<br><br><div class="gmail_quote">On 8 June 2010 18:18, Peter Watkins <span dir="ltr"><<a href="mailto:peterw@tux.org">peterw@tux.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:<br>
> On 8 June 2010 17:39, Story Henry <<a href="mailto:henry.story@bblfish.net">henry.story@bblfish.net</a>> wrote:<br>
<br>
</div><div class="im">> > Why should browser manufacturers bother to install this in the browser and<br>
> > maintain it, when they already have an excellent identification protocol<br>
> > built into https?<br>
> ><br>
> > The fact that this group wishes to ignore the existence of SSL does not<br>
> > make it not be there.<br>
> ><br>
> > Just check out the video of it on <a href="http://webid.myxwiki.org/" target="_blank">http://webid.myxwiki.org/</a><br>
> > to see it working!<br>
<br>
> I would really like to see better support for client certificates in<br>
> browsers so that this became less clunky around the certificate management<br>
> aspects...<br>
<br>
</div>Yes, Henry's demo looks messy to me, and helps illustrate the primary problem<br>
of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's<br>
demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box<br>
suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on<br>
the same computer, Henry tries Chromium, which has a clean interface suggesting<br>
(only!) client cert "Henry Story". You don't even have good UX on the same<br>
machine. Let's say Michal Zalewski scares you away from using Firefox for a<br>
few days -- you have to manually export "firefox hjs3" and then manually<br>
import it into Chromium? Even on the same computer?<br>
<br>
What happens when you buy a new PC or some relatively locked-down web tablet?<br></blockquote><div><br></div><div>Well, at this point I should mention Nigori, which is supposed to deal with this issue...</div><div><br></div>
<div><a href="http://www.links.org/index.php?s=nigori">http://www.links.org/index.php?s=nigori</a></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I for one am not ignoring SSL/TLS, I just don't think it's ever been a viable<br>
solution for general use because it doesn't roam well -- and I first looked<br>
at client cert auth many years ago.<br>
<br>
I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide<br>
how an OpenID user authenticates, and Verisign PIP already supports using<br>
client certificates as an authentication factor.<br>
<a href="https://pip.verisignlabs.com/learnmore.do" target="_blank">https://pip.verisignlabs.com/learnmore.do</a><br>
<br>
Finally, even if you don't care about the roaming issue or the requirement<br>
that the RP use https, I don't understand how FOAF+SSL at all addresses the<br>
UI problems that XAuth tackles (client service discovery & NASCAR interfaces).<br>
<font color="#888888"><br>
-Peter<br>
<br>
</font></blockquote></div><br>