[foaf-protocols] HTTP request header field for acceptable authentication methods
home_pw at msn.com
Sat Nov 5 19:36:30 CET 2011
The issue of webid, browserid (and the 5 other latest schemes doing the same thing) has become religious, at the cultish level. One sees the cc: trick, as folks seek to make their case. To be fair, the browserid community is a bit more disciplined than others, on keeping a lid on broadcast-based proselytizing.

All I see is 5 new unverified schemes with about a max of 1000 users each (mostly developers), vying for attention in the usual vendor space. Each denies the legitimacy of the other, including such as gmail or yahoo or openid or SAML or ws-fedp, or OAUTH, or OAUTH v2, or anything else. As a consumer of such assertions, I reject any scheme proposal IF IT HAS THAT POSTURE. The posture means it's too immature for adoption by the likes of us (mainstream). We are really not interested in another Google Wave.

There seems nothing to be done to stop the endless pursuit of assertion protocols. Any scheme that half-works simply induces a counter-scheme to become designed, as folks seek to impose some or other twist on what MUST now be trusted. This seems to be lobbyist-based, as some new infrastructure business sees $$ in controlling user logon. For browserid, someone believes that only email providers enable scalable verification. For our users, half of them use gmail and gmail already does the equivalent of a browserid assertion and validation. It's called openid v2. For me, it was trivial to integrate openid (i.e. Google), as Microsoft's ACS identity gateway did 100% of the work for us. Integrating the Microsoft gateway was pretty trivial, too. It wasn't hard to persuade the security auditor that our work was "reasonable."

If it helps, perhaps note that we are a service provider. We are logically an adoptee of schemes such as browser, assuming they deliver a 100 million users to our door - since we need the problem solved "at a national level". It's just the nature of real estate. We have even decided to get out of the login and authentication business (after 40 years). Nothing helped make anyone happy - despite having delivered password management, securid tokencodes, phone-based SMS, passmark anti-fraud neural networks, and even biometrics. We even designed our own secure USB key, for a while. No user community was/is happy. Every subgroup wants some twist, to suit their personal hot button issue. The user community is almost as fragmented as the vendor community. Of course, no one will pay anything, as it's someone else's responsibility. What's more (in our unusual space), no ads are allowed - so even that funding trick is unavailable. Folks cannot even trade off their privacy for free security technology.

If anyone cares (and I rarely find folks in the religious phase of a movement could give a damn, wanting only to preach to those likely to be "converted") we have stopped accepting any of the third-party schemes, unless it's gatewayed to us by the Microsoft Azure ACS service. For the next year or two, they are the gatekeeper on the n schemes, rewriting the n assertion blob formats into one. It's not that there is anything special about the Microsoft Azure service to us, other than it's scheme agnostic. What it does is make identity verification less of a "miserable affair", removing the posturing and the carping that is getting in the way of delivering service values.

Hope the feedback on the list's tone helps.

> CC: bergi at axolotlfarm.org; julian.reschke at greenbytes.de; http-auth at ietf.org; fielding at gbiv.com; foaf-protocols at lists.foaf-project.org; public-xg-webid at w3.org; ietf-http-wg at w3.org; public-rww at w3.org
> From: mnot at mnot.net
> Subject: Re: [foaf-protocols] HTTP request header field for acceptable authentication methods
> Date: Sat, 5 Nov 2011 12:55:26 +1100
> To: home_pw at msn.com
> Not sure why you're asking me; perhaps the cc list needs to be trimmed?
> On 05/11/2011, at 12:45 PM, Peter Williams <home_pw at msn.com> wrote:
> > So what is webid vs webid-tls?
> > Does webid tls exclude ssl v3?
> > I ask as only very specific agendas call for the elimination of ssl v3. Only .001% of the users know the difference, and less than half of those can accurately state it.
> > On Nov 4, 2011, at 2:28 AM, "Mark Nottingham" <mnot at mnot.net> wrote:
> >> On 04/11/2011, at 9:34 AM, bergi wrote:
> >>> Authentication Scheme
> >>> I was thinking about this a little bit more and now I'm not sure if we
> >>> should use WebID or WebID-TLS or even something else. From the
> >>> terminology point of view WebID-TLS would fit better.
> >>> HTTPBis, part 7, section 2.3 points to a link on the IANA web site
> >>> which is dead. I haven't found a new URL. Somebody knows if this
> >>> page has moved somewhere else?
> >> That link is dead because HTTPbis hasn't been through the entire process yet; the IANA registries will be established later on.
> >> Cheers,
> >> --
> >> Mark Nottingham http://www.mnot.net/
> >> _______________________________________________
> >> foaf-protocols mailing list
> >> foaf-protocols at lists.foaf-project.org
> >> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols