[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Manu Sporny msporny at digitalbazaar.com
Tue Aug 10 15:46:36 CEST 2010

On 08/09/10 06:13, Henry Story wrote:
> Hi Kingsley, I watched your video that shows you creating a
> certificate for Internet Explorer
> http://www.youtube.com/watch?v=gzqHVUb3qrw
> Looking at that I can only agree with Manu Sporny that this is
> geeky.
> If there are issues we need to try to find out how we can reduce them
> there.

Just a quick note as it seems like some of my comments were viewed as
strong criticisms against current WebID implementations. I didn't mean
for them to come across as harsh as they seemed to. By the defensive
responses, it seems that they unfortunately did.

The core of my concerns comes from our intent to deploy WebID and merge
it into the PaySwarm spec:


We have a very strong concern about the usability issues that we're
going to have with people managing X509 certificates using OS/browser
native mechanisms. Anything outside of working inside the page content
seems to be too complicated for our user base.

I think that we can write the spec so that it allows OS/browser-managed
certificates as well as Javascript/Flash-managed certificates. We need
to give our customers a unified experience across all browsers.

To give you an example of our concern - some of our customers have
trouble understanding the difference between having an MP3 file on their
computer vs. streaming audio from a server:


In many cases, people will log into our music downloads site and after
purchasing their MP3 from our site and downloading it to their computer,
they will open up their purchase transaction history and continuously
download from our site every time that they want to play a song that
they have purchased from us. They have the MP3 on their disk, but they
don't understand that it resides on their disk and they use our commerce
site and their transaction history as a playlist of sorts. We do explain
that the MP3 is on their computer and they don't need to keep
downloading it every time they want to play it, but the concept is lost
on a subset of our customer base.

Similarly, anything that pops up a dialog from the browser is treated as
an error of some sort and they think that the website is trying to trick
them into doing something bad. They operate on the simplistic advice of
"pop-ups are bad - pop-ups are sites trying to steal your
information, you should close them immediately". More importantly (re:
certificate creation), we have learned that if we require our customers
to read /anything/, they won't do it and we'll get customer support
requests asking about how to do X, when it is very clearly explained on
the page.

We provide a browser-based plugin to do legal P2P media downloads and
sales and that has not been successful for the same reasons - once we
asked our customers to install a plugin, very few of them followed
through with it.

So, we believe that there is a bad usability story for OS/browser-native
WebIDs. Henry, Kingsley - it's fine if you guys aren't convinced of this
because we can support both OS-based and JS/Flash-based certs in the spec.

However, we're having a very hard time understanding how to deploy
OS/browser-native based WebID in a commercial environment that won't
result in a flood of support requests from our customers. Each support
request costs us many times more than we would make from the customer at
present, so we're trying to think this through before we create a
problem for ourselves by adopting WebID.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: WebID - Universal Login for the Web
