foaf+ssl was: XAuth critiques

Ben Laurie benl at google.com
Wed Jun 9 09:20:51 UTC 2010


On 8 June 2010 18:47, Story Henry <henry.story at bblfish.net> wrote:
>
> On 8 Jun 2010, at 19:18, Peter Watkins wrote:
>
>> On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
>>> On 8 June 2010 17:39, Story Henry <henry.story at bblfish.net> wrote:
>>
>>>> Why should browser manufacturers bother to install this in the browser and
>>>> maintain it, when they already have an excellent identification protocol
>>>> built into https?
>>>>
>>>> The fact that this group wishes to ignore the existence of SSL does not
>>>> make it not be there.
>>>>
>>>> Just check out the video of it on http://webid.myxwiki.org/
>>>> to see it working!
>>
>>> I would really like to see better support for client certificates in
>>> browsers so that this became less clunky around the certificate management
>>> aspects...
>>
>> Yes, Henry's demo looks messy to me, and helps illustrate the primary problem
>> of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's
>> demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box
>> suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on
>> the same computer, Henry tries Chromium, which has a clean interface suggesting
>> (only!) client cert "Henry Story". You don't even have good UX on the same
>> machine. Let's say Michal Zalewski scares you away from using Firefox for a
>> few days -- you have to manually export "firefox hjs3" and then manually
>> import it into Chromium? Even on the same computer?
>
> I need to improve the video then clearly, because you seem to have missed the point here.
>
> You DON'T need to export the certificate! You just create a new one: it's a one click procedure!

But that's a terrible user experience:

1. If I have multiple identities, I have to do this for each identity -
and, of course, I do have multiple identities as does pretty much
everyone.

2. The only time I need to authenticate to each cert-providing site is
when I move to a new PC or browser - i.e. very infrequently - so by
the time I need to do it I'll have no idea what the password is,
converting "one click" (and one username/password, I assume) into a
very tedious process indeed.


More information about the specs mailing list