Re: [WebCrypto.Next] Linking web identities with real-world identities

From: Colin Gallagher <colingallagher.rpcv@gmail.com>
Date: Sat, 14 Feb 2015 06:43:37 -0800
Message-ID: <CABghAMhr0rYsqrYvzas28iaBDVRHuAeBZxr=XHRWexkCzJ0cxw@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: public-web-security@w3.org, "dsr@w3.org Raggett" <dsr@w3.org>
Anders, if what you are talking about is this -
http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html?m=1
maybe, but it would have to work in a way that respects any user's
applications the user has installed including those that have been placed
on banned website lists or restricted or banned app use. In other words, no
discrimination against user choice, and no imposing choices on the users
(no legal demands for eIDs, no Windhover group industry "standards," no
banking "requirements" to keep people out of services, and no imposing
group identity at birth or after).  I still disagree with web standards
here that have to do with user identity because I see that industry led
groups will corrupt them, with the possible exception of groups working
together on privacy issues like Mozilla, Iceweasel, and EFF, who hopefully
will work together on such issues.

As Russia, France, and UK are prominent examples of corporation-states that
have recently blocked websites without a court order, banned encryption or
are in the process of attempting to do so legally, banning anonymity and
pseudonymity, and have enacted their own "bans against bitcoin," and
similar peer to peer applications, we observe the following:

OpenBazaar is a peer to peer, uncensorable decentralized market application
which to the user is displayed, for all intents and purposes, as you would
see it in any web browser. It makes RPC calls to 127.0.0.1 and uses
distributed hash tables. The application relies also upon the strength of
bitcoin and bitmessage, which are incorporated and visible from the primary
app window.

Russia, for example, and possibly France now as well, blocks bitcoin.org
but that does not keep people from running bitcoin itself in their computer
(though they may have to use GnuPG to communicate with others via encrypted
mail to get updates due to the site blockages). OpenBazaar must be run
through ports and some ports are closed in some countries and in others they
are not. Simple Example:
https://github.com/OpenBazaar/OpenBazaar/issues/994#issuecomment-63180173

Ciao
 On Feb 14, 2015 5:49 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
wrote:

> On 2015-02-14 14:23, Colin Gallagher wrote:
>
>>
>> Nobody learns from history. Even the "need" to prove you are a child or
>> an adult means something darker is at work. There is no need for the user
>> to disclose anything to anyone across the web and no need for "idemix"
>> style services that demand you "prove who you are." It is one thing for a
>> user to voluntarily broadcast such information from keys stored locally
>> (keybase model) which can also be integrated with the web. It is another
>> entirely to demand that users be identified through protocols you would
>> develop; this calls to mind the Holocaust, as I have pointed out in the
>> past.
>>
>> The only standard if you were to proceed with one here should be
>> completely zero knowledge based. But based on the discussion I've seen thus
>> far I can't imagine any protocols will evolve that will protect the users
>> since your intent seems to be to identify them, group us, and yes,
>> Holocaust us for corporation-states. Therefore I cannot support these
>> proposals.
>>
>>
> If we stick to technical stuff, would a browser extension scheme of the
> kind I have outlined [1] work for your system as well?
>
> Anders
>
> [1] https://lists.w3.org/Archives/Public/public-web-intents/2015Feb/0000.html
>
>
>> On Feb 14, 2015 4:46 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com> wrote:
>>
>>     On 2015-02-14 11:31, Dave Raggett wrote:
>>
>>>
>>>      On 13 Feb 2015, at 21:22, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>>>
>>>>     I agree that an identity verification protocol based on explicit
>>>> consent should be a standard component of the web platform, but I think it
>>>> should be designed so there would be no need for a fixed “real-world” identity.
>>>>
>>>>     The third-party entities could validate an arbitrary set of
>>>> attributes, some of which may identify a legal person i.e. passport or
>>>> birth certificate, but others could be anonymous attributes such as
>>>> membership of a club, a child’s age, an anonymous audience category, or any
>>>> attribute that the parties need and agree to without the necessity to
>>>> inform any of the parties, including the validating parties, of other
>>>> identifying attributes.
>>>>
>>>
>>>     These refer to additional use cases, e.g. to prove that I am a child
>>> for access to a safe site for children.  I would encourage you to describe
>>> the use cases, since this is important for justifying work on a standard.
>>> There are no major technical barriers to pseudo-anonymous identity
>>> verification, so this is mostly about consensus building.
>>>
>>>     I built a demo for this kind of approach some years back around a
>>> use case where you need to prove you are a current student at a given
>>> university to gain access to a site run by students for students. The demo
>>> uses a Firefox extension for idemix. More details are given at:
>>>
>>>     http://people.w3.org/~dsr/blog/?p=95
>>>
>>>
>>     This is an interesting example because it uses a browser-specific
>> extension which I believe also has ceased to work (java) which again points
>> to the need for a real (W3C) standard for extending browsers through calls
>> to native applications.   Building on such a standard makes it much more
>> realistic to create new standards of the kind you are interested in.
>>
>>
>>      It might be easier, however, to start with work on a standard for
>>> simple comparisons against attributes, where the website/app already knows
>>> your name and address etc., and wants to verify that the web identity you
>>> are logged in with corresponds to that real-world identity. This doesn’t
>>> involve a loss of privacy since the website and the identity agent being
>>> asked to perform the verification already know your real-world identity.
>>>
>>>     —
>>>        Dave Raggett <dsr@w3.org>
>>>
>>>
>>>
>>>
>>
>
Received on Saturday, 14 February 2015 14:45:28 UTC
