RE: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG) from Crispin Cowan on 2015-04-16 (public-webappsec@w3.org from April 2015)

From: Crispin Cowan <crispin@microsoft.com>
Date: Thu, 16 Apr 2015 18:26:48 +0000
To: Jim Manico <jim.manico@owasp.org>
CC: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <BN3PR0301MB1220564199BAC3445B1ADC46BDE40@BN3PR0301MB1220.namprd03.prod.outlook.>

Weak name spaces, like the names parents give babies, allow for collisions, which then require disambiguation. The TSA’s “no fly” list has that problem; if you share a name with a suspected terrorist, you get the same hassles.

Strong name spaces enforce non-collisions. E-mail addresses and Twitter handles enforce uniqueness through one or more authorities issuing the names. GUIDs probabilistically “enforce” uniqueness by randomly choosing 128-bit values ☺

From: Jim Manico [mailto:jim.manico@owasp.org]
Sent: Wednesday, April 15, 2015 8:17 PM
To: Crispin Cowan
Cc: Brad Hill; public-webappsec@w3.org
Subject: Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

In general it's bad to identify someone by their name in a software system; it's more of a label than identifying info for authentication.

What if his name is my name, too?
--
Jim Manico
@Manicode
(808) 652-3805

On Apr 15, 2015, at 7:28 PM, Crispin Cowan <crispin@microsoft.com<mailto:crispin@microsoft.com>> wrote:
Credentials and Identities are never the same thing, and getting them confused leads to incredible pain:

•        Identity: who you are. GUIDs, full names like John Jacob Jingleheimer Schmidt, and phone numbers are identifiers.

•        Credential: a proof that you are who you are. Passwords, private keys, shared symmetric keys, OTPs, and the shape of those metal key things in your pocket are credentials.

•        Tragedy: that much of America treated Social Security Numbers (SSNs) as credentials rather than identifiers. Duh ☹

From: Brad Hill [mailto:hillbrad@gmail.com]
Sent: Wednesday, April 15, 2015 7:01 PM
To: public-webappsec@w3.org<mailto:public-webappsec@w3.org>
Subject: Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

With <hat=individual>, regarding a suggestion I've seen to change what is being stored/managed from "credential" to "identity": -1

If there is a word that is even more overloaded, fraught with complexity, dense with both technical and lay meaning, and with a history of grandiose attempts to boil the ocean, than the word "Credential", that word is "Identity".

Please, let us not use that word.  My bank account is not an identity. My email address is not an identity.  The means by which I authenticate to them are not identities, and their relationship to each other and my actual identity/identities are many-to-many.

If the proposal on the table at rechartering had been for an "identity manager" I would have leapt out of my chair to keep this group out of that particular tar pit.

In a similar vein, I've filed an issue suggesting changing the name of the "avatar" attribute to "icon" to avoid any connotations of identity.

-Brad Hill

Received on Thursday, 16 April 2015 18:27:16 UTC