Re: DIDs, DID Auth & Browser Cookies

Hi Dennis,

Personally I think your question is valid and I think session cookies are a
reasonable solution for maintaining a browser session in the short term.
I.e. you “log in” first with DID Auth, the service associates your DID with
a browser cookie and as long as the cookie is valid your session is
maintained.

Another model could be to generate another private key in the browser,
associate this with your DID at the service and then sign every request
with the browser key.

You can still require a separate DID Auth with the user's phone/edge device
when authorizing high-value transactions.

Christian

On Wed, Mar 21, 2018 at 10:45 AM Dennis Yurkevich <dennis@mediaiqdigital.com> wrote:

> Thank you Drummond and John for your replies.
>
> I understand the concept and benefits of DID auth, however I am more
> thinking of how this can be implemented in the short term as websites will
> not (most likely) switch over from current auth workflow to DIDs all at
> once, and they will want to cater for users who do not have capability to
> authorise using DIDs.
>
> But let's say I am using my mobile device on which I have stored my *privK*,
> to authenticate on a website. If we say take the uPort approach and show a
> QR code to facilitate this - what happens if I shutdown my browser
> (accidentally) and want to log back in? Does this group feel that
> implementers will still be forced to use session cookies?
>
> And the second question still stands, many people are using cookie-based
> tracking and analysis in their apps - what do you envisage companies such
> as this with no direct user interaction would do?
>
> I think these are important questions (and many more) when we think about
> the DID auth spec to ensure we capture real world use cases in such a way
> adoption possibility is increased.
>
> Best,
> Dennis
>
> On Wed, Mar 21, 2018 at 4:38 AM, =Drummond Reed <drummond.reed@evernym.com> wrote:
>
>> +1 to John's reply. DIDs essentially invert the traditional cookie
>> relationship, i.e., rather than a site handing you a cookie (over which you
>> have no control other than to delete it), you hand the site a DID. Because
>> you control the private key, you can always prove control of that DID. You
>> can even rotate the public/private key pair associated with the DID and
>> still prove control.
>>
>> That's why they are a sea change in both identification and authentication
>> (and, in conjunction with verifiable credentials, in authorization as well).
>>
>> =D
>>
>> On Tue, Mar 20, 2018 at 5:08 AM, Jordan, John CITZ:EX <John.Jordan@gov.bc.ca> wrote:
>>
>>> Hi Dennis
>>>
>>> There are deeper experts here however my thinking is there is no more
>>> “remember me” as there will no longer be a “login”.  One will simply
>>> connect to a service at which point DID Auth will occur. You will already
>>> be authenticated via the device you are using to control your private keys.
>>> Ideally DIDs are pairwise unique so I guess a site could use your DID for
>>> preferences and so forth.
>>>
>>> Remember me and cookies are a hack to solve user experience issues around
>>> user logon and sessions.
>>>
>>> Not sure what to say about tracking. I think there needs to be consent
>>> and withdrawal of consent at least :) ... maybe DIDs can help with user
>>> control of consent.
>>>
>>> J
>>>
>>> On Mar 20, 2018, at 05:06, Dennis Yurkevich <dennis@mediaiqdigital.com> wrote:
>>>
>>> Hello All,
>>>
>>> I have quite a general question on which I am yet to find an answer
>>> anywhere on the GitHub repo.
>>>
>>> How does this group see DIDs and specifically DID Auth interacting with
>>> traditional browser cookies, specifically my questions are:
>>>
>>>   *   If a user checks the "remember me" button on a site which uses DID
>>> Auth, what would be the implementation flow?
>>>   *   In the scenarios where a site uses various third party analytics
>>> systems which set tracking cookies, is there a better way to do this using
>>> DIDs?
>>>
>>> Thanks!
>>> Dennis

Received on Wednesday, 21 March 2018 10:36:42 UTC
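
Added example (not part of the original thread, and not code from any DID Auth implementation): a Node.js illustration of the two models in Christian's reply, where a DID Auth challenge-response yields a session identifier (the cookie value) and also binds a browser-generated key that must sign every request. The DID `did:example:alice`, the in-memory maps standing in for DID resolution and session storage, and the signed message layouts are assumptions made for illustration.

```javascript
const crypto = require("crypto");
// Assumed stand-ins for DID resolution and session storage (in-memory).
const didKeys = new Map();   // DID -> public key
const sessions = new Map();  // session id (cookie value) -> { did, browserKey, counter }
const pending = new Set();   // challenges issued but not yet used
const sign = (key, msg) => crypto.sign(null, Buffer.from(msg), key);
const verify = (key, msg, sig) => crypto.verify(null, Buffer.from(msg), key, sig);

function newChallenge() {
  const c = crypto.randomBytes(32).toString("hex");
  pending.add(c);
  return c;
}

// DID Auth: the DID key signs the challenge together with the browser's public
// key, so the service can bind that browser key to the DID for this session.
function login(did, challenge, browserPem, sig) {
  if (!pending.delete(challenge)) return null;            // unknown or reused challenge
  const didKey = didKeys.get(did);
  if (!didKey || !verify(didKey, `${challenge}|${browserPem}`, sig)) return null;
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, { did, browserKey: crypto.createPublicKey(browserPem), counter: 0 });
  return sid;
}

// Per-request check: cookie plus a browser-key signature; the counter must increase (anti-replay).
function authorize(sid, counter, method, path, sig) {
  const s = sessions.get(sid);
  if (!s || counter <= s.counter) return null;
  if (!verify(s.browserKey, `${sid}|${counter}|${method}|${path}`, sig)) return null;
  s.counter = counter;
  return s.did;
}

function demo() {
  const did = "did:example:alice";                          // constructed DID
  const phone = crypto.generateKeyPairSync("ed25519");      // key held on the user's device
  const browser = crypto.generateKeyPairSync("ed25519");    // key generated in the browser
  didKeys.set(did, phone.publicKey);
  const pem = browser.publicKey.export({ type: "spki", format: "pem" });
  const c = newChallenge();
  const loginSig = sign(phone.privateKey, `${c}|${pem}`);
  const sid = login(did, c, pem, loginSig);
  const reqSig = sign(browser.privateKey, `${sid}|1|POST|/transfer`);
  return { first: authorize(sid, 1, "POST", "/transfer", reqSig),
    replay: authorize(sid, 1, "POST", "/transfer", reqSig),
    tampered: authorize(sid, 2, "POST", "/admin", reqSig),
    reusedChallenge: login(did, c, pem, loginSig) };
}
```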