I think a problem is that it is unclear where a certain issue belong. IMO all of the stuff I wrote about belong to the app-area but some people think it is about security only.
XML protocols in browsers is an app, at least as I see it. Anders ----- Original Message ----- From: "Marcos Caceres" <marc...@opera.com> To: "Anders Rundgren" <anders.rundg...@telia.com> Cc: "channy" <cha...@gmail.com>; "WebApps HG" <firstname.lastname@example.org>; "Jungshik Shin" <jungs...@google.com>; "Gen Kanai" <g...@mozilla.com>; "Ian Hickson" <i...@hixie.ch>; "Thomas Roessler" <t...@w3.org> Sent: Tuesday, March 24, 2009 22:24 Subject: Re: Web Sigining in Action On Tue, Mar 24, 2009 at 9:37 PM, Anders Rundgren <anders.rundg...@telia.com> wrote: > Hi Everybody, > There are simply TONS of issues related to usage of certificates in > conjunction with a browser. If you want, you can take a peek at the > current thread "client certficates unusable?" in mozilla-dev :-) > > I personally find it annoying that there are maybe some 100M USB > memory sticks in circulation that could have been a wonderful container > for keys but unfortunately it never happened. Well, a few US compaines > tried to create proprietary solutions with SanDisk but (of course) they > all failed. Who want to *pay* for a card driver? It is really > something that you would like the OS to have from the beginning! > > What does this have to do with Web Signing you may wonder? Well, IMO we need > to take this in a step-wise fashion and if we can't even get the > "keyring"´right, it seems > that the rest will be of secondary interest. That doesn't say I'm not > interested in > Web Signing, I have just put it on the "back-burner" in favor of key storage > and > execution. > > The absence of a useful <keygen> standard is a disaster. Will the browser- > vendors be able to address this issue? I don't expect that. > > Regarding Web Signing a large groups of banks have turned to MSFT to get > this solved. I think they are overly optimistic about MSFT's capability and > interest in this area but it is a good thing that they are trying at least :-) > > Based on 13 years of experience with eID, I believe most of the web > "standards" > in this are will not come from standardization forums because they have proved > to good for really general purpose stuff, but much less successful for > applications > like Web Sign and <keygen>. A scheme like my current KeyGen2 would not > take less than 3 years to standardize and the result would probably be not be > very useful anyway. Why? Because there are too many choices and people > cannot work under such premisses. Whatever <keygen> or WebSign we will > get, it will most certainly be an open source effort rather than a standard. > > What W3C could/should standardize is a way to get XML protocols running > in a browser and leave the content parts to other groups. IETF's KEYPROV > will fail as hard as XKMS did if we ignore the browser connection all the > time. I see. thanks for the history. However, what, if anything, should our working group do? I don't see anything that is in scope or anything directed at any one of our specifications. If we are screwing something up somewhere, then please be clear as to where and we will do our best to fix it. Kind regards, Marcos -- Marcos Caceres http://datadriven.com.au