- From: Alex Korth <alex@ttbc.de>
- Date: Tue, 14 Jul 2009 10:27:03 +0200
- To: public-xg-socialweb@w3.org
Hi all,

> If most people don't know what a browser is (eg. see
> http://www.youtube.com/watch?v=o4MwTvtyrUQ ), can we expect them to "do
> the right thing" when asked to choose a certificate? Can we train them
> to behave well on shared or public machines? Can they understand the
> various risks and the extent of their privacy exposure?

No. Most people will only apologize the useful aspect of the IDP approach. Security does not come first for them. E.g., it took ages to train people not to give away passwords. The password anti-pattern showed us how much they cared in favor of usefulness of the address book import from Gmail.

People don't want to churn. That's too much effort. The technical solution to this must be something that everyone is comfy with, i.e. the majority of ppl need the IDP approach to be implemented by their favorite service provider. And that's gonna happen anyway.

The power user may want to be his own IDP and host his stuff in his own EC2 node, or browser plug-in, but the normal user actually does not really understand and care about all this. For the latter, it is natural to stay at a big player that right now does already host lots of his stuff, e.g. "I got my account (Web ID) at Google, my contacts at Gmail and my photos at Flickr."

The whole thing can only emerge. There will not be the one technical implementation, but a variety of approaches that everyone chooses from. The critical aspect is the emergence of interoperability and openness, i.e. agreed exchange formats, protocols, license agreements and certificates for privacy issues.

But don't ask my auntie to sign a certificate in her browser ;)

Cheers,
Alex

Dan Brickley wrote:
> On 13/7/09 21:16, Toby A Inkster wrote:
>> On 13 Jul 2009, at 18:31, Kaliya wrote:
>>
>>> The thing I am confused about when you propose this is that your
>>> browser becomes a "beacon" giving away your identifier to whoever
>>> asks. Maybe I am not understanding how this [FOAF+SSL] works but when
>>> Kingsley explained it to me at the Sem Web conference this is what I
>>> "got"
>>
>>
>> Your browser should pop up a dialogue box asking which certificate you
>> wish to use when you visit a website. If you hit "cancel" then the web
>> site may decide to give you anonymous access, or may decline to give you
>> access - it's their choice.
>
> If most people don't know what a browser is (eg. see
> http://www.youtube.com/watch?v=o4MwTvtyrUQ ), can we expect them to "do
> the right thing" when asked to choose a certificate? Can we train them
> to behave well on shared or public machines? Can they understand the
> various risks and the extent of their privacy exposure?
>
> Nearby in the Web: http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf
>
> Also http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/
> from a Firefox guy has some thoughts (scroll down a bit) on user
> certificates:
>
> """In North America (outside of the military, at least) client
> certificates are not a regular matter of course for most users, but in
> other parts of the world, they are becoming downright commonplace. As I
> understand it, Belgium and Denmark already issue certs to their
> citizenry for government interaction, and I think Britain is considering
> its options as well. We’ve fixed some bugs in that UI in Firefox 3, but
> I think it’s still a second-class UI in terms of the attention it has
> gotten, and making it awesome would probably help a lot of users in the
> countries that use them. If you have experience and feedback here, I
> would welcome it."""
> (subsequent comments in the blog add South Korea, Slovenia,...).
>
> Also http://blog.johnath.com/2009/07/07/privacy-features-in-firefox-3-5/
> -> http://blog.mozilla.com/faaborg/2009/06/30/firefox-35-and-privacy/
> and http://support.mozilla.com/en-US/kb/Managing+Profiles
> which have some more information about multiple-profiles in Firefox (ie.
> addressing the shared machine concern I raised above).
>
> No easy answers here. Certs are on the rise, they're hard to use, but
> things are improving...
>
> cheers,
>
> Dan
>
>

--
Alexander Korth
alex@ttbc.de
www.twitter.com/alexkorth

Received on Tuesday, 14 July 2009 08:27:42 UTC