On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote: > On 8 June 2010 17:39, Story Henry <[email protected]> wrote:
> > Why should browser manufacturers bother to install this in the browser and > > maintain it, when they already have an excellent identification protocol > > built into https? > > > > The fact that this group wishes to ignore the existence of SSL does not > > make it not be there. > > > > Just check out the video of it on http://webid.myxwiki.org/ > > to see it working! > I would really like to see better support for client certificates in > browsers so that this became less clunky around the certificate management > aspects... Yes, Henry's demo looks messy to me, and helps illustrate the primary problem of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on the same computer, Henry tries Chromium, which has a clean interface suggesting (only!) client cert "Henry Story". You don't even have good UX on the same machine. Let's say Michal Zalewski scares you away from using Firefox for a few days -- you have to manually export "firefox hjs3" and then manually import it into Chromium? Even on the same computer? What happens when you buy a new PC or some relatively locked-down web tablet? I for one am not ignoring SSL/TLS, I just don't think it's ever been a viable solution for general use because it doesn't roam well -- and I first looked at client cert auth many years ago. I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide how an OpenID user authenticates, and Verisign PIP already supports using client certificates as an authentication factor. https://pip.verisignlabs.com/learnmore.do Finally, even if you don't care about the roaming issue or the requirement that the RP use https, I don't understand how FOAF+SSL at all addresses the UI problems that XAuth tackles (client service discovery & NASCAR interfaces). -Peter _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
