msporny at digitalbazaar.com
Sun Aug 8 06:24:24 CEST 2010
On 08/07/2010 06:26 PM, Henry Story wrote:
> There are a couple of your claims above that I think need a little
> tuning or explaining in more detail.
> First the claim that WebIDs cannot be created in Internet Explorer is
> not quite true. IE has an Active X component that comes with the
> operating system and that is available. Creating a WebID using IE from
> http://webid.myxwiki.org/ should work, though as I don't have Windows
> I don't test it that much to tell the truth. Bruno Harbulot wrote a
> calls to that Active X component. The advantage of doing it that way
> to be enabled on IE, but so does your solution :-)
> Now the IE Active X solution may have some usability issues, but I
> think it needs clearly pointing out what those issues are, so that
> they can be understood clearly,

I've tried to fix the language in the blog post to state that IE needs
an ActiveX component to generate a proper certificate in IE.

> Secondly you say "you get the peace of mind that if you lose one of
> your WebIDs, you can always just deactivate it via your WebID provider
> and generate a new WebID". There is in fact a better way still: you
> can keep your WebID, and just remove the public key from your public
> profile. In fact you should be able to have any number of public keys
> associated with one WebID.

Hmm, that's what I meant to convey in the blog post, but failed to do
so. I've fixed up some of the language to make the point you make above,
and the one I was trying to make initially, more clear.

> Now when I log in to digital bazaar it asks me for the WebID I already
> have (I have a few in fact).

We think that this is an Apache misconfiguration... we set client-side
certificate support to optional, so we'll look into this a bit more
early next week.

> My browser -- Chromium -- asks me for my
> client certificate, but then you don't use it! If this system should
> allow me to use either my flash certificate or my browser certificate
> this would be great -- if I have already submitted my browser
> certificate then it should use that. So hopefully we can get it to
> that point. Especially as me and many people have disabled flash - I
> just reinstalled it for your site.

Yes, I think that's quite do-able - shouldn't be difficult to
accomplish. I'll talk with our engineering team and see what they have

> What I think you have done is to have tied one more keychain into the
> WebID system: the flash keychain. Flash is really a browser in a
> browser. Now it would be even better if flash could use the browser
> keychain, because then the same keychains could be used for logging in
> from the browser and flash.

Unfortunately, we don't currently know of any way of retrieving the
across all browsers.

Our current thinking is to entirely abandon the native browser
client-side certificate generation and selection mechanism because it is
complicated and broken. The browser-based interfaces leave much to be
desired when viewed from a regular website usability perspective. Having
the usability story better when generating and selecting a WebID

Waiting on the browser manufacturers to improve their client-side
certificate management UIs will take years. That doesn't mean that
people wouldn't be able to use the browser-based certificate management
mechanism for WebID, just that we think that approach is a dead end.

Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: WebID - Universal Login for the Web
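
The point quoted above about keeping one WebID and removing a single public key from the profile, as an added example that is not code from this thread or from Digital Bazaar: a verifier accepts a certificate only while its key is still listed for the claimed WebID, so delisting one key revokes that certificate and leaves the others working. Assumptions: `ProfileStore`, `verify_webid`, the sample URI and the sample keys are hypothetical, the store stands in for the profile document fetched from the WebID URI, and the TLS handshake is taken to have already proven possession of the private key.

```python
# Added illustration: one WebID, several listed keys, revocation by delisting.
# Assumption: ProfileStore stands in for the profile fetched from the WebID URI.

def normalize_modulus(hex_text):
    """Canonical hex form: drop separators, lowercase, strip leading zeros."""
    cleaned = "".join(ch for ch in hex_text if ch not in " \t\r\n:").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("modulus is not hexadecimal")
    return cleaned.lstrip("0") or "0"

class ProfileStore:
    def __init__(self):
        self._keys = {}  # WebID URI -> set of (modulus, exponent)

    def add_key(self, webid, modulus_hex, exponent):
        key = (normalize_modulus(modulus_hex), int(exponent))
        self._keys.setdefault(webid, set()).add(key)

    def remove_key(self, webid, modulus_hex, exponent):
        key = (normalize_modulus(modulus_hex), int(exponent))
        self._keys.get(webid, set()).discard(key)

    def keys_for(self, webid):
        return frozenset(self._keys.get(webid, ()))

def verify_webid(store, claimed_webid, cert_modulus_hex, cert_exponent):
    """True only if the certificate's key is currently listed for the WebID."""
    try:
        presented = (normalize_modulus(cert_modulus_hex), int(cert_exponent))
    except ValueError:
        return False  # malformed key material never authenticates
    return presented in store.keys_for(claimed_webid)

def demo():
    store = ProfileStore()
    webid = "https://example.org/people/alice#me"  # constructed sample URI
    browser_key = ("00:C3:5A:91:7F", 65537)  # constructed, far too short for real use
    flash_key = ("9e 44 0b d2 13", 65537)    # constructed, second keychain
    store.add_key(webid, *browser_key)
    store.add_key(webid, *flash_key)
    before = (verify_webid(store, webid, "c35a917f", 65537),
              verify_webid(store, webid, "9E440BD213", 65537))
    store.remove_key(webid, *browser_key)  # the lost key is delisted, WebID kept
    after = (verify_webid(store, webid, "c35a917f", 65537),
             verify_webid(store, webid, "9E440BD213", 65537))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The modulus is normalized before comparison because the same key can be written with different separators, case and leading zeros in a certificate and in a profile.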