Re: Draft Web Identity Working Group Charter for Discussion

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 18 Oct 2011 22:50:33 +0100 (BST)
Message-ID: <afa628c237af4974267eadd9e2c0b49f.squirrel@webmail-mit.w3.org>
To: "Henry Story" <henry.story@bblfish.net>
Cc: "Harry Halpin" <hhalpin@w3.org>, public-identity@w3.org
>
> On 18 Oct 2011, at 21:58, Harry Halpin wrote:
>
>>>
>>> On 18 Oct 2011, at 21:05, Harry Halpin wrote:
>>>
>>>>> sounds good, but why no mention of WebID?
>>>>>
>>>>> Henry
>>>>
>>>> At the workshop, it seemed people wanted to focus on API based work
>>>> first such as the Crypto API, and certificates were discussed but
>>>> thought of as out-of-scope for this future working group, although the
>>>> W3C would be happy to see future work around certificates (everyone
>>>> agrees current situation is a mess). The one idea that came up was a
>>>> possible future workshop focused more narrowly on certificates.
>>>
>>> The WebID working group is not a working group about certificates. It is
>>> about tying TLS/SSL to identity to the web using simple web architecture.
>>> The most active list of all the groups you have created recently is the
>>> WebId XG list. Few of us were present in California during your
>>> discussion. So perhaps you could take that into account, and allow us to
>>> have a discussion of how webid can tie into these other protocols. We did
>>> not look at that in the WebID XG simply in order to make sure we could
>>> deliver something.
>>>
>>
>> Currently the WebID work does depend critically on certificates, which is
>> why I brought that option of another workshop up (as there's no
>> non-certificate purely API-based option in your draft spec).
>
> It does not depend critically on certificates Harry. Not any more than
> BrowserID does in any case. All that browserid is doing is creating JSON
> based certificates. As I argue in this comparison between BrowserId and
> WebID on stack exchange
>
> http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid
>
> there is not that much difference between those two protocols. If browser
> id decides to create a new JSON format certificate then that's ok with us.
> The only issue is that no browser implements that by default, which is why
> we did not look at that. If browser vendors are interested in developing
> other certificate formats, then that is also ok. But I don't see that this
> is a reason to exclude WebID, since we are developing experience in
> exactly that space.
>
>
>> We are of course following the WebID's work
>
> It does not seem that you are looking carefully enough Harry.
>

While there is some abstract structural isomorphism between the
BrowserID's use of PKI for assertion signing and WebID's use of putting
URIs in certs (you may also want to add OpenID Connect's Basic Profile
into the list of the things your group should look at), you do critically
depend on TLS and existing cert specifications.

At the workshop, there were a number of security/deployment concerns that
Brad Hill voiced and emailed to you. I'd make sure your group addresses
these:

http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html


>> and look forward to your concrete suggestions that come from any
>> discussion on the WebID list,
>
> Yes, we could participate here.
>
>> although I would request that WebID-specific discussions stay on the WebID
>> list and then your group gives the W3C a single list of requested changes
>> to the charter, as discussions on this list should ideally focus on
>> textual changes and scoping to the charter.
>
> Ok. I will ask that group.
>

Also add any commitments you have from any vendors (ideally W3C members)
or large deployment sites that would use and are interested in this
authentication mechanism. Attaching that as part of the group's response to
the charter would be appreciated.

> Henry
>
>>
>>
>>>
>>> Henry
>>>
>>>>
>>>>       cheers,
>>>>          harry
>>>>
>>>>>
>>>>> On 18 Oct 2011, at 19:53, Harry Halpin wrote:
>>>>>
>>>>>> Everyone,
>>>>>>
>>>>>> While it's still not fully baked, we'd like to open the discussion on
>>>>>> the list over this draft charter for a "Web Identity" Working Group:
>>>>>>
>>>>>> http://www.w3.org/2011/08/webidentity-charter.html
>>>>>>
>>>>>> Everything is fair game - I'm not quite comfortable even with the
>>>>>> Working Group name. Also, there are issues of how we should scope this,
>>>>>> whether or not we should split the work into two WGs (one for a Crypto
>>>>>> API and another for a higher-level identity API and hooks for
>>>>>> device/browser-aware authentication) or stick it in one WG - and of
>>>>>> course relations to other standards bodies.
>>>>>>
>>>>>> Also, if any of you are near Silicon Valley we can discuss this in
>>>>>> person at the W3C Technical Plenary on Nov 1st. I'll send that email out
>>>>>> in one sec..
>>>>>>
>>>>>> And if anyone is at Internet Identity Workshop I'm here to discuss the
>>>>>> charter.
>>>>>>
>>>>>> cheers,
>>>>>>      harry
>>>>>>
>>>>>>
>>>>>
>>>>> Social Web Architect
>>>>> http://bblfish.net/
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> Social Web Architect
>>> http://bblfish.net/
>>>
>>>
>>
>
> Social Web Architect
> http://bblfish.net/
>
>
>
Received on Tuesday, 18 October 2011 21:50:35 GMT
