WebID discovery. Was: The Internet Identity (WG) Crisis from Anders Rundgren on 2011-07-02 (public-identity@w3.org from July 2011)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Sat, 02 Jul 2011 16:01:37 +0200
To: Henry Story <henry.story@bblfish.net>
CC: "public-identity@w3.org" <public-identity@w3.org>
Message-ID: <4E0F24C1.7020806@telia.com>

On 2011-07-02 09:53, Henry Story wrote:
> 
> On 2 Jul 2011, at 08:23, Anders Rundgren wrote:
> 
>> I believe there are some very different challenges involved in
>> the various identity endeavors.
>>
>> WebID's primary challenge is persuading large social network providers
>> to upgrade.  This would (IMO) be much more realistic if there was some kind
>> of mechanism that allowed them with the help of some javascript automatically
>> redirect the login if the user had a [suitable] WebID.
> 
> This is quite easy to do I believe, and I have been wanting to implement it 
> as a way to show how WebID deals with the NASCAR problem.
> 
> http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/
> 
> The answer is simple again: place the login endpoint behind an https service 
> that asks for the client certificates optionally.
> 
> If the user has a certificate 
> 	his browser will ask him to choose one 
>         (or select the last one he took for the site) 
>      resulting in his being logged in. 
> Else 
>         the browser returns a NASCAR selection box

I wouldn't put my money (if I had any...) on such a solution because it
is quite intrusive unless some very specific conditions are met.
In addition, TLS client-certificate-authentication is at least in MSIE
downright user-hostile and requires restart if you do something wrong.
There is not even an agreed upon logout scheme for browsers!

Extract from a web-app of mine:

     if (document.all == null) // FF, Opera, etc
       {
          if (window.crypto) window.crypto.logout();
       }
     else // MSIE 6+
       {
          document.execCommand('ClearAuthenticationCache');
       };

We are (de-facto) stuck with stuff that hasn't progressed much since Netscape
introduced SSL back in 1995.

In fact, quite a bunch of the bank/e-government plugins I tend to bring up in
these context rather PKI-authenticate an the *app-level*. This is essentially
analogous to form-based login versus HTTP-auth (which "nobody" uses).

I therefore included such a scheme in the suite of PKI-enabled applications
(WASP, WebAUTH and InfoCards) which I started with before I realized that
"Getting the Damned Key" was higher up on the food chain.

> So no need for Javascript, or anything new to get things working. 
> Of course there are huge improvements that browser vendors can then make, but one does not
> need to start ex-nihilo.

The NASCAR (a new term for me) selection box is the best short-term migration
solution.  I'm not sure that it is technically feasible doing discovery without
actually making things even worse.  It might be better that the platform remembers
your selection for future uses.

<snip>

Anders

Received on Saturday, 2 July 2011 14:02:32 UTC