Henry, hello. I don't have much more to add here, because I can't fundamentally add much more than assertion, but I have a couple of brief responses.
On 2013 Aug 9, at 14:41, Henry Story wrote:

>> I don't have an easy solution to this -- I can see all the problems with
>> creating applications which users have to run to generate WebIDs, and
>> regarding which they then have to be given follow-up instructions. But
>> doing this in the browser, though technically neat and correct, may have
>> killing UI/model problems, as described above (because of the invisibility
>> and passivity of the browser in most people's conception), and these
>> problems may make the browser-generation route less successful in the
>> end.
>
> I am not convinced. The problems with Certificates in the Browser are
> entirely to do with the problem of dealing with CAs.
> Clearly a bit of education is needed, and what better than a web site to do
> that.

I think you're very optimistic about what 'a bit of education' can do. I've long had X.509, ssh and PGP/GPG keys, I've used the Java X.509 API in the past, I understand large fractions of the technology and maths of public key crypto, I've written my own DER codecs and I can (albeit now only with a crib) read X.509 certificates by eye, using od(1). I am roughly as educated about certificates as it is possible to be, and I _still_ get confused about where my damn certificates are, and I still mess up an annual browser-based certificate renewal request.

I agree that some of this stuff is 'just' a matter of UI improvements (though the number and profundity of the UI problems at <http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues> -- and the incompleteness of the list -- is dispiriting). My suggestion here is that I believe the conceptual difficulties inherent in managing and conceptualising certificates _within a web browser_, though presumably not insurmountable, are significantly challenging, in the sense that they will require a lot more than just a bit of UI tweaking to address.
I know that I didn't have this problem back when I was coding/working with certificates daily, as many people in this thread will be still. But now I'm not, and I'm apparently _very_ promptly back with the naive users.

>>> http://www.w3.org/wiki/Foaf%2Bssl/Clients#Further_User_Interface_Issues
>>
>> Oooh, they're awful. I just checked, and I submitted an Apple bug report
>> about this -- detailing the awfulness and inadequacy of Safari's and
>> Keychain Access's UIs here -- back in October 2008, which finally received
>> "We are closing this bug since our engineers are aware of the issue and will
>> continue to track it" in November 2011, and nothing since. *sigh*
>
> The Chrome and Opera UIs are pretty good. Apple's too, it's just that it has
> a privacy issue.

I don't think I agree with this, either: the list of failings at that URI is pretty killing. I can't even log out with a non-working certificate! The OS X experience is better (from my point of view) only because the keychain (separate from the browser), and the standalone Keychain Access application, means that I have a better conceptual model of where my certificates are than I would if they were entirely within the browser.

All the best,

Norman

-- 
Norman Gray : http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
