W3C home > Mailing lists > Public > public-identity@w3.org > October 2011

Re: Charter Text Confusion

From: Harry Halpin <hhalpin@w3.org>
Date: Wed, 26 Oct 2011 22:17:18 +0100 (BST)
Message-ID: <c8da402e97a7367d4fb4424d1579239c.squirrel@webmail-mit.w3.org>
To: "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
Cc: public-identity@w3.org, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
> Hi all,
>
> I again read through the charter text and noticed that only the JavaScript
> CryptoAPI work is roughly understandable for me (since I had been at the
> W3C Identity in the Browser workshop). Even with this item there was some
> amount of discussion at the workshop about would exactly be done as part
> of this activity. While the workshop took place many months ago I have not
> seen the scope clarified anywhere.


Clarifying the scope is part of the chartering process at W3C. We have
until the end of Nov. to work out a draft charter with scope. We will be
following the voting results of the end of the workshop on a broad scale
for scope (i.e. a focus on crypto and JS APIs), but the details are up for
debate.

>
> The only requirements alike writeup I am aware of is
> http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf
>
> Wouldn't it make sense to have at least the scope clarified before going
> into the details of the work as part of the chartering process? For
> example, I would be interested whether the access to key storage and smart
> cards is considered within the scope of the group.


Re keystorage, it's is tricky as keystorage is usually handled by
low-level libraries such as NSS [1]. I do think key storage is within
scope. Ideally, we'd want the API to serve as a generic API across
different platform and browser-specific libraries. I While these libraries
are not part of the browser per se and generally pre-existing, I would say
guidelines and security considerations for the use of these libraries
should be included.

As for smartcards (and other things such as USB media), I'm more
borderline about scope. Anders had some ideas and I'd be happy to hear
from him if he could be constructive rather than complain.  An alternative
approach to DomCrypt would be the proposed (and unimplemented, I believe)
Web Crypto API [2]. It contains draft API calls for loading keys off of
smartcards. I think whether or not that should be included is up for to
debate.

>
> Then, the subsequent items in the charter are in my view badly described.
> Hence, it is not surprising that most of the messages exchanged on this
> list are actually off-topic.

I think we may then need some introductory information. First, we should
probably separate authentication from authorization.  Then, in general
identity can be seen as attaching a session token to an identifier. In
Mozilla's APIs, this is done via attaching a "verified email address" to a
"cookie" which has generally been produced by password-based
authentication. We could imagine attaching stronger kinds authentication
credentials (i.e. public-private key) to different kinds of tokens (even
going from cookies to client certs) and attaching these to other kinds of
identifiers (as done in OpenID Connect).

Session state is then generally if one is "logged-in", "logged-out" of a
session.

Does anyone want to draft this introductory session that defines terms?

Generally it seems Identity API should be discussed before Sync in the
charter, unless there's objections I'll change that.

Let's nail this introductory text down before we change the draft text
around Sync and the Identity API.


>
> Is there a problem description of what Web Identity Sync should do? Is
> Mozilla's implementation sufficient to do standardization work in that
> area? Isn't the purpose of standardization to let various different
> implementations to interwork? Given that the term "identity" is very weak
> defined (in general, not only in the W3C) this item could essentially be
> anything.


On the side, Sync's use-case is that if these credentials are limited to a
single device, that really limits their usage. Ideally, a user wants to
have their identifiers usable across multiple devices, so that when you
create an identity with some stored passwords (or beyond) on one browser
in your smartphone, you can transfer those to a new desktop with a
different browser. Consider it currently cookie transfer between browsers,
although one could imagine different kinds of session tokens and even
credentials being transferred.  Does that use-case make sense?

>
> For the Identity API has anyone bothered to write down a list of
> requirements about what API functionality is generic among different
> identity protocols and should therefore be standardized? Given that
> JavaScript can do almost anything I fear that some folks on this list try
> to standardize their favorite protocol as part of this "API" work.

See above.
>
> Finally, I do not understand why a single charter needs to contain all
> these items? Why isn't it possible to have a more focused charter and get
> some work done in a proper way rather than establishing an open-ended
> group?
>
> Everyone who had even done some work in the identity management area knows
> that the term "identity" has to be avoided at all cost.
>

[1]http://www.mozilla.org/projects/security/pki/nss/
[2]http://html5.creation.net/webcrypto-api/


> Ciao
> Hannes
>
>
>
Received on Wednesday, 26 October 2011 21:17:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 26 October 2011 21:17:25 GMT