Re: Fyi

On 23 Apr 2014, at 6:24 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-04-22 19:18, Timothy Holborn wrote:
>> http://www.smh.com.au/it-pro/security-it/microsoft-patent-victor-ric-richardson-working-on-nopassword-security-breakthrough-20140422-zqvwk.html
> 
> I get a certain feeling of snake-oil when I read about such breakthroughs…
> 

I think it’s a good example of why these types of scientific methods need to have a standards-based approach.  Hopefully, we’re beyond the need of publishing a book on the subject to manage philosophical / sovereign issues on such subjects.  we’re all entitled to act lawfully, on different business cases - seeking to participate in society, and all such things of modern life; but nonetheless, the headline certainly got my attention…

if a company exclusively owns the system that provides you identity; i’m not sure how identity actually could work securely.  perhaps that’s a philosophical view.

> From a WebID perspective I believe the craze created by the FIDO alliance
> is more important.  Maybe the best alternative for the client-side would
> be to base WebID on the FIDO platform?
> 

not sure.  i see WebID as an important part of an identity lifecycle (from a practice point of view).  I need to do more investigation into http://fidoalliance.org/   

never liked biometrics.  people find it difficult enough getting their heads around the issues with other tech. that’s not so personalised? can’t think of a better term…  if there are flaws in simple systems, giving those simple systems more complexity doesn’t necessarily help solve the problem that existed in the first place.  might help mask it, but doesn’t actually (necessarily) solve the problem / root-cause issue.

personally, http://dig.csail.mit.edu/2010/Papers/IAB-privacy/httpa.pdf provides a good description of something that may be facilitated with a block-chain, or similar mechanism.  worth exploring in my view, however it is not simply a technical solution - the management of that solution is also quite important, which i’ve highlighted in a web-payments post earlier. (IMHO, of course, as always ;) …) 

the old skool method of a key / lock - padlock, chest with padlocks, etc. worked rather well.  never 100% secure, but manageable risk by the majority of the population.  Still the digital alternatives to a key-ring (or bunch of different key-rings, key cutters, lock-smiths, etc.) seem to elude the many. the biggest aspect to me, seems to revolve around the concept of making the concept of identity highly accessible.  incorporated entities often have sufficiently sophisticated means to manage identity; but natural legal entities most often do not, and that’s not even getting into the complexity from a use-case situation of ensuring such accessibility methods extend to the reach of those with disabilities, seniors.

TV has a program called dtv4all.  we need similar considerations made for identity / upgrades to the 'good ol’ door key / bank-card / passport (obviously, for different purpose / utility).  

also needs to be transportable.  WebID has made rather significant strides in that direction. 


perhaps it’s about segmentation.  If there is an institutional ‘knowledge provider’ then perhaps they’ve got crypto, that is offered specifically by their organisations; whilst still maintaining a level of crypto for accounts / users, in a manner that means the data is still transportable between institutional providers.

the relationship between an ‘own cloud’ (or RWW platform provider) and an application (cimba / or Facebook with RDF / integrated RWW access methods, from personal storage accounts) is likely different to that of a natural / incorporated legal entity and their cloud-storage provider.

understanding in some use-cases, people will want to host those systems themselves, either on the cloud or on devices that have a www presence.

in terms of WebID, the biggest benefit to me is that it seems to provide a ‘gate’ that authorises a specific CPU (workstation / device), and makes it more difficult to fake it.  whether those ‘keys’ are issued on a device, to several people, or whether the device owner can authorise several identities to that Device ID seems - cloudy atm.  the main thing is that i know it’s another type of ‘checkpoint’ that’s useful for cloud-services, to differentiate a device that is familiar to a user-account, and those that are not.

Cheaper than sending a txt to a mobile, one might consider… 

will research fido. 

timh.


> https://fidoalliance.org/news/item/fido-alliance-welcomes-arm-to-the-board-of-directors
> https://fidoalliance.org/news/item/the-fido-alliance-appoints-samsung-electronics-to-the-board-of-directors
> 
> Anders

Received on Wednesday, 23 April 2014 09:16:07 UTC