On 8 June 2010 18:47, Story Henry <[email protected]> wrote:
>
> On 8 Jun 2010, at 19:18, Peter Watkins wrote:
>
>> On Tue, Jun 08, 2010 at 05:55:30PM +0100, Ben Laurie wrote:
>>> On 8 June 2010 17:39, Story Henry <[email protected]> wrote:
>>
>>>> Why should browser manufacturers bother to install this in the browser and
>>>> maintain it, when they already have an excellent identification protocol
>>>> built into https?
>>>>
>>>> The fact that this group wishes to ignore the existence of SSL does not
>>>> make it not be there.
>>>>
>>>> Just check out the video of it on http://webid.myxwiki.org/
>>>> to see it working!
>>
>>> I would really like to see better support for client certificates in
>>> browsers so that this became less clunky around the certificate management
>>> aspects...
>>
>> Yes, Henry's demo looks messy to me, and helps illustrate the primary problem
>> of auth based on SSL/TLS clients: portability and "roaming". Note in Henry's
>> demo at 4:43 he logs in with Firefox and sees a (hideous!) dialogue box
>> suggesting client keypair "firefox hjs3". Later, at 6:12 in the video, on
>> the same computer, Henry tries Chromium, which has a clean interface
>> suggesting (only!) client cert "Henry Story". You don't even have good UX on
>> the same machine. Let's say Michal Zalewski scares you away from using
>> Firefox for a few days -- you have to manually export "firefox hjs3" and then
>> manually import it into Chromium? Even on the same computer?
>
> I need to improve the video then clearly, because you seem to have missed the
> point here.
>
> You DON'T need to export the certificate! You just create a new one: it's a
> one click procedure!

But that's a terrible user experience:

1. If I have multiple identities, I have to do this for each identity -
and, of course, I do have multiple identities as does pretty much
everyone.

2. The only time I need to authenticate to each cert-providing site is
when I move to a new PC or browser - i.e. very infrequently - so by
the time I need to do it I'll have no idea what the password is,
converting "one click" (and one username/password, I assume) into a
very tedious process indeed.

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
