XAuth critiques

Ben Laurie benl at google.com
Tue Jun 8 17:22:48 UTC 2010


On 8 June 2010 18:18, Peter Watkins <peterw at tux.org> wrote:

> On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
> > On 8 June 2010 17:39, Story Henry <henry.story at bblfish.net> wrote:
>
> > > Why should browser manufacturers bother to install this in the browser
> > > and maintain it, when they already have an excellent identification
> > > protocol built into https?
> > >
> > > The fact that this group wishes to ignore the existence of SSL does not
> > > make it not be there.
> > >
> > > Just check out the video of it on http://webid.myxwiki.org/
> > > to see it working!
>
> > I would really like to see better support for client certificates in
> > browsers so that this became less clunky around the certificate
> > management aspects...
>
> Yes, Henry's demo looks messy to me, and helps illustrate the primary
> problem of auth based on SSL/TLS clients: portability and "roaming". Note
> in Henry's demo at 4:43 he logs in with Firefox and sees a (hideous!)
> dialogue box suggesting client keypair "firefox hjs3". Later, at 6:12 in
> the video, on the same computer, Henry tries Chromium, which has a clean
> interface suggesting (only!) client cert "Henry Story". You don't even have
> good UX on the same machine. Let's say Michal Zalewski scares you away from
> using Firefox for a few days -- you have to manually export "firefox hjs3"
> and then manually import it into Chromium? Even on the same computer?
>
> What happens when you buy a new PC or some relatively locked-down web
> tablet?
>

Well, at this point I should mention Nigori, which is supposed to deal with
this issue...

http://www.links.org/index.php?s=nigori


>
> I for one am not ignoring SSL/TLS, I just don't think it's ever been a
> viable solution for general use because it doesn't roam well -- and I first
> looked at client cert auth many years ago.
>
> I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide
> how an OpenID user authenticates, and Verisign PIP already supports using
> client certificates as an authentication factor.
>  https://pip.verisignlabs.com/learnmore.do
>
> Finally, even if you don't care about the roaming issue or the requirement
> that the RP use https, I don't understand how FOAF+SSL at all addresses the
> UI problems that XAuth tackles (client service discovery & NASCAR
> interfaces).
>
> -Peter
>