
Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 26 Sep 2012 11:03:46 +0200
Cc: Kingsley Idehen <kidehen@openlinksw.com>, "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <B371E5F0-EC4B-48AF-A717-F647EC4792A3@bblfish.net>
To: Ben Laurie <benl@google.com>

On 26 Sep 2012, at 10:44, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 23:39, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> On 9/25/12 5:31 PM, Ben Laurie wrote:
>>> On 25 September 2012 20:16, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>>> On 9/25/12 2:44 PM, Henry Story wrote:
>>>>> I am just ccing Andrei, because Ben (http://research.google.com/pubs/author9639.html) has found a bug in https://my-profile.eu/ (see below). My guess is that Ben logged in with a certificate that is not WebID enabled. So that's a good extra test case to add. Of course for people like Ben, the failure of having a Logout button on Chrome is going to add to that inconvenience, because having logged in with a certificate that may not be signed by a CA my-profile.eu knows about, he won't be able to change his certificate later after having made a new one.
>>>> Ben,
>>>> Wondering if you evaluated WebID using any other services or scenarios? Your feedback would be much appreciated.
>>>> Henry: I keep on telling you, one implementation doesn't canonically reflect WebID. As you can imagine, Ben is time challenged; if he plays with a solution that's pitched as canonical, it's natural for him to draw blanket conclusions.
>>>> I continue to encourage you to separate the concept and virtues of WebID from a specific WebID solution that aligns with your personal world view etc.
>>>> In my world view, the simplest demonstration of WebID's value takes the following form:
>>>> 1. A resource is published to the Web
>>>> 2. The resource is ACL protected
>>>> 3. Existence of the resource is published via email, tweet, blog post etc.
>>>> 4. A user tries to access the resource -- they fail or succeed subject to ACL membership
>>>> 5. User requests access to the resource by providing their WebID to the resource owner -- this is also where signed emails are useful, since the WebID can be nipped from the sender's signed email certificate.
>>>> In addition to the above, the resource ACL document can itself have ACLs that enable a variety of users to expand its ACL membership, thereby making an organic social network.
>>> Gah! What does this have to do with WebID? If I substitute "magic pixie dust" for "WebID" in the above, well, I have a fantastic example of how magic pixie dust secures the web. Great. Now what?
>>> OK, I guess there's one nugget in there: apparently magic pixie dust can be nipped from unauthenticated email I sent.
>>> I'm not feeling very enlightened.
>> Ben,
>> I assumed you attempted to explore WebID via my-profile.eu and hit some problems. Hence my comments.
>> If you are interested in taking a quick look at what's possible with WebID and ACLs, I have a simple example on G+. Here are the components in use re. the aforementioned demo:
>> 1. WebID -- verifiable identifier in the form of a personal URI
>> 2. X.509 Certificate -- watermarked with a WebID in its SAN slot
>> 3. Profile Document -- a document with structured content based on the RDF data model
>> 4. Access Control List Ontology -- this describes the authorization modes and how they are scoped to WebIDs.
>> Links:
>> 1. http://bit.ly/O4LNKf -- A simple guide to Web-scale verifiable identity that leverages WebID based ACLs.
> A great example of something I could not possibly ask the average end user to do.

I absolutely agree with you there, and was expecting this reaction :-)

The problem with getting WebID understood is not that there is much that is technically new here. It is that we need to bring people from 3 different fields of knowledge together that rarely work with one another:

 - cryptography
 - HTTP-knowledgeable people
 - (linked) data lovers
 - semantic web people
 - user interface people

So since the beginning we have often had solutions that address one of the problems (linked data and security, but not UI, for example). And UI can easily seem like the least important. And yet it is the most important for getting the message out. Of course if you do crypto + (ok) UI without linked data - the current usage of public keys - then you get a mostly useless result.

> Is anyone planning to address my questions?

Andrei is fixing my-profile. It will be working today for you, he told me. I think Andrei should also add a logout button for people using Mozilla, so you can see why that is important.


Social Web Architect
Received on Wednesday, 26 September 2012 09:04:21 UTC
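The components Kingsley lists in the quoted exchange (a WebID in the certificate's SAN slot, a profile document that lists the key, an ACL scoped to WebIDs) and the failure Henry guesses at (logging in with a certificate that is not WebID enabled) fit in one short program. The following is an added example, not code from this thread, from my-profile.eu or from any WebID project: the profile store is an in-memory map standing in for the HTTP fetch and RDF parsing a real verifier does, the URIs alice.example and data.example and the client names are constructed for the demo, and the ACL is flattened to a map rather than read from the ontology.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ACL maps a resource URI to the WebIDs granted access to it (a flat form of
// the ACL ontology's agent/mode triples, enough for this demo).
type ACL map[string]map[string]bool

var (
	ErrNotWebID = errors.New("certificate carries no SAN URI, so it is not WebID-enabled")
	ErrNoMatch  = errors.New("no SAN URI dereferences to a profile listing this key")
	ErrDenied   = errors.New("WebID verified but not in the resource's ACL")
)

// NewWebIDCert issues a self-signed certificate; a non-nil webid goes in the
// SAN URI slot, nil yields an ordinary certificate with no WebID at all.
func NewWebIDCert(webid *url.URL, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID holder"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if webid != nil {
		tmpl.URIs = []*url.URL{webid}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID is the WebID-TLS check. The issuer is deliberately ignored: the
// cert only claims "I am <SAN URI>", proven by dereferencing that URI and finding
// the cert's key (cert:modulus, cert:exponent) in the profile; profiles is a
// hypothetical in-memory stand-in for that fetch.
func VerifyWebID(cert *x509.Certificate, profiles map[string]*rsa.PublicKey) (string, error) {
	if len(cert.URIs) == 0 {
		return "", ErrNotWebID
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA keys are modelled here")
	}
	for _, u := range cert.URIs {
		webid := u.String()
		if p := profiles[webid]; p != nil && p.N.Cmp(pub.N) == 0 && p.E == pub.E {
			return webid, nil
		}
	}
	return "", ErrNoMatch
}

// RunDemo sends three constructed clients at one ACL-protected resource: alice
// (cert matches her profile), mallory (cert claims alice's WebID but carries
// mallory's key) and plain (no SAN URI). nil in the result means access granted.
func RunDemo() (map[string]error, error) {
	aliceID := &url.URL{Scheme: "https", Host: "alice.example", Path: "/profile", Fragment: "me"}
	const resource = "https://data.example/private/notes"
	aliceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	malloryKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return nil, errors.New("RSA key generation failed")
	}
	profiles := map[string]*rsa.PublicKey{aliceID.String(): &aliceKey.PublicKey}
	acl := ACL{resource: {aliceID.String(): true}}
	clients := map[string]struct {
		webid *url.URL
		key   *rsa.PrivateKey
	}{"alice": {aliceID, aliceKey}, "mallory": {aliceID, malloryKey}, "plain": {nil, malloryKey}}
	out := map[string]error{}
	for name, c := range clients {
		cert, err := NewWebIDCert(c.webid, c.key)
		if err != nil {
			return nil, err
		}
		webid, verr := VerifyWebID(cert, profiles)
		if verr == nil && !acl[resource][webid] {
			verr = ErrDenied
		}
		out[name] = verr
	}
	return out, nil
}

func main() {
	out, err := RunDemo()
	fmt.Println(out, err) // a nil entry means that client was granted access
}
```

The point the "plain" client makes is the one behind the bug report in this thread: TLS client authentication itself accepts any certificate the browser offers, so a server doing WebID has to treat the absence of a SAN URI as a normal, expected outcome and fail cleanly rather than assume every presented certificate carries a WebID. The "mallory" client shows why the issuer does not matter: anyone can mint a certificate naming Alice's URI, and only the key comparison against the dereferenced profile turns the claim into an authenticated identity.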
