On 8 June 2010 18:18, Peter Watkins <[email protected]> wrote:

> On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
> > On 8 June 2010 17:39, Story Henry <[email protected]> wrote:
> >
> > > Why should browser manufacturers bother to install this in the browser and
> > > maintain it, when they already have an excellent identification protocol
> > > built into https?
> > >
> > > The fact that this group wishes to ignore the existence of SSL does not
> > > make it not be there.
> > >
> > > Just check out the video of it on http://webid.myxwiki.org/
> > > to see it working!
> >
> > I would really like to see better support for client certificates in
> > browsers so that this became less clunky around the certificate management
> > aspects...
>
> Yes, Henry's demo looks messy to me, and helps illustrate the primary problem
> of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's
> demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box
> suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on
> the same computer, Henry tries Chromium, which has a clean interface suggesting
> (only!) client cert "Henry Story". You don't even have good UX on the same
> machine. Let's say Michal Zalewski scares you away from using Firefox for a
> few days -- you have to manually export "firefox hjs3" and then manually
> import it into Chromium? Even on the same computer?
>
> What happens when you buy a new PC or some relatively locked-down web tablet?

Well, at this point I should mention Nigori, which is supposed to deal with this issue...

http://www.links.org/index.php?s=nigori

> I for one am not ignoring SSL/TLS, I just don't think it's ever been a viable
> solution for general use because it doesn't roam well -- and I first looked
> at client cert auth many years ago.
>
> I don't think OpenID ignores SSL/TLS, either. It's up to the OP to decide
> how an OpenID user authenticates, and Verisign PIP already supports using
> client certificates as an authentication factor.
> https://pip.verisignlabs.com/learnmore.do
>
> Finally, even if you don't care about the roaming issue or the requirement
> that the RP use https, I don't understand how FOAF+SSL at all addresses the
> UI problems that XAuth tackles (client service discovery & NASCAR interfaces).
>
> -Peter
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
