
Re: [WebCrypto.Next] Linking web identities with real-world identities

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 14 Feb 2015 13:43:21 +0100
Message-ID: <54DF42E9.7010608@gmail.com>
To: Dave Raggett <dsr@w3.org>
CC: public-web-security@w3.org

On 2015-02-14 11:31, Dave Raggett wrote:
>
>> On 13 Feb 2015, at 21:22, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>> I agree that an identity verification protocol based on explicit consent should be a standard component of the web platform, but I think it should be designed so there would be no need for a fixed “real-world” identity.
>>
>> The third-party entities could validate an arbitrary set of attributes, some of which may identify a legal person i.e. passport or birth certificate, but others could be anonymous attributes such as membership of a club, a child’s age, an anonymous audience category, or any attribute that the parties need and agree to without the necessity to inform any of the parties, including the validating parties, of other identifying attributes.
>
> These refer to additional use cases, e.g. to prove that I am a child for access to a safe site for children.  I would encourage you to describe the use cases, since this is important for justifying work on a standard. There are no major technical barriers to pseudo-anonymous identity verification, so this is mostly about consensus building.
>
> I built a demo for this kind of approach some years back around a use case where you need to prove you are a current student at a given university to gain access to a site run by students for students. The demo uses a Firefox extension for idemix. More details are given at:
>
> http://people.w3.org/~dsr/blog/?p=95
>

This is an interesting example because it uses a browser-specific extension which I believe also has ceased to work (Java), which again points to the need for a real (W3C) standard for extending browsers through calls to native applications. Building on such a standard makes it much more realistic to create new standards of the kind you are interested in.


> It might be easier, however, to start with work on a standard for simple comparisons against attributes, where the website/app already knows your name and address etc., and wants to verify that the web identity you are logged in with corresponds to that real-world identity. This doesn’t involve a loss of privacy since the website and the identity agent being asked to perform the verification already know your real-world identity.
>
> —
>    Dave Raggett <dsr@w3.org>
>
>
>
Received on Saturday, 14 February 2015 12:44:11 UTC
