RE: using windows to mint web id credentials, from Peter Williams on 2011-11-27 (public-xg-webid@w3.org from November 2011)

From: Peter Williams <home_pw@msn.com>
Date: Sun, 27 Nov 2011 09:09:08 -0800
To: <mo.mcroberts@bbc.co.uk>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>, <foaf-protocols@lists.foaf-project.org>
Message-ID: <SNT143-W65D15A62A499A0383693CF92CD0@phx.gbl>
Now, I find it fine. It "looks" MAC and my spouse would love it - being a total mac-girl. She totally gets the key-ring metaphor, and would want her wifi password, form passwords, office document passwords, and web-logon password to be using the very same UI and management metaphor (and not be what Mozilla or Chome, on the mac, would prefer her to do). Now. lets be brutally honest. It doesnt use the (universal) browser. Probably becuase you are likable you wont be given grief for NOT using the browser and the web. You did "err" and apply the (evil) "platform" rather than the (good) browser itself.  Obviously, such terms are pejorative (and make me sound prissy). Now, if you look in the spec, nowhere does it talk about self-signed certs (and nowhere does it talk about the topic of "provisioning" identity credentials, or any equivalent concept). I implemented the spec, as an software engineer would. Pretend im deep in a bunker in China, using my brain to fight the forces engaged in an aggresive cyberwar against my country, and I just have that paper (translated). I have no wikis, no contacts, no friends and no email and no google translator from English into Mandarin. What code would I write, so things interwork? This is what my boss has tasked me to do. Concerning the self-signed mantra that dominates your tool design, the most the spec does is waffle vaguely about whether one must or must not have a particular issuer name in the issuer DN field. It does not say that the same private key listed in the publickey field must sign the cert. It does not say that the validation agent must confirm such signature (using the public key within the cert). it does not even say that the signature need be verified! it does not say that signature-failing cert MUST be processed asIf signature-verified. It doesnt say what happens if the cert is encountered in a verified SSL handshake after its notAfter date, assuming its present and in the right format. Under default rules, it says such matters are "implementation specific." That means, I choose (and Im in a bunker). This matters to me, as some Windows libraries default to no cert checks, whereas others (older in general) default to PKI per PKIX specs. This change reflects the times, in which certs are increasingly a convenient blob  format (only), but their status of them or their keys they bear is defined (much as in webid world) by external metadata. Such is common in the SAML and ws-fedp world, too, where signed metadata introduces cert blobs to relying parties. its GREAT that the semantic web is on the ball too, and I commend Henry for leading this community in this direction. There is every indication that this W3C design can outclass the OASIS SAML stuff, being far more forward thinking. Having said all that, spec needs to stop being an evangelism vehicle, and a political instrument attempting to lead a social revolution. Leave that for w3c position papers, where such matters belongs, written in fine, moderate, temperate, unreligious, fair-minded prose such as that Harry Halpin used in summarizing the W3C identity conference. It just needs to address engineers, measured by engineering metrics. Isnt it great that an analysis of the two the worlds commonest platforms both require no vendor change ... to work with webid! Thats great (web) engineering, since its focussed on reality.  > From: mo.mcroberts@bbc.co.uk
> Date: Sat, 26 Nov 2011 22:37:20 +0000
> CC: public-xg-webid@w3.org; foaf-protocols@lists.foaf-project.org
> To: home_pw@msn.com
> Subject: Re: using windows to mint web id credentials,
> 
> For what it’s worth, a Mac OS X “self-service” version (more pictures, less narrative, as I’m very lazy):
> 
> http://naughtystep.nexgenta.com/2011/webid-on-macosx/
> 
> Not nearly as enterprisey, but possibly rather useful for folk.
> 
> If anybody wants to grab the images and put them onto a (wiki?) page somewhere, feel free. Consider them public domain.
> 
> M.
> 
> -- 
> Mo McRoberts - Technical Lead - The Space,
> 0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
> Project Office: Room 7083, BBC Television Centre, London W12 7RJ
> 
> 
> 
>
Received on Sunday, 27 November 2011 17:09:38 UTC