W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

Re: [saag] Liking Linkability

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 22 Oct 2012 12:33:06 +0200
Cc: public-identity@w3.org, "public-privacy@w3.org list" <public-privacy@w3.org>, public-webid@w3.org, saag@ietf.org
Message-Id: <7F0FE9D3-995B-4B32-97CB-3B82F590FE92@bblfish.net>
To: Ben Laurie <benl@google.com>
[cutting down on the mailing lists]

On 22 Oct 2012, at 11:54, Ben Laurie <benl@google.com> wrote:

> Where we came in was me pointing out that if you disconnect your
> identities by using multiple WebIDs, then you have a UI problem, and
> since then the aim seems to have been to persuade us that multiple
> WebIDs are not needed.

There is a happy medium on UI experience. For the UI experience
there are two seperate issues, one of which I proposed a fix for
and the other of which is a browser UI issue.

A. Number of WebIDs
-------------------

1. WebID per web site:

You don't want to have one WebID per site you go to, since the point 
of WebID is to allow you to authenticate across sites using the same 
ID ( in the case of TLS, a URL embedded in an X509 Certificate's SAN 
field ).

2. One and only one WebID for the whole internet per person

 WebID does not force any such restrictions (neither would OpenId
or BrowserId for that matter ). 

3. As many WebID's for the whole web as the user feels worth investing in

The first sentence of the spec says so ( http://webid.info/spec/ )

 [[
The WebID protocol enables secure, efficient and maximally user friendly authentication on the Web. It enables people to authenticate onto any site by simply clicking on one of the certificates proposed to them by their browser. These certificates can be created by any Web Site for their users in one click. The identifier, known as the WebID, is a URI whose sense can be found in the associated Profile Page, a type of web page that any Social Network user is familiar with.
 ]] 

( so we are looking for help improving the wording)

Finally, (3) above does not mean that the user can only use WebID. He can still use
all the existing technologies for authenticating to web sites where he 
wishes to have non cross-site linkable identities - e.g. cookies, with username
password for example if needed, ...

UI Experience
-------------

There are two elements to the UI experience

1. Certificate selection

  If the server requesting the certificate from the user makes a CertificateRequest
by leaving the certificate_authorities field blank ( or null, not sure what the
correct wording is ) as explained by the spec currently
 http://www.w3.org/2005/Incubator/webid/spec/#requesting-the-client-certificate

then users with multiple certificates - some of which may not be WebID enabled -
then those users will be presented with a selection box containing certificates
that are not in fact ones the server will accept - leading to confusion and a 
bad UI. I just proposed on the WebID mailing list that WebID certificate chains
be signed (at some point) by CN=WebID,O=∅ to solve this issue.
  http://lists.w3.org/Archives/Public/public-webid/2012Oct/0188.html

2. Transparency of Identity

 It is not clear currently when you go to a web site if you are authenticated or not,
or with what identities you are. Even Google Chromes' Profile feature does not do so.
This is something I really hope they will fix by inspiring themselves from Aza Raskin's
work 
  http://www.azarask.in/blog/post/identity-in-the-browser-firefox/


I hope this helps,

	Henry

Social Web Architect
http://bblfish.net/



Received on Monday, 22 October 2012 10:33:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 22 October 2012 10:33:47 GMT