators and their expected functionality is lost -- a generator should provide a UI/UX that makes the act of certificate generation clear to the user (*this isn't a browser problem, it just shows up in the browser via TLS CCA*)

> I'm arguing that browser-embedded client-side certs are broken because they are too complicated to manage for the vast majority of the 2.4 billion people that use the Web today.

Certificate management and Browsers are supposed to be loosely coupled. Opera, Firefox, and Thunderbird have their own keystores, which simply create the illusion of these components being tightly coupled with key storage. In the case of Safari (Apple), Chrome (Google), and IE (Microsoft), the Browser and the Key Store are loosely coupled, i.e., the Browser interacts with the host OS in regards to keystore management and access services. Google simply needs to fix the bug it currently has in Chrome so that it works just like Safari (at the very least) and like IE (ideally, re. TLS sessions).

As I keep on saying, we have two browsers that have the problem:

1. Chrome -- it interacts with the keystore via OS-provided APIs but doesn't emulate Safari or IE re. TLS session handling (they can fix that, and they will fix it)
2. Firefox and Opera -- both of these use their own keystore rather than providing an option to work with the native OS keystore via existing APIs provided by the respective operating systems.
> Again, this is a subjective statement, but we're saying it because we're not willing to bet our company on the current WebID+TLS login flow (because we think it's too "techy" for the masses and because we don't think browser companies are that interested in fixing the UX for the purposes of WebID+TLS). :)

This isn't about "betting a company" on anything though; it's supposed to be about constructing a spec where all the key components are loosely coupled and based on open standards, without prejudice :-)

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 16 June 2014 13:47:25 UTC