henry.story at gmail.com
Tue Aug 10 16:22:39 CEST 2010
Manu I understand and support the need for maximal simplicity.
What we want to know is exactly where WebID certificates are too complex.
I just don't see it as being too complex even for my Mom on Safari, Chromium, IE 6 or perhaps even Opera.
On Firefox the User UI is ugly but not complex - but that is certainly bad in itself. Now how many non geeky/technical end users do use Firefox? How many non-geeky end users use windows? How ugly is windows? (Answer: very. So ugliness even though clearly bad in so many ways, is not even an argument against success, as so many business people told us during the 1980ies and even in the 1990ies (my father teaches at a business school (INSEAD) from where I am writing this, so don't take this as a personal comment))
On IE > 6 it is more complex to generate than on the keygen enabled browsers.
Now as you can imagine most of us here don't use Windows at all. So the fact that we have not found a solution on IE > 6 does not mean that a very good solution cannot be found. And so I am interested in work such as the one Kingsley is doing to see if one can get it down to a 1 click event.
Consider also that we have put no energy in our examples up to now in aesthetics as we have been looking at protocol issues.
Having said that there is ONE major usability issue: and that is that one cannot change the client certificate for a site without restarting the browser once one has chosen it in Opera, Firefox, Chrome and IE, and with Safari one cannot change it at all (major bug).
But the above is something we can live with as we build examples of a Social Web using it, because the advantage gained for the Social Web outweigh even that pain in the neck.
There are a few bug reports on this issue, and I do urge everyone to vote for the following bug:
It also contains links to issues in other browsers.
My guess is that we just need one of the browser vendors to fix this, and the advantage will be so apparent for the Social Web that it will have a very positive influence on the other vendors. But for that to work we need to be ready to use the improvement any browser vendor produces and then be able to demonstrate the advantages with good software.
The flash fix could be very useful patch to get some businesses going, but we need to see it interoperate with the correctly engineered solution. So please allow me to login to your site with my existing WebIDs!
Then it could be useful to see if I can create my own flash webid on my site and login to other sites... But since you are putting this forward as a new element it would be good to see the interoperation work already there. :-)
On 10 Aug 2010, at 15:46, Manu Sporny wrote:
> On 08/09/10 06:13, Henry Story wrote:
>> Hi Kingsley, I watched your video that shows you creating a
>> certificate for Internet Explorer
>> Looking at that I can only agree with Manu Sporny that this is
>> If there are issues we need to try to find out how we can reduce them
> Just a quick note as it seems like some of my comments were viewed as
> strong criticisms against current WebID implementations. I didn't mean
> for them to come across as harsh as they seemed to. By the defensive
> responses, it seems that they unfortunately did.
> The core of my concerns come from our intent to deploy WebID and merge
> it into the PaySwarm spec:
> We have a very strong concern about the usability issues that we're
> going to have with people managing X509 certificates using OS/browser
> native mechanisms. Anything outside of working inside the page content
> seems to be too complicated for our user base.
> I think that we can write the spec so that it allows OS/browser-managed
> to give our customers a unified experience across all browsers.
> To give you an example of our concern - some of our customers have
> trouble understanding the difference between having an MP3 file on their
> computer vs. streaming audio from a server:
> In many cases, people will log into our music downloads site and after
> purchasing their MP3 from our site and downloading it to their computer,
> they will open up their purchase transaction history and continuously
> download from our site every time that they want to play a song that
> they have purchased from us. They have the MP3 on their disk, but they
> don't understand that it resides on their disk and they use our commerce
> site and their transaction history as a playlist of sorts. We do explain
> that the MP3 is on their computer and they don't need to keep
> downloading it every time they want to play it, but the concept is lost
> on a subset of our customer base.
> Similarly, anything that pops up a dialog from the browser is treated as
> an error of some sort and they think that the website is trying to trick
> them into doing something bad. They operate on the simplistic advice of
> "pop-ups are bad - pop-ups are sites are trying to steal your
> information, you should close them immediately". More importantly (re:
> certificate creation), we have learned that if we require our customers
> to read /anything/, they won't do it and we'll get customer support
> requests asking about how to do X, when it is very clearly explained on
> the page.
> We provide a browser-based plugin to do legal P2P media downloads and
> sales and that has not been successful for the same reasons - once we
> asked our customers to install a plugin, very few of them followed
> through with it.
> So, we believe that there is a bad usability story for OS/browser-native
> WebIDs. Henry, Kingsley - it's fine if you guys aren't convinced of this
> because we can support both OS-based and JS/Flash-based certs in the spec.
> However, we're having a very hard time understanding how to deploy
> OS/browser-native based WebID in a commercial environment that won't
> result in a flood of support requests from our customers. Each support
> request costs us many times more than we would make from the customer at
> present, so we're trying to think this through before we create a
> problem for ourselves by adopting WebID.
> -- manu
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: WebID - Universal Login for the Web
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
More information about the foaf-protocols