Re: The Internet Identity (WG) Crisis

From: Dirk Pranke <dpranke@chromium.org>
Date: Fri, 1 Jul 2011 16:27:21 -0700
Message-ID: <CAEoffTCCqEkCvGeeWpYwVvHOjE-VBd+b7JdEfxqZCu9n1ZUjHQ@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>

On Wed, Jun 29, 2011 at 12:21 AM, Henry Story <henry.story@bblfish.net> wrote:
>
> On 28 Jun 2011, at 15:05, Anders Rundgren wrote:
>
>> Henry,
>>
>> I don't disagree with what you write but there are initiatives
>> having a higher inertia than WebID because they depend on
>> multiple things to happen at roughly the same time.
>>
>> Anything browser-2-server "protocolish" falls into this category.
>
> yes, that's why with WebID we are very careful to require no browser changes, since those are the most difficult to deploy.

While I would agree that for most if not all of the 2000's this was
true and a reasonable design constraint, it is not clear that this is
still true or reasonable (as I argued in my presentation at the w3c
summit). While I do grant that there is still a large IE6/7/8 user
base locked out of potential changes, it is not clear that fixing this
is actually more difficult (or important to accommodate) than changing
the bajillion services out there that still require usernames and
passwords, or retraining and providing an upgrade path for the
hundreds of millions of users who have existing usernames and
passwords (or, now, increasingly are getting used to OpenID and/or FB
Connect).

For example, if we could wave a magic wand and come up with a new
system that worked across all services on the web and in the next
major version of each browser, that might be enough of an upgrade
incentive to make the legacy problem go away.

Of course that depends on what your goals are ... get new services to
use WebID, or get existing services to change?

-- Dirk

> The idea is to build momentum on a basis that is not perfect, but that works, and so to build a larger voice: the voice of the users. The browsers were never perfect and were always evolving anyway, but have grown through feedback.
>
>> If we take my pet project, Key Provisioning, it is undoubtedly in
>> the other end of the spectrum compared to WebID but that doesn't render
>> it useless; it just requires much more work on every front you can imagine.
>
> I think I can imagine. It is already so much work to get a simple idea like WebID widely understood and adopted.
> For sure the WebID story does benefit a lot from deeper longer term changes such as DNSsec, DANE, and other infrastructure improvements, including improved provisioning, as these help develop a better future roadmap.
>
>> Is there a short-cut?  I haven't seen it at least.  That current schemes
>> work for WebID is true but a close to 100% reject of <keygen> and CertEnroll
>> for *other* usages seems to say something as well.
>
> Yes, the provisioning of cryptokeys with WebID does apparently work with keygen
> but the user experience is not very satisfactory, as you can see in the second video
> "WebID and the crypto Stick" on http://bblfish.net/blog/2011/05/25/
>
> It would be great to have provisioning of such hardware devices be as easy as simple
> key generation in a browser.
>
> I have heard of the keygen2 proposal,
>  http://webpki.org/auth-token-4-the-cloud.html
> but I am not sure what other use cases the more advanced keygens are trying to solve -
> probably because I have not yet hit those limits myself.
>
>
>> If my long-short works as
>> planned, WebID will benefit from a fundamentally better platform including
>> a GUI borrowed from Microsoft's [unfortunately failed] Information Card project.
>
> Their GUI was a good idea. They did not make it webby enough I can now see from the WebID experience. By tying the information to the WebId, the GUI could be dynamically up to date with information from the web.
>
>>
>> "Everybody should have their own business plan"
>>
>> I have in my project removed "business" but kept "plan".  Open HW + SW
>> clearly isn't what the "authentication industry" is looking for.  However,
>> the potential *users* of the technology should have no issues with that :-)
>
> The global authentication space is going to be much bigger than anything else, mainly because it will be open, flexible and decentralised. Those are the initial requirements for any global network effect to get going, and those follow exponential curves.
>
>>
>> BTW, WebID is great!
>
> Thanks. I look forward to a primekey implementation :-) Technical feedback on our spec from implementation experience would be greatly welcome. We are now developing simple test suites to help us narrow down on issues. It would be great to have some of your members join http://tinyurl.com/webidxg
>
>> It will be even greater when you keep your ID in
>> the phone.
>
> yes, WebID is a killer app in the cell phone. It used to work in the iPhone a few years ago,
> and my demos were extremely convincing.
>
> http://blogs.oracle.com/bblfish/entry/one_click_global_sign_on
>
> I am not sure which cell phones it works in now. The iPhone had an SSL problem a while after I wrote that article. And I don't have a cell phone myself now. We need more deployment to help make the case for it.
>
> Henry
>
>
>> But we have to wait:
>>
>> http://www.mobilepaymentstoday.com/blog/5901/Forget-about-the-wallet-wars-here-come-the-IP-wars
>>
>> Anders
>>
>>
>> On 2011-06-28 14:34, Henry Story wrote:
>>>
>>> On 28 Jun 2011, at 13:35, Anders Rundgren wrote:
>>>
>>>> On 2011-06-28 12:01, Josh Howlett wrote:
>>>>>
>>>>>> A fundamental problem with option #2 is that it seems hard (maybe even
>>>>>> impossible) just getting down the basics such as Why, What and How.
>>>>>
>>>>> Could you expand on what you mean by that?
>>>>
>>>> Well, before you start anything it is always good to know WHY
>>>> you are doing it.  This is essentially the "vision" part.
>>>
>>> "Philosophy and the Social Web"
>>> http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083
>>>
>>> All about what the web is, how it fits together architecturally and why Identity is core to it,
>>> and why it is so important to have it decentralised.
>>>
>>>> HOW should presumably describe the necessary deliverables and the
>>>> strategy for getting these adopted.   The latter is almost always
>>>> missing because that is close to "business plan".
>>>
>>> Implementations that interoperate. Everybody should have their own business plan.
>>> Bootstrapping is always difficult.
>>>
>>>>
>>>> WHAT is the thing that existing charters usually specify.  Like
>>>> a secure authentication solution for mobile users.
>>>
>>> What, with an order of delivery
>>>  - WebID for authentication
>>>  - Authentication ontologies - to describe who can access what resource (ACL work at W3C)
>>>  - privacy ontologies (what can be done with the data)
>>>  - logics to tie any other auth system into WebID: so you can show how different authentication systems work
>>>  - formalised trust logics
>>>
>>> One does not need the whole stack. WebID works pretty well, combines nicely with openid, and can be used to start building the platform.
>>>
>>> My feeling is more that for some psychological reason, the obvious solutions (to me) seem to be invisible to a lot of people in this space.
>>>
>>>
>>> Henry
>>>
>>>>
>>>> Anders
>>>>
>>>>>
>>>>> Josh.
>>>>>
>>>>>
>>>>>
>>>>> JANET(UK) is a trading name of The JNT Association, a company limited
>>>>> by guarantee which is registered in England under No. 2881024
>>>>> and whose Registered Office is at Lumen House, Library Avenue,
>>>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> Social Web Architect
>>> http://bblfish.net/
>>>
>>>
>>
>>
>
> Social Web Architect
> http://bblfish.net/
>
>
>
Received on Friday, 1 July 2011 23:28:19 GMT