W3C home > Mailing lists > Public > public-credentials@w3.org > March 2015

Re: credential based login

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 23 Mar 2015 13:31:46 +0100
Message-ID: <CAKaEYh+SPHWA3pLBoBwLp967CirrGUnPLTq4cOwG4BdEU7xuHQ@mail.gmail.com>
To: Axel Nennker <Axel.Nennker@telekom.de>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
On 23 March 2015 at 13:09, <Axel.Nennker@telekom.de> wrote:

> Melvin,
>
> Thanks for your welcomed advice. I think that a recommendation is always
> personal and subjective and “best” is clearly my personal view and not part
> of any “discussion”. Connecting communities is a stated goal of IIW and I
> think they are doing a great job. I did not suggest to have an “official”
> credentials meeting there. Some IETF WGs did that in the past but in the
> end the WG’s mailing list still is the ultimate “thing” for open discussion
> because not everybody can travel to all the interesting events.
>
> -Axel
>

Thanks for clarifying.  Identity has historically been a sensitive topic in
the past, with the W3C pushing the URI as identity and west coast
advocating XRI / inames as part of an identity system.  This has in the
past lead to some contention, but hopefully those days are behind us, and I
think largely in this group at least, we are settled on URIs as identity,
preferring HTTP URIs.

I find it helps to use more neutral language.  With an aim of hopefully
bringing ideas together in a way that leads to broader standards adoption.


>
>
>
>
> *From:* Melvin Carvalho [mailto:melvincarvalho@gmail.com]
> *Sent:* Monday, March 23, 2015 11:16 AM
> *To:* Nennker, Axel
> *Cc:* W3C Credentials Community Group
> *Subject:* Re: credential based login
>
>
>
>
>
>
>
> On 23 March 2015 at 08:09, <Axel.Nennker@telekom.de> wrote:
>
> Hi Manu,
>
> I would like to recommend the Internet Identity Workshop
>         http://www.internetidentityworkshop.com/
>
> https://www.eventbrite.com/e/internet-identity-workshop-xx-20-2015a-tickets-14097972415
> next month in Mountain View, California.
>
> It is the best place to discuss all ideas around identity.
>
>
>
> I would encourage you to refrain from using the term "best" in this type
> of discussion.  There are many forums that discuss identity, and everyone
> has their favorites.
>
> That said, I've followed IIW for many years, tho attending the conference
> itself is out of my price range, much good work has come out of it.
>
>
>
>
> Kind regards
> Axel
>
> https://www.w3.org/community/credentials/
>
>
> -----Original Message-----
> From: Manu Sporny [mailto:msporny@digitalbazaar.com]
> Sent: Monday, March 23, 2015 4:24 AM
> To: public-credentials@w3.org
> Subject: Re: Leveraging DNS and email addresses
>
> On 03/16/2015 04:02 AM, Adrian Hope-Bailie wrote:
> > I have been thinking lately about the challenge of keying an identity
> > in a way that:
> >
> > * Is easy to transfer and remember (even for humans) * Can be
> > normalised in a standard way and used as part of a standardised
> > discovery process by a client to discover the Identity Provider
> > (IdP) for that identity
>
> We've been doing quite a bit of thinking in this area for years, some
> background reading on the current status of this thinking:
>
> http://manu.sporny.org/2014/credential-based-login/
> http://manu.sporny.org/2014/identity-credentials/
>
> The rest of this post assumes you've read the blog posts above.
>
> > To my mind the obvious solution is to use the email address format as
> > this is already a well-known standard which user's understand.
>
> +1 to using email addresses as the /keying/ mechanism used to discover
> an IdP.
>
> -1 to making the IdP the same domain as the email address. Doing that
> creates a monopoly (Google for gmail.com addresses, for example).
>
> -1 to using email addresses as the thing that you tie a credential to -
> doing that leads to monopolistic behavior. Tying a credential to anything
> that's not completely portable and under the recipients control is ceding
> control of that credential to someone other than the recipient.
>
> > It seems to me that the only argument against an email address format
> > is that the domain part is often not under the control of the
> > identity owner. I don't see that is a good enough reason to force
> > users to try and change their thinking and use URIs as their
> > identifiers.
>
> That's the wrong way to look at it - the fact is that /both/ email
> addresses and URLs are bad things to tie credentials to. Email addresses
> are good as a lookup mechanism because it's been proven that people can
> remember them easily. URLs are bad as a lookup mechanism, and they're bad
> as a thing to tie credentials to, but they're good for hanging
> machine-readable information off of.
>
> > I don't have statistics to back this up (perhaps somebody does) but I
> > consider the relative obscurity of OpenID as a login option as
> > evidence that this is a bad idea.
>
> Yep, OpenID URLs are a bad idea.
>
> > So how do we help the user that has an email address @gmail.com
> > <http://gmail.com> or @hotmail.com <http://hotmail.com> or @yahoo.com
> > <http://yahoo.com> but wishes to host their identity themselves or at
> > a different IdP?
>
> Yep, exactly the question you should be asking.
>
> > First, we define a mechanism or standard algorithm/protocol for
> > translating their email address into a service discovery process that
> > may start with their home domain but ultimately result in the client
> > accessing the identity somewhere else. Then we pressure the large
> > email providers to abide by this standard. I acknowledge that this may
> > be difficult but I would say it is not impossible.
>
> That's what Mozilla Persona was about, and it failed. The blog posts above
> explain why Persona failed.
>
> > I imagine the user experience being something like the following:
> >
> > 1. I log in to my account with this email provider, go to my account
> > settings and provide the URL of my IdP. 2. When I use my identity
> > online the client executes the service discovery protocol as defined,
> > contacts my email provider and is given the URL I have configured as
> > part of this process. 3. The client negotiates with my IdP of choice
> > to get my identity information.
>
> You've basically re-invented Persona and added a redirection mechanism,
> and I don't think that'll work.
>
> > If we have designed the protocol correctly (very close to what is
> > already in place today) my email provider only knows who my IdP is but
> > nothing more about the identity I have defined their unless I choose
> > to share it.
>
> Why would Google adopt this for gmail.com? What's in it for them? Same
> question goes for all the major email providers.
>
> > Where a user has a primary email address with a provider who is not
> > following the standard the user has two choices:
> >
> > 1. Change email providers
>
> I don't think people with a gmail.com address will do this.
>
> > 2. Use an identity that is different from their primary email address.
>
> I don't think people will understand why they have to have two email
> addresses.
>
> > Is there a compelling case for using a URI as an identity key as
> > opposed to the familar form of an email address?
>
> Email addresses change throughout your lifetime. Tying identity to a URL
> is also a bad idea. The world needs a decentralized identifier that's
> portable, full stop. The blog posts go into it a bit more... the
> identus.org demo is something you should look at... I'd be happy to go
> through it w/ you at some point.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
>
>
>
Received on Monday, 23 March 2015 12:32:14 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:23 UTC