
RE: Solutions to the NASCAR problem?

From: <Joerg.Heuer@telekom.de>
Date: Mon, 23 Nov 2015 18:45:06 +0100
To: <melvincarvalho@gmail.com>
CC: <anders.rundgren.net@gmail.com>, <dlongley@digitalbazaar.com>, <public-credentials@w3.org>, <public-webid@w3.org>
Message-ID: <FB5E170315856249A4C381355C027E4502A1AB8990A3@HE100041.emea1.cds.t-internal.com>
Oh yeah, we’re touching one of my dearest philosophical questions now! ☺

Whenever you authenticate you have to establish something like an identity (though that might not be your intention in the first place), which has led to the fact that authentication was always tied to a specific identity. Everybody did it once for an identity, again and again. An identity can be established without authentication being required (IP works that way!) if you agree on an IP address being a proper identity – in some sense.

In essence, everybody is right, but the authentication of a certain person is still far from FIDO tokens, most passwords or PINs.

Biometry would be very ‘personal’, but still it might be very hard to actually ‘identify’ a person out of millions of people if their fingerprints aren’t all stored somewhere (and I’d personally not wish for such a situation to ever occur).

It sounds fine to me if we, technology people, come up with many good ideas to authenticate something or someone, but “identity management’s last mile”, in which a real person is connected to it, is still either a personal contact, a contract or a law. Nothing we’d need to reinvent, but something to efficiently support with technology.

The ‘remember me’ function is fine for now. But I’d love to see more control than that – and I mean easy-to-use-and-understand control - for the user evolving over time.

Cheers,
                Jörg

From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: Monday, 23 November 2015 18:11
To: Heuer, Jörg
Cc: Anders Rundgren; Dave Longley; W3C Credentials Community Group; public-webid
Subject: Re: Solutions to the NASCAR problem?



On 23 November 2015 at 18:02, <Joerg.Heuer@telekom.de> wrote:
Hi again!

FIDO doesn't do identity management, but authentication, as was already stated. To that matter FIDO, as it is, does not explicitly support free assignments of AuthN tokens (or even token generators) to one or multiple identities.

You can't do authentication effectively without identification. Because you have to authenticate *something*.

The minimum level of management is to document what identity you are verifying. Ideally further management items you get for free, as is the case with HTTP identifiers.
Once you know what you're authenticating, it's easy enough to have a "remember me" button in the client to solve the NASCAR problem. Or to tie a name and avatar to that identifier in order to make a good user experience. We seem to still be stuck in the 1980s on this front -- I'm hoping innovation is coming when FIDO is introduced ...


I guess, the protocol could be enhanced to allow more control through the user than just confirming or not in the future. Alternatively, we could assume multiple FIDO tokens being available and being individually assigned to identities. Virtualization of FIDO tokens would seem a good topic to solve the problem early on.

Cheers,
        Jörg

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: Saturday, 21 November 2015 20:53
To: Heuer, Jörg; dlongley@digitalbazaar.com; public-credentials@w3.org; public-webid@w3.org
Subject: Re: Solutions to the NASCAR problem?

On 2015-11-21 18:41, Joerg.Heuer@telekom.de wrote:
> Hello all,
>
> One of the main benefits to the 'wallet'-approach is, that the
> negotiation between the RP and the user's 'wallet' just doesn't
> have this problem at all.

Indeed.


> Once the RP sends a statement about what 'instruments' and IdPs it
> accepts, it's up to the 'wallet' of the user to figure out what to use.
> Could be very plain and offer all matches to the user to make a pick
> or it can be way more sophisticated and implement the user's policy
> according to context.

Fully implemented as well!
https://test.webpki.org/webpay-merchant/home



> And yes, FIDO should be among the technologies employed I'd say.

There is no public information about FIDO solving the NASCAR problem:
http://www.w3.org/Submission/2015/02/


Do you have any other information to share with us?

Anders


>
> Cheers,
>       Jörg
>
> -----Original Message-----
> From: Dave Longley [mailto:dlongley@digitalbazaar.com]
> Sent: Saturday, 21 November 2015 16:31
> To: Anders Rundgren; W3C Credentials Community Group; public-webid@w3.org
> Subject: Re: Solutions to the NASCAR problem?
>
> On 11/21/2015 02:11 AM, Anders Rundgren wrote:
>> I'm interested hearing what's available and what's cooking:
>> http://indiewebcamp.com/NASCAR_problem
>>
>> Just the core (and links), no TL;DR BS please.
>
> There's a very simple demo here:
>
> https://authorization.io
>
> It involves technology intended to solve the NASCAR problem. In step 2, the site you log into only needs to provide a login button; the browser will take care of the rest (finding out your IdP, etc).
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
>

Received on Monday, 23 November 2015 17:45:41 UTC
