Re: WPWG On NOT abandoning the CG specs (was Re: Update on Web Payments Working Group)

On 2016-09-28 19:33, Melvin Carvalho wrote:
>
>
> On 28 September 2016 at 18:37, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     On 2016-09-28 15:05, Timothy Holborn wrote:
>
>         I often wonder where the strategic differentiation is in design
>         philosophy that results in heavy browser reliance vs. 'cloud'
>         alternatives that leave perhaps different MVP requirements for browsers.
>
>     https://image-store.slidesharecdn.com/784bf26c-4ea7-4383-b89f-b92777167bb7-large.jpeg
>
>         What ever happened to <keygen> why was it bad?
>
>
>     This is something I have a stake in since I proposed that it should be removed
>     from HTML5 back in 2009 for the simple reason that a 2-week student hack, missing
>     support for basic stuff like PIN-codes, isn't usable by banks and governments.
>
>     That proposal didn't make me overly popular :-(
>
>     When Google much later suggested the same but from another angle, everybody
>     cheered and said "let's squash this dated piece of crap".  Replacing <keygen>
>     with something more 201X-ish wasn't on the menu.
>
>     However, both Microsoft and Google have "enterprise solutions" for the US
>     government et al to keep the (from their perspective) only real market intact.
>     https://developer.chrome.com/extensions/enterprise_platformKeys
>
>         Or WebID-TLS UX support - too expensive?
>
>
>     The USG have no UX problems since their users only have 0-2 certificates.
>
>     The problem according to TAG is that client certificates potentially expose
>     static IDs to parties that shouldn't have it.  If you rather hand out static IDs
>     through an IdP (Identity Provider) like Google, everything is just fine :-)
>
>
> But in this scenario, it also provides Google with a back door into your system,
> as well as tracking each time you log in.  I'm not saying that's necessarily a
> bad trade off, in all cases, but removal of choice is clearly bad for end users.

Agreed.  However, client certificates on the Web may be fully "resurrected"
but very unlikely in the way the WebID-TLS community have specified it.

A

Received on Wednesday, 28 September 2016 19:04:42 UTC