
Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]



On 05/15/2013 11:04 PM, Philip Hands wrote:

> Do you have any thoughts on how that compares with using
> BrowserID/Persona?  I'd got the impression that BrowserID has been put
> together learning from mistakes of OpenID & WebID, but perhaps I'm just
> swallowing their marketing.

It looks to me like BrowserID/Persona will only work in web browsers
with a functional javascript stack (and eventually, with a functional
javascript crypto stack).  The client authentication happens inside the
TLS layer, over the HTTP protocol.

If i understand the parts of WebID that intend to perform authentication
correctly, it uses standard TLS client-side certificates to do pubkey
authentication of the client *at* (not inside) the TLS layer, and only
requires the use of HTTP(S) in one small place: on the backend for
servers who need to do key discovery via that mechanism.

Since i'm the kind of person who uses TLS to wrap protocols other than
HTTP (though i also use it around HTTP), i'd prefer to adopt an
authentication regime that isn't limited to that one protocol inside
TLS, but rather to work at the TLS layer directly.  For example: it
looks possible to use WebID for authentication in an IMAP client capable
of STARTTLS.

Even if we limit ourselves to the HTTPS subset of the 'net, since i'm also
the kind of person who browses the web with javascript disabled most of
the time (and uses and implements automated HTTPS clients that have no
HTML DOM support, let alone javascript support), i'd also prefer to adopt
an authentication regime that doesn't necessarily rely on javascript or
the HTML DOM.

For these reasons (which i think are relevant to debian), what i think
folks are referring to as WebID here (client-side certs verified by some
robust mechanism other than the standard CA cartel) sounds better than
BrowserID to me.

It's possible that i've misunderstood or mischaracterized any of the
protocols or tools mentioned here, though.  If that's the case, i hope
that someone will correct me.

Regards,

	--dkg

PS thanks for keeping me cc'ed on replies
