
Re: keygen and client-certificates document available

From: <henry.story@bblfish.net>
Date: Sat, 5 Dec 2015 13:07:10 +0000
Cc: Graham Leggett <minfrin@sharp.fm>, Travis Leithead <travis.leithead@microsoft.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <47236AF2-908C-423C-B831-A7D9FD4C90EA@bblfish.net>
To: Martin Thomson <martin.thomson@gmail.com>

> On 5 Dec 2015, at 10:00, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 4 December 2015 at 22:20, Graham Leggett <minfrin@sharp.fm> wrote:
>>> [...]  Either way, I don't think that
>>> there is any question you could sensibly ask a user that would
>>> convince me that the answer you got constituted informed consent.
>> 
>> “This website wants to use your location, do you allow this?”
>> “This website wants to use your camera, do you allow this?”
>> “This website wants you to create a new identity, do you allow this?”
> 
> One of these things is not like the other ones...  What is a new
> identity?  You make it sound like I'm going into the witness
> protection programme.

I don't think Graham was claiming that his exact wording was the right
one. Finding the right wording, the right interface and symbolism and
metaphors for this is a task that would presumably involve designers,
writers, and many others.

If one is just creating a key to be used with HTTP Signatures [1] 
then one may ask the user if he wishes to add a Key to his KeyChain.
If one is adding some form of credential, one may ask the user if he
wishes to add the signed statement by S that P (e.g. by the DMV that
you have a driver's licence).

Then on reaching a resource that requires authentication the resource
can describe what types of credentials are needed for authentication.
The User Agent should then be able to present those credentials that
match and ask the user if he wishes to use it. The user may then also
want to set policies to automate this process.

Given how far User Interfaces have evolved in the past 30 years, from
the command line, to smart phones interacted with using gestures, it
seems that the argument that something cannot be done, is the one
where the burden of proof lies on those that claim something to be impossible.

Henry

[1] https://tools.ietf.org/html/draft-cavage-http-signatures-05
which I have now implemented on the client and server using 
WebCrypto
Received on Saturday, 5 December 2015 13:07:41 UTC
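
The flow described in the message above (a resource stating what it needs, the user agent answering with a matching key from the keychain), sketched with the HTTP Signatures draft cited in [1]. This is an added example, not Henry Story's implementation; it uses Node's built-in `crypto` module rather than WebCrypto, and the keyId, host, request and the `required` header policy are constructed assumptions.

```javascript
// Added example: draft-cavage-http-signatures-05 challenge and response (rsa-sha256).
const crypto = require("node:crypto");

// Constructed keychain: one RSA key the user agreed to add, under a hypothetical keyId.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const KEY_ID = "https://alice.example/keys#k1";
const keychain = { [KEY_ID]: privateKey };   // held by the user agent
const serverKeys = { [KEY_ID]: publicKey };  // what the server knows about the user
const sampleRequest = { method: "GET", path: "/profile",
  headers: { host: "example.org", date: "Sat, 05 Dec 2015 13:07:10 GMT" } };

// Signing string: one "name: value" line per listed header, joined by "\n".
function signingString(req, names) {
  return names.map((n) => {
    if (n === "(request-target)") return `${n}: ${req.method.toLowerCase()} ${req.path}`;
    if (!(n in req.headers)) throw new Error(`missing header: ${n}`);
    return `${n}: ${req.headers[n]}`;
  }).join("\n");
}

// Server: the 401 challenge states which headers the signature must cover.
function challenge() {
  return 'Signature realm="Example",headers="(request-target) host date"';
}

// Client: sign the headers the challenge asked for with the chosen keychain entry.
function authorize(req, keyId, challengeHeader) {
  const names = /headers="([^"]*)"/.exec(challengeHeader)[1].split(" ");
  const sig = crypto.sign("sha256", Buffer.from(signingString(req, names)), keychain[keyId]);
  return `Signature keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${names.join(" ")}",signature="${sig.toString("base64")}"`;
}

// Server: rebuild the signing string from the request actually received, then verify.
function verify(req, authorization, required = ["(request-target)", "host", "date"]) {
  const p = Object.fromEntries([...authorization.replace(/^Signature /, "")
    .matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  const names = (p.headers || "date").split(" "); // the draft's default is "date"
  const key = serverKeys[p.keyId];
  if (!key || p.algorithm !== "rsa-sha256") return false;
  if (!required.every((n) => names.includes(n))) return false; // reject under-signed requests
  try {
    return crypto.verify("sha256", Buffer.from(signingString(req, names)), key,
      Buffer.from(p.signature, "base64"));
  } catch { return false; } // a listed header is missing from the request
}
```

The `required` check matters because the client chooses the `headers` list: a signature over `date` alone verifies cryptographically but does not bind the method or path.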
