[foaf-protocols] Fwd: XAuth critiques

David Chadwick d.w.chadwick at kent.ac.uk
Wed Jun 9 13:50:05 CEST 2010


Hi Nathan

Nathan wrote:
> David Chadwick wrote:
>> Hi Nathan
>>
>> Nathan wrote:
>>> personal opinion:
>>>
>>> standardisation of whether certificate storage is delegated by the 
>>> browser to the OS certificate store (like chrome and ie) or handled 
>>> by the browser (like all the others) - I'd like to see it one or the 
>>> other.
>>
>> as long as you have a standard API for accessing the certificate it 
>> does not matter where it is stored, does it?
> 
> Thinking more from the user side, if I install a cert via keygen and 
> then find it in two browsers, but not the third, I'll be a little confused.

Agreed. So it does need to be common to all browsers. Imagine one 
browser uses C: and another uses D:; how confusing that would be to 
users. The solution is to have a standard PSE (Personal Security 
Environment) in which private keys and self-signed root CA keys are 
stored. Public key certificates can be stored anywhere, so the user 
should be able to choose a file directory and all browsers should be 
configurable to look there for PKCs.


> 
>>>
>>> choice of which certificate to present should always be left up to 
>>> the user, unless they have specifically requested to always send X 
>>> certificate to Y domain (I don't want my webid and thus my foaf 
>>> (identity) details handed out without me knowing).
>>
>> agreed. Also, even if you have set up an "always use this cert" rule, 
>> you should be able to change it at any time.
> 
> concur
> 
>>>
>>> regardless of any UI/UX synchronisation amongst vendors, 
>>> standardisation of which certificate details are presented to the 
>>> user when selecting a certificate would be brilliant.
>>
>> I don't see how you can standardise this. The cert contents are already 
>> standardised, but suppliers are free to display any info in any way 
>> they want to. So I don't buy this one.
> 
> well then at least include one bit of common information from the cert 
> that identifies it unambiguously; again from a users perspective.
> 
> If you equate a certificate to a file this all becomes clearer, if you 
> saved a file as "My Certificate" and then found it wasn't available in 2 
> programs, and had a different name in each program, you'd be a bit 
> confused surely.. maybe you and I wouldn't be, but my youngest and my 
> mother both would..

One problem is that browsers, people, and even technical gurus refer to 
private keys as certificates. They are not. They are separate, and 
should be treated as such.

regards

David

> 
> Best,
> 
> Nathan
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
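The thread makes three points that are easy to show in code: a certificate and its private key are separate artefacts (only the key belongs in the PSE), the certificate carries nothing of the private key, and a single piece of information computed from the certificate bytes (the fingerprint, or X.509's own issuer-plus-serial pair) identifies it unambiguously no matter which program displays it. The following Go program is an added example written for this page, not code from the thread or from any browser; it generates a constructed P-256 key pair and self-signed certificate, then checks the relationship between the two with Go's standard crypto/x509 package.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertAndKey keeps the two artefacts that browsers and users tend to lump
// together as "the certificate": the public certificate (DER) and the
// private key (PKCS#8 DER). Only the second one belongs in the PSE.
type CertAndKey struct {
	CertDER []byte
	KeyDER  []byte
}

// MakeSelfSigned generates a P-256 key pair and a self-signed certificate
// for it, the kind of pair a keygen-style enrolment leaves behind.
// commonName is a constructed value chosen by the caller.
func MakeSelfSigned(commonName string) (*CertAndKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return &CertAndKey{CertDER: certDER, KeyDER: keyDER}, nil
}

// Fingerprint returns the hex SHA-256 of the DER certificate. Every program
// holding the same certificate bytes computes the same value, which makes it
// the one unambiguous identifier a chooser dialog can show the user.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// IssuerAndSerial returns the pair that X.509 itself defines as unique.
func IssuerAndSerial(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s / %s", cert.Issuer.String(), cert.SerialNumber.Text(16)), nil
}

// parsePriv decodes the stored PKCS#8 key as an ECDSA private key.
func parsePriv(keyDER []byte) (*ecdsa.PrivateKey, error) {
	key, err := x509.ParsePKCS8PrivateKey(keyDER)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", key)
	}
	return priv, nil
}

// PublicKeyMatches confirms the certificate carries the public half of the
// stored private key, i.e. the two separate artefacts belong together.
func PublicKeyMatches(ck *CertAndKey) (bool, error) {
	cert, err := x509.ParseCertificate(ck.CertDER)
	if err != nil {
		return false, err
	}
	priv, err := parsePriv(ck.KeyDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("unexpected certificate key type %T", cert.PublicKey)
	}
	return pub.Equal(&priv.PublicKey), nil
}

// ContainsPrivateScalar reports whether the private scalar d occurs anywhere
// in the certificate bytes. It never should: a certificate holds only the
// public key, which is why it can be stored anywhere while the key cannot.
func ContainsPrivateScalar(ck *CertAndKey) (bool, error) {
	priv, err := parsePriv(ck.KeyDER)
	if err != nil {
		return false, err
	}
	return bytes.Contains(ck.CertDER, priv.D.Bytes()), nil
}

func main() {
	ck, err := MakeSelfSigned("Nathan's WebID (constructed example)")
	if err != nil {
		panic(err)
	}
	id, _ := IssuerAndSerial(ck.CertDER)
	match, _ := PublicKeyMatches(ck)
	leak, _ := ContainsPrivateScalar(ck)
	fmt.Println("fingerprint (SHA-256):", Fingerprint(ck.CertDER))
	fmt.Println("issuer / serial:", id)
	fmt.Println("certificate public key matches private key:", match)
	fmt.Println("private scalar present in certificate bytes:", leak)
}
```

The fingerprint is computed over the DER bytes alone, so two browsers importing the same certificate file will show the same hex string even if each gives it a different friendly name; that is the "one bit of common information" Nathan asks for. The ContainsPrivateScalar check is a blunt illustration of the last paragraph's point, and not a substitute for keeping the key in a protected store.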

