
Re: future of Identity on the Web

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 25 Oct 2011 20:27:06 +0100 (BST)
Message-ID: <8f630ba5d56845ae1f09a1c0a9f16867.squirrel@webmail-mit.w3.org>
To: "Dan Brickley" <danbri@danbri.org>
Cc: public-identity@w3.org, "Ben Adida" <ben@adida.net>, "Tim Berners-Lee" <timbl@w3.org>
> On 25 October 2011 08:35, Henry Story <henry.story@bblfish.net> wrote:
>> Dear Web Identity Groups,
>> Since both the community forming around the Web Identity javascript
>> cryptography work [1] and the WebID XG are working in the same space, I
>> propose that the two groups work out how these projects can complement
>> each other, so that the W3C can tell a unified identity story. There is
>> a lot in common between them - usage of cryptography in the browser and
>> certificates to prove identity online - and it seems quite clear to me
>> that both the existing WebID solution [2] and the in development version
>> known as BrowserId can complement each other, in fact should as much as
>> possible do so. This could then form the basis for a future WG starting
>> 2012, split hopefully into a number of small independent and closely
>> interrelated parts.
> // Grumble mode on.
> Henry,
> Re "...clear to me that both the existing WebID solution and the in
> development version known as BrowserId", my understanding was that
> WebID is also still "in development" (aka incubation, spec-drafting
> etc.). It may well be older than BrowserID; but then so is OpenID.
> Having taken a long time to not be finished yet or broadly deployed is
> not in-itself a badge of honour! (c.f. FOAF!). This whole field is
> still, after all this time, "in development". I do see a fairly
> detailed *editor's* draft at
> http://www.w3.org/2005/Incubator/webid/spec/ but no link to the
> group's issue tracker (e.g.
> http://www.w3.org/2005/Incubator/webid/track/issues/raised ) nor clear
> indication of any schedule for getting these ideas recorded in a
> stable snapshot on W3C's Technical Reports page. One of the downsides
> of the (otherwise wonderful) trend for W3C to work in public has been
> a drift towards groups using volatile Editor's drafts rather than
> publishing clearly versioned http://www.w3.org/TR/ Working Drafts for
> review by the wider Web community. Until this has happened,
> development as a Web standard can't be said to have been completed. In
> some eyes, it has barely started without a first public Working Draft.
> Harry,
> It seems at some point W3C team's analysis here -- or yours, at least
> -- led to your switching affections from "something like WebID" to
> "something like BrowserId". Despite there having been previous
> detailed team-confidential tech reviews of WebID, and talk of taking
> it WG track, there was no acknowledgement at all of this work in
> http://www.w3.org/2011/08/webidentity-charter.html ... even as
> liaison. Your explanation in
> http://lists.w3.org/Archives/Public/public-identity/2011Oct/0003.html
> "At the workshop, it seemed people wanted to focus on API based work
> first such as the Crypto API, and certificates were discussed but
> thought of as out-of-scope for this future working group" ...is
> phrased in disappointingly passive language for a decision that was,
> ultimately, yours to make (need more active verbs --- *who* thought
> what?). The fact that there was already a WebID incubator does not
> guarantee that community an on-ramp to W3C's standards track; review
> of the incubator's draft spec is a critical step there which we seem
> to be skipping. But it should ensure acknowledgement of those efforts
> while writing related charters. Instead, I read only anecdotal and
> vague reports from 'workshop discussions'.
> In just over a year, we've gone from your actively pursuing the
> FOAF+SSL/WebID group (e.g.
> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-July/002693.html
> ) to pretty much ignoring their existence while drafting charters for
> obviously quite related work. This makes the W3C Team look rather
> fickle, as if picking a winner that can be brought in under W3C's
> brand was the central activity here, rather than a means to an end -
> i.e. improving the Web.  In July last year, you wrote:
>> People should not divide into two camps (or three, or four), but unify
>> over the overriding ethical principle for a distributed private id-aware
>> social web, and then keep that in mind when discussing the architecture.
> I'm sure the draft charter you circulated was put together under great
> time pressure and other constraints, but encourage you to think a little
> more generously about the message it sends to others who have worked
> hard and in good faith over the last few years to improve identity in
> the browser, and who went to the trouble of moving their efforts to
> W3C on your specific urging.
> How did we go from
> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-July/002653.html
>> Then, with the help of a member of the Team like myself, a
>> charter can be drawn up for a proposed Working Group, making sure the
>> OpenID community and W3C Membership is involved. So, let's work together
>> to make this happen!
> ...to your curtly and frostily asking that the WebID group stays in
> its own camp and supply only diff requests on the new group's charter:
> http://lists.w3.org/Archives/Public/public-identity/2011Oct/0006.html
>> We are of course following the WebID's work and look forward to your
>> concrete suggestions that come from any discussion on the WebID list,
>> although I would request that WebID-specific discussions stay on the
>> WebID list and then your group gives the W3C a single list of requested
>> changes to the charter, as discussions on this list should ideally focus
>> on textual changes and scoping to the charter.
> This all paints an unfortunate picture of W3C staff flailing around
> trying to pick a winner and get it W3C-branded ASAP. Would BrowserId
> suffer a similar fate if --for fictional example-- say OpenID Connect
> were offered to W3C for standardization tomorrow? If W3C is to be a
> natural home for several complementary efforts, then their
> interdependencies and relationships are surely deserving of more staff
> time and thought than they appear now (from the outside) to be
> getting. If you don't have the time of day to think such things
> through, please convey to W3M that you need that time. Doubtless there
> has been much internal discussion; last time I saw stats, W3C's
> team-only archives received more team mail than those on the outside.
> But from the outside, this casual brush-off does not make W3C
> incubation and community spec development look an attractive prospect
> for new efforts.


