
RE: us national id plan - cooping user-centric. impact on webid

From: peter williams <home_pw@msn.com>
Date: Fri, 15 Apr 2011 17:07:21 -0700
Message-ID: <SNT143-ds93E391D6CCF7678A70FCD92AF0@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>, "'WebID XG'" <public-xg-webid@w3.org>
The most immediate viral application of webid is in the websso world (since
it's exploding in adoption, right now).

What I want, but can never get, is some _legitimization_ of a non-https
(i.e. non semwebby (sic), non pure web archy (sic)) use case of webid's
validation methods.

Signed websso delivers signed blobs as client authn - supported by
user-selected certs (chained, or self-signed). These go through a cert
validator at the server endpoint. This validation act can implement exactly
what the validation spec says. It just does it for a signed websso assertion
event, rather than a signed client authn event from TLS. The validation
procedure doesn't care.

Having wrapped up my webid validator as a cert validator class, I already
attach it in the windows world EITHER to a TLS endpoint server side OR to a
websso endpoint, server side. It makes no difference. Both binding elements
in both stacks get configured NOT to do "PKIX chained trust" but offload
to my validating class to validate the cert according to our spec.

This was/is Kingsley's point. If you want mass enrollment and usage today,
it IS possible. One just has to COOPERATE with less than pure web stuff.
Otherwise, we have to wait for the revolution, which tends to get easily
de-railed with a simple cheque, selectively delivered to the right parties
(as happened in the openid movement, as it started to stumble during pure
UCI adoption).

Every time we assert this pragmatic line, we tend to get a lecture on how we
need to stay the course with pure web architecture, and feed the revolution.
It feels a bit like Orwellian Spain, 1935.

Consider carefully. One can **seed** the usage of webid validation methods -
that do semweb - by applying them even to impure uses of the web
architectures. It all helps! And, for probably 90% of the web, this is
probably an easier first intro to applying the semweb, rather than requiring
them to even understand the concept of an ontology-driven webapp.

Hope I'm saying this diplomatically, and purposefully. It's NOT meant to
subvert the wider goal of the semweb movement. It's meant to get it going, by
JUST deploying simple foaf cards and just doing simple sparql queries. With
that done, the resistance to more advanced semweb will be diminished, since
all the usual reasons trotted out against server-side RDF per se will have
been proven wrong. Everyone is doing it already. Happenstance in a websso
protocol run.

From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Friday, April 15, 2011 12:46 PM
To: WebID XG
Cc: Peter Williams
Subject: Re: us national id plan - cooping user-centric. impact on webid

The only way to help WebId grow as far and as fast as possible to the good
user centric identity you like, is to develop really good viral apps where
user centric is the reason of being of those apps, and where every new app
added to the network strengthens it. Think FreedomBox.

As Nietzsche said: Life is will to power and nothing else. I.e.: you don't
get goodness just by wishing nice things to come about. You get it by
building more powerful systems, by working with values that open more
potentials up, that create larger and more powerful spaces of freedom.
Reminder: these values are not things that can be bought or sold.

Henry

On 15 Apr 2011, at 21:25, peter williams wrote:

From
http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

"The realization of this vision is the user-centric "Identity Ecosystem"
described in this Strategy"

If you note, the US commerce secretary only conceives of individuals as
consumers (relating to businesses). He sees little point in calling
individuals "individuals", talking unto other individuals in groupware. As a
"commerce" secretary, this seems not unreasonable. He doesn't focus on that
upon which we focus in webid - anything but commerce. He focuses on the
relations between users as consumers/subscribers/businesses.

Now, a few years ago, our design space was characterized by the moniker
"UCI" - or user-centric identity. What it meant was: self-assertions. And
it was supposed to be protocol independent (being a mode of orchestrated
interactions). You could go to identity commons groups, and folks would
bleat on about its properties with about as much religion as semantic web
folks exhibit. It had its prophets and sponsors, and VC-funded startups. One
had in the openid protocol incarnation, for example, self-assertions from
one's wordpress blog site (actually several million in number), or the
self-assertion of mapped name in the identity delegation of openid that
shielded a relying party site from the "property" of an IDP (such as an
IDP's copyrighted name for its subscriber, to be bound to the local account
name).

If one looks at the "national security" priority expressed (why is a
"national security" priority, meaning military power is now authorized?),
one sees a co-opting of that phrase "user centric". It now doesn't mean any
of the above. It means you choose your vendor (vs a govt. appointed vendor)
- which _sounds_ good, no? That user-selected vendor (and google is the
archetype here) will probably refuse however to process the self-asserted
names and identity mappings, should you do what UCI originally meant.
Similarly, though Microsoft Azure ACS demo will process the openid
assertions from Google (acting as openid OP and conforming to the public
protocol), it will not process my self-asserted wordpress assertions, even
though those sites are conforming OPs. I cannot even configure my ACS tenant
to allow my wordpress OP, in addition to Google OP, even if I WANT to in
JUST my tenant. Self-asserted IDPs using openid are JUST NOT ALLOWED, in the
wonderful world of mainstream infrastructure, replete with "user centric
choices" that are "ahem" somewhat limited: to Google and Yahoo. Of course, I
can configure ACS to accept a self-asserted ws-fedp IDP!

(Anyone want to build a public openid/wordpress -> Ws-fedp bridge, an ACS
for ACS??)

As webid continues, in its self-assertion orientation, it's going to come
under "pressure" to no longer be based on self-assertion principles I bet.
I'll give it 12 months, before folks in formal positions here are doing what
I encountered in openid-land 2 years ago: oh "user centric" now got
re-defined, Peter. We decided to do so, in an, ahem, secret set of meetings
with US govt. Oh you were not invited? Sorry. Woops. We decided
collectively, self-assertion between individuals was not in the "national
interest".

Social Web Architect
http://bblfish.net/

Received on Saturday, 16 April 2011 00:07:56 UTC