W3C home > Mailing lists > Public > public-identity@w3.org > October 2011

Re: WebID. Re: Draft Web Identithy Working Group Charter for Discussion

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 25 Oct 2011 12:17:32 +0100 (BST)
Message-ID: <ad6eae482ba656db7a0dcecf02cfe29e.squirrel@webmail-mit.w3.org>
To: public-identity@w3.org
> On 2011-10-18 21:58, Harry Halpin wrote:
>>> On 18 Oct 2011, at 21:05, Harry Halpin wrote:
>>>>> sounds good, but why no mention of WebID?
>>>>> Henry
>>>> At the workshop, it seemed people wanted to focus on API based work
first
>>>> such as the Crypto API, and certificates were discussed but thought
of
>>>> as
>>>> out-of-scope for this future working group, although the W3C would be
happy to see future work around certificates (everyone agrees current
situation is a mess). The one idea that came up was a possible future
workshop focused more narrowly on certificates.
>
> A problem as I see it is that the people from "The Big Three" at the
workshop do not really represent their employers' ideas of what is
*important*.  Here follows a few recent real-world examples:
>
>
> The neat enrollment scheme in iPhone which Apple didn't even mention
when <keygen> was standardized [*] by the W3C:


Please note that of course employees speak as individuals, but that your
examples rely on the mistaken assumption that <keygen> is a W3C
Recommendation, which it is not. <keygen> for many years (at least over a
decade) was supported only by Netscape and a source of confusion amongst
developers, and thus was avoided on the Web.

HTML5 is still a Working Draft, although HTML5 is special insofar as it
'de-facto' widely implemented, with <keygen> being proposed in 2009 as
part of HTML5. However, <keygen> is still controversial  - see Adrian
Bateman's reasoning over why keygen is not implemented by IE yet and why
they would like it dropped [2]. That also seems to be a pretty good line
of reasoning about why it's not widely used by Web developers.

>
> http://images.apple.com/iphone/business/docs/iPhone_OTA_Enrollment_Configuration.pdf
>
>
> How enrollment works in this Microsoft preview is currently secret
because the TCG considered this out-of-scope although it is a
> prerequisite for the demo:
>
> http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T
>
>
> Almost nothing of this solution is currently publicly documented:
>
> http://mail.google.com/wallet
>
>
> The once very hyped Liberty Alliance Project succeeded fairly
> well except on the client side which again shows that mucking
> around in the client is more than difficult.
>
>
> My conclusion is that the traditional way of establishing standards is
gone.  With the new "Super Providers" Apple and Google, who own
entire
> ecosystems, from the devices to services, the motives for
standardization
> seems pretty marginal.  I have therefore in my private "standardization
efforts" focused on things that Apple and Google do not consider core
business such as upgrading smart cards to work in a web world:
>
> http://webpki.org/papers/keygen2/sks-keygen2-exec-level-presentation.pdf
>

The W3C looking for constructive input, ideally in terms of textual
changes to clarify the scope, and input on how smartcards could work in
the Web via a Crypto API would be of interest.

Also note that Webkit and Mozilla are actually open-source projects too,
so if you can try to contribute via code that's possible. That is usually
the best way to get attention at this stage.

> The primary issue with standardization in the case of universal web
identity
> solutions is that there is no money in it unless your job is "to
standardize".
> Essentially only "The Big Three" really have such resources as well :-(
>
>
> How about WebID?  Well, this is primarily a deployment issue which fate
also is the hands of the "Super Providers".

There were also clear security issues pointed out by Brad Hill with WebID
and this dominated the workshop discussion of it and it is unclear if Brad
or anyone found them addressed [2]. Also note that TLS/cert purchase is
generally not a problem for larger providers, but for smaller operations.
Again, as per the workshop discussions, we're aiming at generic APIs as
per the workshop, not at any identity "solution."

So, I think the most productive thing to do would be to figure out if
there is a reasonable "smartcard" story that would make sense as part of
the chartered work here and that could get widespread support.

[1]http://lists.w3.org/Archives/Public/public-html/2009Sep/0043.html
[2]http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html

>
> Anders
>
> *] A proper market analysis would have revealed that <keygen> de-facto
has less than 5% market-share for on-line enrolled certificates and
therefore never was a candidate for standardization in spite of being
supported by most browser vendors except Microsoft.
>
>
>
>
>
>
>>> The WebID working group is not a working group about certificates. It is
>>> about tying
>>> TLS/SSL to identity to the web using simple web architecture. The most
active list of all
>>> the groups you have created recently is the WebId XG list. Few of us were
>>> present in
>>> California during your discussion. So perhaps you could take that into
account, and allow
>>> us to have a discussion of how webid can tie into these other
>>> protocols.
>>> We did not
>>> look at that in the WebID XG simply in order to make sure we could
deliver
>>> something.
>> Currently the WebID work does depend critically on certificates, which is
>> why I brought that option of another workshop up (as there's no
non-certificate purely API-based option in your draft spec).
>> We are of course following the WebID's work and look forward to your
concrete suggestions that comes from any discussion on the WebID list,
although I would request that WebID-specific discussions stay on the
WebID
>> list and then your group gives the W3C a single list of requested changes
>> to the charter, as discussions on this list should ideally focus on
textual changes and scoping to the charter.
>>> Henry
>>>>        cheers,
>>>>           harry
>>>>> On 18 Oct 2011, at 19:53, Harry Halpin wrote:
>>>>>> Everyone,
>>>>>> While its still not fully baked, we'd like to open the discussion
on
>>>>>> the
>>>>>> list over this draft charter for a "Web Identity" Working Group:
http://www.w3.org/2011/08/webidentity-charter.html
>>>>>> Everything is fair game - I'm not quite comfortable even with the
Working
>>>>>> Group name. Also, there are issues of how we should scope this,
whether
>>>>>> or
>>>>>> not we should split the work into two WGs (one for a Crypto API and
another for a higher-level identity API and hooks for
>>>>>> device/browser-aware
>>>>>> authentication) or stick it in one WG - and of course relations to
other
>>>>>> standards bodies.
>>>>>> Also, if any of you are near Silicon Valley we can discuss this in
person
>>>>>> at the W3C Technical Plenary on Nov 1st. I'll send that email out
in
>>>>>> one
>>>>>> sec..
>>>>>> And if anyone is at Internet Identity Workshop I'm here to discuss the
>>>>>> charter.
>>>>>> cheers,
>>>>>>       harry
>>>>> Social Web Architect
>>>>> http://bblfish.net/
>>> Social Web Architect
>>> http://bblfish.net/
>
>
>
Received on Tuesday, 25 October 2011 11:17:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 25 October 2011 11:17:39 GMT