You obviously did not attend the workshop where the decisions that went
into the initial draft charter were made. At the end of the workshop we
did both voting and IETF style humming to determine what was to go into
the initial draft charter. Please see picture at end of report here [1]. I
have been strictly following these results.

Also, your view of the W3C seems contrary to my own. Although things may
be different in the Semantic Web work when you were at W3C, IMHO the job
of the W3C is to produce standards that have consensus by as many members
(including industry) as possible and that clearly increase the value of
the Web for all. The decision of what to standardize is not made by
"personal" decision by myself and I will definitely not push particular
"pet projects". There are academic and open source communities for new
work with limited developer interest and no industry support to mature, as
well as Community Groups at W3C. Efforts like XHTML2 that hope to
standardize without adequate industry backing have in the past clearly led
to failure due to premature optimization. I would prefer to aim for a
minimal and practical charter.

While I of course believe in open standards and privacy, and thus
personally believe there are some good ideas into looking at a
Web-of-trust model as opposed to CAs for certs in WebID (and thus am
serious about a second workshop focussed on certificates), WebID was not
viewed as very convincing by the vast majority of attendees at the
workshop and there were serious security concerns raised by Brad Hill. As
WebID is still emerging work, I suggest strongly that it stay in another
XG, CG, or WG and that we co-ordinate as needed as WebID matures. I do
think that the Javascript APIs that this WG is aiming at could benefit
WebID, as well as many other identity efforts like OpenID Connect and
BrowserID. In fact, the only identity effort that was viewed as a
widescale deployment success by our membership at the workshop was SAML.

I would suggest to stay on-topic and request particular changes to the
charter rather than grumbling, which is of limited value and best done
off-list. I am happy to add an official liaison request to the WebID XG.
That was left off the earlier charter due to uncertainty over where they
would go after their XG charter closes.


[1] http://www.w3.org/2011/identity-ws/report.html

> Henry,
> In http://lists.w3.org/Archives/Public/public-identity/2011Oct/0017.html
> you comment that "WebID which is a working group and even has a spec".
> As I mentioned in IRC, this might be colloquially true, however in W3C
> convention, an Incubator Group (or Community Group, or Interest Group)
> is quite a different creature from a full (let's capitalise it)
> Working Group. A "Working Group" is a sign of wider endorsement of the
> effort within W3C; specifically, that something has been endorsed as a
> useful area to charter work under by the W3C Advisory Committee.
> Further as I mention above, an Editor's Draft is pretty much just a
> random Web page until it goes through the process of being published
> at W3C as a Technical Report under http://www.w3.org/TR/. This magic
> ritual does still have a concrete purpose --- it signifies to a very
> wide public that a piece of work has been polished and progressed to a
> stage at which it deserves review from Web technologists across the
> globe. While WebID has received significant review already, it is
> critically important that you get this Working Draft out there; there
> is a much larger public waiting to read it. Many of those readers
> don't live and breathe this stuff, or read English as their first
> language, but if they see that W3C has gone to the trouble of
> publishing the work in /TR/, they'll go to the trouble of reading it.
> This needs to happen regardless of how any new group is chartered...
> OK, grumbling over. Keep up the good stuff...
> Dan
>>   Henry
>> [1] http://www.w3.org/2011/08/webidentity-charter.html
>> [2] http://webid.info/spec/
>> Social Web Architect
>> http://bblfish.net/
Received on Tuesday, 25 October 2011 19:27:09 UTC
