- From: Peter Williams <home_pw@msn.com>
- Date: Sat, 7 Jan 2012 12:37:29 -0800
- To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-W43F3E76D4F5B7E68923A67929A0@phx.gbl>
One of the differences between MSFT/Novell and SUN/Mozilla was that while all groups delivered SSL to US DOD (office brigade), only the first two did it for long enough. Most of the SUN certs stuff was either pro forma (formal wars, which they lost, with MSFT for mindshare) or on contracts, for specialized (and indeed higher assurance) areas of DOD (et al). But only the first two stayed focused on commodity needs (so what works for DoD offices tends to work for every other class of office, too; and then consumers). Yes, obviously, all the militarisms have to get dropped off at the gate, but the commodity support is what matters. In Microsoft's case, it was just not profitable (being about evil $$) to maintain some code for a big (but not particularly well paying) customer, and another code base for the rest of us. For that world, the onus was on the smartcard (as the repository of the private key, and point of control over https client tunnel endpoint formation).

But, it is useful to see what we can learn. When one does a "logout", does this mean (as one who worked with a great Ukrainian/Russian engineer on smartcard middleware for browsers) that one also closes down the channel between browser and smartcard? Does one invoke the smartcard applets' own logout (for the US style of card, using CAC applets in javacard, or otherwise)? Does one make the card reader terminal say something? What happens when the card is wireless (as in Apple Near Field cards)? Obviously, one site doing a logout should really not interfere with the SSL channels sourced to the smartcard multiplexing channel endpoints with 100 other sites (as supporting page postback or ajax client-side controls in other tabs/browser instances). What happens when the user is connecting to a browser OVER an RDP session, given the nature of RDP is that the card reader on the RDP client is that which the remote browser instance thinks it's talking to? (RDP is able to remotely project local devices, for CCID (smartcard/crypto) enumeration on the remote browser instance.) Does this log the user out of Windows too, since it's hosting the RDP client (and using its own IE to talk to other sites with https)?

I know folks are only just now getting to grips with real https (and client certs). I don't expect folks to have the kind of knowhow and experience I have (having done nothing else... for years). But there are some practices it's worth copying. The first thing to do is not assume the worst, and that it's all an evil plot (that suppresses open source, PGP, local trust models, or innovation itself). So far on commodity crypto, it's Microsoft 10, Evil 0.

> Date: Sat, 7 Jan 2012 14:45:51 -0500
> From: kidehen@openlinksw.com
> To: public-xg-webid@w3.org
> Subject: Re: wot won Thing, asked W3C Identity Conference
>
> On 1/7/12 11:57 AM, Henry Story wrote:
>> On 7 Jan 2012, at 17:38, Peter Williams wrote:
>>> The identity conference hosted by W3C asked folks to state one thing that could be done by all browser manufacturers, that makes a difference. The difference doesn't have to save this world. It just has to remove a disabling barrier. For me, it's for ALL mainstream browsers to have something similar to that provided in IE8+: the "New Session" menu item. This is that which, in the SSL world, allows me to stay on the same site (e.g. WebID Realm) and change client certificate, without exiting the browser. (It may have other properties related to pseudo-privacy, too.) With all mainstream browsers other than IE8+, I have to exit the browser to use a different persona (and even all instances of the process, in some of the worst cases). With New Session I don't. I get a new browser window (with new tab set), enabled with new SSL client authn. Very nice.
>>
>> It seems that Microsoft has the best implementation of https at present. With IE you can:
>> - logout (using javascript) your sessions
>> - a nice cert selection box
>> - supports Want request
>>
>> All the other browsers have one of those missing:
>> - Firefox has a butt ugly selection box
>> - Chrome, Opera, and Safari have no way to log out
>> - Safari does not even let you log out multiple times (this is a serious security hole)
>> - Opera and Safari require the server to ask for the certificate in NEED mode if they are going to send it
>>
>> One annoyance for IE is lack of the html5 keygen element, which means implementations are more difficult, but this can be dealt with.
>>
>> Now everybody knows I am far from an unconditional M$ supporter (having worked for Sun Microsystems), but I think here this has to be said quite clearly. The failure of the other browsers is entirely their own fault at this level.
>
> Yep! +1000
>
>> As a result people here should do the ultimate to do a good job supporting IE. They still have 50% of the market, and it would be silly to lose our message 50% for internet users.
>
> +1000
>
> This is how you will ultimately get all the other browsers in line. Decision makers hate "opportunity costs" that erode business models. This is the only thing any technical person needs to understand. Basically, make "opportunity costs" palpable to decision makers by leveraging the amplifier offered by the WWW + Internet (InterWeb). You will be amazed how quickly the other browsers will get in line :-)
>
>>> This is worth having universally. WebID depends on it, I'd counsel. The second thing is ... almost equally useful. But, I'm not allowed two wishes.
>>
>> Social Web Architect
>> http://bblfish.net/
>
> --
> Regards,
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
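An added illustration of the logout gap Henry lists above; this is not code from the thread or from any browser vendor. It assumes that the "logout (using javascript)" IE facility is the IE-specific `document.execCommand("ClearAuthenticationCache")`, which discards the cached client-certificate TLS session so the next request re-prompts for a certificate; the helpers take the document object as a parameter so they can be exercised outside a browser, and `serverLogout` is a hypothetical callback that ends the server-side session.

```javascript
// Added example: a WebID-style logout that ends the server session and
// then tries to drop the browser's cached client-cert TLS session.
// Assumption: document.execCommand("ClearAuthenticationCache") is the
// IE-only call meant in the thread; Firefox, Chrome, Opera and Safari of
// that era expose no scriptable equivalent, so on those browsers the user
// must close every window to switch persona (the "New Session" gap).

function clearClientCertSession(doc) {
  // Feature-detect the command rather than sniff the user-agent string.
  if (!doc || typeof doc.execCommand !== "function") {
    return { cleared: false, reason: "no execCommand" };
  }
  try {
    var ok = doc.execCommand("ClearAuthenticationCache", false);
    return ok
      ? { cleared: true, reason: "ClearAuthenticationCache" }
      : { cleared: false, reason: "command refused" };
  } catch (e) {
    // Non-IE browsers typically throw on an unknown command id.
    return { cleared: false, reason: "unsupported: " + e.message };
  }
}

// Always void the server-side session first: the browser step is best
// effort and, outside IE, the TLS session (and thus the client cert
// identity) survives until the process exits.
function webidLogout(doc, serverLogout) {
  var ended = serverLogout() === true;   // hypothetical POST /logout
  var r = clearClientCertSession(doc);
  return {
    serverSessionEnded: ended,
    browserCleared: r.cleared,
    advice: r.cleared
      ? "Next request will prompt for a certificate again."
      : "Browser keeps the client-cert TLS session (" + r.reason +
        "); close all browser windows to switch persona."
  };
}
```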
Received on Saturday, 7 January 2012 20:38:00 UTC