W3C home > Mailing lists > Public > public-rww@w3.org > November 2012

Re: AccessControl : update + inference

From: Jan Wrobel <wrr@mixedbit.org>
Date: Wed, 14 Nov 2012 22:47:08 +0100
Message-ID: <CACm05o856MGV26ZwP9Bh6hLPPKTT+ENwc6g9T=csWCcwEjXggg@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Michiel de Jong <michiel@unhosted.org>, public-rww@w3.org
On Tue, Nov 13, 2012 at 11:50 AM, Melvin Carvalho
<melvincarvalho@gmail.com> wrote:
>
>
> On 13 November 2012 02:18, Michiel de Jong <michiel@unhosted.org> wrote:
>>
>> i feel the LDP page misses the point. it describes ways in which you
>> can use, say, an Oracle database, to describe if certain credentials
>> which the client sent are sufficient for a certain action or not. What
>> they don't describe is how the client can actually send these
>> credentials, and how the server can check their validity.
>>
>> Let's look at the basic use case first: Alice has a website, and Bob
>> is allowed to edit it.
>>
>> No irrelevant things about 'Bob is within a 500m radius of a certain
>> geo location' or 'Alice uses an Oracle database to run her website'.
>> Imho that misses the point. There is a small note at the bottom of the
>> LDP page saying "identity: WebID". That is what we should be looking
>> at, i think:
>>
>> 1) how does Bob send his credentials
>> 2) how does Alice's web server check them
>>
>> For this, i'm aware of the following options:
>>
>> - username/password (doesn't scale of course if Bob has many friends)
>
>
> Username / pw is really what got the web going, but the issue is security
> and password fatigue.
>
>>
>> - WebID (favourite of this CG!)
>
>
> I would hope we try to be neutral to an extent, and not pick favourites, but
> WebID does have a lot of appealing properties, for those that are linked
> data oriented.
>
>>
>> - OpenID (sadly probably deprecated)
>
>
> I followed OpenID from almost the start, am a huge fan, in that they changed
> the conversation from being about walled gardens and passport, to about
> trying to be open.  I had been looking forward to the user centric elements
> of openid, but there is little business case to interest the foundation
> there, which I can accept.
>
>>
>> - Persona (promising imho)
>
>
> Indeed very promising.  Great UI and lots of buzz.  A couple of things I'd
> love to see in persona, is that it becomes an identity system that can
> easily interoperate with other identity ecosystems, tho that's not currently
> on the roadmap.  Similarly they take a reasonable stance of saying 'your
> email provider can read your mail already, so they can already access your
> external data'.  This seems an acceptable compromise for the majority, but
> some security conscious folks may prefer not to use it for sensitive data
> such as financial transactions.
>
>>
>> - Dialback (same)
>
>
> Some buzz around this one, dependent on webfinger, which seems to change
> from month to month.
>
>>
>> - Salmon (specific for blogpost-comments, and probably deprecated by
>> dialback?)
>
>
> A nice system, but it seems everyone implements it a different way.
>
> Also dont forget
> - Cookies

I'm not sure if cookies belong to the same category. Aside from WebID
and HTTP basic and digest auth many mentioned mechanism depend on
cookies. OpenID or Persona (I don't know about Dialback and Salmon)
are used to authenticate the first request and then cookies are used
to associate following requests with the authenticated user. So
cookies are rather used to persist authentication info not to
authenticate.

Cheers,
Jan
Received on Wednesday, 14 November 2012 21:47:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 14 November 2012 21:47:37 GMT