[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Manu Sporny msporny at digitalbazaar.com
Mon Aug 9 05:08:41 CEST 2010

On 08/08/2010 09:57 AM, Kingsley Idehen wrote:
> The user interaction is simple:
> 1. Go to: https://id.myopenlink.net
> 2. Register with your existing WebID or get a new account
> 3. Edit your Profile using the Profile Manager (at least add your email
> address to your profile)
> 4. Use the "X.509" tab under "Security" to generate your X.509 Cert that
> includes your WebID (remember once you have an account you have a WebID,
> Profile Page URL, and an OpenID URL (all hooked together in conventional
> Linked Data style))
> 5. Save the generated Cert. to your Profile (don't forget to hatch the
> "enable WebID login" option)
> 6. Save and Exit Profile Manager
> 7. Visit a WebID or OpenID based space on the Web from Windows, Mac OS
> X, Linux, or any other Unix Platform.

Kingsley, I'll respond to your other points in another e-mail. I wanted
to draw attention to the procedure you describe above. This is a perfect
example of the problem we wanted to highlight when putting together the
WebID demo we recently released. Compare the sequence above with how we
create accounts in websites today:

1. Click create account.
2. Fill out username, e-mail address and password.

Now, sign in:

1. Enter username and password.

Both you and Henry seem to be commenting about WebID from the standpoint
of how easy it is to manage X509 certificates now. The point that I'm
trying to make is that if we talk about managing X509 certificates /at
all/ for /any/ WebID interaction, we're going to thoroughly confuse the
majority of people that use the Web. WebID is not going to be adopted
very rapidly (or at all) because it is more complicated than what we do
on websites today.

One of the points of our demo was to highlight that WebID is competing
against traditional login. When traditional account creation is a 2-step
process at best, and a 4-step process at worst - having a 7-step process
(as you outline above for WebID) won't be received well by the general
Web community.

That is not to say that experts should be stopped from managing their
own certificates, quite the contrary, we should support experts... but
also understand that they are the minority and WebID cannot be
successful by catering to or designing for experts.

Here are a few anti-patterns for WebID as far as I see it:

1. Requiring plugins of any kind that are not in over 90% of all
   browsers. Flash is a plugin, but it is available in over 90% of all
2. Requiring browser features that are not already widely deployed.
3. Depending on browser/OS features that could confuse the user
   experience - like OS-native X509 Certificate generation.

The main point of the demo was to demonstrate that WebID doesn't need
any of the OS/browser technologies that this community believed were
necessary to implement WebID in the browser.

Furthermore, I think it would be a mistake to choose a technology
solution that is more complicated than regular account creation and
username/password login is at the moment. The current state of managing
X509 certificates via the browser or the OS falls into this category.

That said, I do think we should support the traditional OS/browser-based
WebID experience, but understand that that experience is for experts and
will confuse the general public. If we are going to start presenting
this work to people like Google, Twitter and Facebook - we need to show
them something simpler than a demo that requires them to manage their
OS/browser-native X509 certificates.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: WebID - Universal Login for the Web
