XAuth critiques

Peter Watkins peterw at tux.org
Tue Jun 8 17:18:39 UTC 2010


On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
> On 8 June 2010 17:39, Story Henry <henry.story at bblfish.net> wrote:
>
> > Why should browser manufacturers bother to install this in the browser and
> > maintain it, when they already have an excellent identification protocol
> > built into https?
> >
> > The fact that this group wishes to ignore the existence of SSL does not
> > make it not be there.
> >
> > Just check out the video of it on http://webid.myxwiki.org/
> > to see it working!
>
> I would really like to see better support for client certificates in
> browsers so that this became less clunky around the certificate management
> aspects...

Yes, Henry's demo looks messy to me, and helps illustrate the primary problem 
of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's
demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box
suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on
the same computer, Henry tries Chromium, which has a clean interface suggesting
(only!) client cert "Henry Story". You don't even have good UX on the same 
machine. Let's say Michal Zalewski scares you away from using Firefox for a 
few days -- you have to manually export "firefox hjs3" and then manually 
import it into Chromium? Even on the same computer?

What happens when you buy a new PC or some relatively locked-down web tablet?

I for one am not ignoring SSL/TLS, I just don't think it's ever been a viable
solution for general use because it doesn't roam well -- and I first looked
at client cert auth many years ago.

I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide
how an OpenID user authenticates, and Verisign PIP already supports using 
client certificates as an authentication factor.
  https://pip.verisignlabs.com/learnmore.do

Finally, even if you don't care about the roaming issue or the requirement
that the RP use https, I don't understand how FOAF+SSL at all addresses the 
UI problems that XAuth tackles (client service discovery & NASCAR interfaces).

-Peter
