W3C home > Mailing lists > Public > public-credentials@w3.org > June 2015

Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS IS A PROBLEM

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Wed, 17 Jun 2015 15:23:57 +0000
Message-ID: <CAM1Sok1mT0rr4irucVUk=LyGgKKQ3CKvrxoy7_GL3QmY6XPD4w@mail.gmail.com>
To: Joerg.Heuer@telekom.de, melvincarvalho@gmail.com
Cc: eric.korb@accreditrust.com, public-credentials@w3.org
IMHO: I think interoperability...

An entities identity chain will likely transit across multiple 'things'
perhaps in-turn relating to the same dataspace and related assets.

Ie: iptv

TV may use a TOS cert to identify the TV, and where to store tracking data.
Let's hope it stores that data in relation to the owner of the TV.

They then may have a means to both navigate the data on a computer or
mobile device, perhaps provide or revoke access to that data to nominated
parties (ideally, with declared terms), or assign different users, which
may in-turn interoperable at a server level with other dataspaces and/or
2nd screen devices to create new interactive experiences, socially with
people watching the same TV and the same program, which in-turn may invoke
an array of different, personally declared terms in relation to the
participating social graph regardless of whether their groups by the
program their watching, or the room their watching it in.

Sometimes a WebID-TLS cert is better, othertimes, hopefully, a credential.

Othertimes a Google I'd, or an Apple ID.

Within the standards interoperability; I'm not sure who takes on the work
around ensuring interop.

Is that a credentials CG task?

Is it really one or the other?

Simple answer IMHO is that their both designed for linked-data support and
I can see application for both tools, ideally interoperable / cooperatively.

On Thu, 18 Jun 2015 at 1:12 am, <Joerg.Heuer@telekom.de> wrote:

> Okay, let’s formulate my remark more correctly: It should be possible to
> store credentials outside of the browser, explicitly to allow for these
> different preferences. No problem with browsers implementing the same
> functionality. In essence we are talking about portability now.
>
>
>
> *From:* Melvin Carvalho [mailto:melvincarvalho@gmail.com]
> *Sent:* Mittwoch, 17. Juni 2015 17:05
> *To:* Heuer, Jörg
> *Cc:* Eric Korb; W3C Credentials Community Group
>
>
> *Subject:* Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS
> IS A PROBLEM
>
>
>
>
>
>
>
> On 17 June 2015 at 16:57, <Joerg.Heuer@telekom.de> wrote:
>
> +1 to definitely not aim at storing credentials in the browser. I’d like
> to use different browsers on different platforms – and have them synced if
> I may…
>
>
>
> That's a design decision and people will have different preferences.  It's
> really important not to impose personal preferences onto others, here.
> Mozilla tried to do this and that's one reason Persona failed to become a
> standard.
>
> Estonia solve this quite neatly with the e citizen program by using a card
> reader.  The browsers have the ability to store credentials externally,
> which is a nice feature.
>
> It seems to have worked very well.  Once finland operate this, both
> belgium and holland have digital id schemes in the world.  I think
> estonia/finland is the most advanced.  There will be mounting pressure IMHO
> on denmark, norway, sweden and then germany to innovate:
>
> https://www.youtube.com/watch?v=L4J5yeyGu1A
>
> It's been a huge win for Estonia to date
>
> Adding the online national census capability cost only the census
> software, less than €10K, because the infrastructure was already in place
>
> compare the US: The 2010 census cost $13 billion, approximately $42 per
> capita
>
>
>
>
>
> *From:* Timothy Holborn [mailto:timothy.holborn@gmail.com]
> *Sent:* Mittwoch, 17. Juni 2015 16:52
> *To:* Eric Korb; Melvin Carvalho
> *Cc:* Credentials Community Group
> *Subject:* Re: WHY USING FACEBOOK, GOOGLE, AND TWITTER TO LOG INTO APPS
> IS A PROBLEM
>
>
>
> (Can't respond inline on Google inbox, as far as I can tell...)
> Re: credentials in the browser.
> So,
> How do you reset your tls cert? Say, for nanna...
> Are you suggesting you think credentials are unnecessary?
> What's the difference between trusting a data space service with your data
> vs. your credential access support.
> Do you think it's global or go home; or,
> Should every legal entity (and/or bot/agent) be able to "mint" a
> "credential", and what happens if your computer is stolen, or fails, or
> someone else is using your account on your computer.
> How does it support isolation of roles/persona.
> Communities at all levels share and disagree on an array of values. From
> images relating to local laws on nudity or gun licensing, to the cost of
> education.
> Who says one ring should rule them all...
>
>
>
> On Thu, 18 Jun 2015 at 12:17 am, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
> On 17 June 2015 at 14:23, Eric Korb <eric.korb@accreditrust.com> wrote:
>
> Interesting article.
>
>
>
>
> http://www.fastcompany.com/3044280/one-more-thing/the-ghosts-of-app-permissions-past
>
>
>
> Yep, it used to be even worse.  They used to phish your password:
>
> http://microformats.org/wiki/social-network-anti-patterns
>
> Mozilla persona still does this.
>
> I prefer to keep credentials in the browser.  This can be done today with
> X.509 or the web crypto API.
>
>
>
>
>
> ----------------------------------
>
> Eric Korb, President/CEO - accreditrust.com <https://www.accreditrust.com>
>
>
>
Received on Wednesday, 17 June 2015 15:24:36 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:24 UTC