Re: Fwd: wwwhisper project announcement (#ACL & https://login.persona.org)

Hi,

I'm Jan from the wwwhisper project. Let me comment on some issues
raised in this thread (sorry I'm not citing original emails but I was
not subscribed to the list).

At the moment wwwhisper supports only email identities verified with
Persona. From the technical perspective, once nginx is able to pass a
TLS certificate to a backend, extending wwwhisper to support WebID should
be pretty straightforward. The notion of a user id needs to be
generalized to accept URLs, and the code that verifies Persona
assertions needs to be generalized to verify the validity of the TLS
certificates (this is Python code, so doing such stuff is much easier
than in low-level HTTP server code). wwwhisper uses the Persona
assertion only for the initial authentication; once the assertion is
verified, a session cookie is set to identify the user. With WebID, a
better solution would probably be to always rely on the certificate
and not set the cookie at all.

From a non-technical perspective, I think that using WebID for Web ACLs
would be of very limited use today. The single most important
feature of a Web ACL system is the size of the audience (i.e. how many
people can you share with?). Persona solves the critical mass problem
by piggybacking on email ids. Because of this, I can share with
everyone who has an email. Emails are also well understood. It will be a
long time until the question 'what is your WebID?' is as clear to an
average Internet user as 'what is your email?'. Sure, having an email is
not enough to be able to authenticate to a wwwhisper-protected
service; a user needs to use Persona to prove ownership of the email.
But the act of sharing does not require any action from the person
that I share with, which is critical from the usability perspective.
With WebID, I first need to ask the user to create a WebID (not a very
easy process) and only then can I share with this user.

I don't understand why you call Persona 'a silo'. Unlike for example
Facebook ids, Persona is a distributed system. Every email provider
can run its own verifier. If you have your own domain and a mail
server you can also run a verification server and be in total control
of your identity.

Thanks,
Jan

Received on Sunday, 12 August 2012 16:26:04 UTC
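The generalization Jan describes above (one canonical user id that can be either a Persona-verified email or a WebID URL, one ACL table keyed by it, and a session cookie issued only on the assertion path while the certificate path is checked on every request) as an added example; this is not wwwhisper's own code, and the `mailto:` prefix, the https-only rule for WebIDs and the cookie layout are assumptions.

```python
import hmac, hashlib, time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"  # assumption: a per-deployment random secret

def normalize_identity(raw):
    """Map a Persona-verified email or a WebID URL to one canonical id string."""
    raw = raw.strip()
    if "@" in raw and "://" not in raw:
        local, _, domain = raw.rpartition("@")
        if local and domain:
            return "mailto:" + local + "@" + domain.lower()  # domain is case-insensitive
    parts = urlsplit(raw)
    if parts.scheme == "https" and parts.netloc:  # assumption: WebIDs must be https URLs
        return raw
    raise ValueError("unsupported identity: " + raw)

class Acl:
    """Per-location grants keyed by canonical identity, so both kinds share one table."""
    def __init__(self):
        self.grants = {}
    def share(self, location, identity):
        self.grants.setdefault(location, set()).add(normalize_identity(identity))
    def allows(self, location, identity):
        try:
            return normalize_identity(identity) in self.grants.get(location, set())
        except ValueError:  # malformed ids (e.g. from a bad certificate) never match
            return False

def issue_session(identity, now=None, ttl=3600):
    """Set only after an assertion was verified; layout 'id|expiry|hmac' (assumed)."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = "%s|%d" % (identity, expiry)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag

def read_session(cookie, now=None):
    """Return the identity from a valid, unexpired cookie, else None."""
    try:
        identity, expiry, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None
    payload = identity + "|" + expiry
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time check of the MAC
        return None
    current = now if now is not None else time.time()
    return identity if int(expiry) > current else None
```

A WebID login would call `acl.allows(location, webid_from_certificate)` on each request and never touch `issue_session`, which is the "rely on the certificate, no cookie" option from the message.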