Re: The Payment Identity Problem from Manu Sporny on 2014-07-17 (public-webpayments@w3.org from July 2014)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 16 Jul 2014 23:48:08 -0400
To: public-webpayments@w3.org
Message-ID: <53C74778.2020309@digitalbazaar.com>
On 06/26/2014 11:55 PM, Melvin Carvalho wrote:
> Regarding Identity (as opposed to authentication, and user 
> experience)
> 
> Could you sum up your objections to the WebID spec (and I dont mean 
> WebID+TLS)
> 
> As far as I can see there are 2 sticking points:

My responses here are with my chair hat off. They're general
observations over the past 7 years of Linked Data use and adoption failures.

> 1. You object to the use of the Term Agent, which is the parent class
> of Person

The terminology, while important, is of little concern to me. I'm sure
we can come up with the right terminology once we scope the problem
correctly.

> 2. You object to mandatory serialization of turtle

Yes, I'd rather mandate a single serialization that has strong adoption
and that supports graph names. JSON-LD is the only one that fits the
bill, imho. Alternative serializations like NQuads, TURTLE, etc. are
just fine. To be clear, my objection to TURTLE has to do with technical
issues as well as adoption issues. It's not that I don't like TURTLE,
it's that it isn't technically capable of doing certain things that
we'll need to do (namely, cleanly signing provenance information).

> Fragmentation will be an influence on whether both efforts succeed or
> fail.

I have the same concerns.

> Is there anything else that you view as a show stopper.  Is there
> any room for compromise?

There is certainly always room for compromise. Here's a quick review of
the spec and my concerns:

http://www.w3.org/2005/Incubator/webid/spec/identity/

* The WebID group's leadership and lack of progress over 7+ years. I
  personally feel that the groups leadership is out of touch with
  business requirements for this technology and is not capable of
  bringing big players to the table. To provide a counter example,
  we've only been at the Identity Credentials stuff for a little under
  a year and we already have strong interest and deep contacts in the
  US Federal Reserve, World Bank, large education companies, the
  United Nations' Internet Governance area, and a number of other
  large players in the identity and education ecosystem.

* Dependence on TURTLE and RDFa. I suggest removal of both as
  requirements, allowing developers to optionally encode information
  using those technologies. The only MUST should be JSON-LD.

* Reliance on FOAF. Let it die, use schema.org.

* Dependence on hash URIs and 303 redirects. Most developers won't care
  to understand why 303s exist. Hash URIs, while useful, shouldn't be
  used in the spec because you have to then get into why you "should"
  use them in the first place. Applications can reason on whether
  something is a document or a referral to a concept via other means.
  Stay away from the HTTP Range stuff, it complicates the solution.

* TimBL fandom. Please take all references to Tim Berners-Lee out of
  the specification, they're distracting. Use a generic example.

* There is no mechanism described that provides a way to express
  information that has been digitally signed by 3rd parties. This is
  vital to the Web Payments and High-stakes Credentials use cases.
  I'm fine if a spec, like Identity Credentials, is layered on top
  to provide the functionality.

* re: Privacy. The only privacy that the mechanism provides via
  WebACL is protection from who can read/write the information. There is
  no pervasive monitoring protection against identity providers.
  Identity providers can track your every move. To provide real
  privacy and tracking protection, you need more than just WebACL.

If you strip/change much of the stuff above, you're left with a 1-2 page
document that doesn't do much other than set the groundwork for the
really important stuff (setting and getting high-stakes credentials in a
privacy-protecting / anti-tracking manner). Personally, I'd rather fold
those 1-2 pages into a more comprehensive specification than require the
reader to bounce between a 1-2 page document and the spec (Identity
Credentials) that actually does something useful.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Thursday, 17 July 2014 03:48:38 UTC