
Re: Position Paper for W3C Workshop on Identity

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Sat, 23 Apr 2011 12:14:19 -0400
Message-ID: <4DB2FADB.6000409@openlinksw.com>
To: public-xg-webid@w3.org
On 4/23/11 11:05 AM, peter williams wrote:
> Webid doesn’t solve the trust problem. It just binds a key to a
> name/identifier, and specifies a validation procedure (for SSL).
>
> Nicely, the same validation procedure works for other secure channel
> protocols (e.g. websso). If the browser posting an openid assertion to the
> consumer also releases the SSL client cert to the relying party site, the
> site can augment its relying party control set with the webid validation
> procedure, for example. This resulting foaf card might "qualify" the openid
> OP, leading to the super-position of a foaf (not webid) trust model on
> openid.
>
> We have to decide:
>
> Is the term webid the URI in cert idea?
Yes, that's the Personal URI in the Cert.
> Is it the use of a client cert (with...) in SSL (only)?

That's the WebID Protocol aspect that covers validation.

> Is it the validation procedure, working with http/s URIs (only)?

Yes, but not "only". WebID is an acronym that covers: Personal 
Identifier and a validation/verification protocol.

> Is it the validation procedure, with any scheme of URI?

Yes.

> Is it the tie in to federation social networks, which impose webbiness on
> each and every step (users may NOT generate certs on their PC, they MUST use
> a web provider)?

Webbiness != WWW. To me Linked Data graphs are data object oriented 
networks/webs.

> Is webid the use of particular foaf or other ontologies relationship specs,
> when computing trust chains?

There is a trust logic in play, but it isn't confined to any syntax. It's 
a conceptual thing that has first-order logic as the definition and 
constrains mechanism re. content of resources that bear the profile graph.

> For me, webid is the first 4 (above). It stops as federated social networks.
> For all i care, one can use webid in nntps, creating groupware concept based
> on threaded conversations.

Yep! And that's exactly how we've implemented it, and we do in fact use 
it with nntp based threaded discussions (which isn't always obvious to 
users).

It is scheme agnostic.

> This can use PKI trust or social feedback in an
> nntps context, that never ever uses a foaf-card borne relationship
> statement.

There has to be a discernible pathway that binds a WebID to one or more 
public keys in a data oriented address space hosting a graph structure.

> If one seeks mass adoption in a crypto-political sphere full of well-manned
> roadblocks, one has to decouple the security protocol from the (motivating)
> application. That is: you have to let HTTP be used for the evil SOAP, if you
> are to get buyin to HTTP for the web architecture you really believe in. You
> have to give, to get. If you get 30% of what you set out for at the outset
> of a social plan in crypto-politics, you are usually doing pretty well! What
> I want is massive number of foaf cards as homepages, with SOME set of
> triples being consumed thereby, to create the beachhead from which one
> expands further.

Try to think less about FOAF and more about a network addressable data 
structure that represents a structured profile. FOAF is just an example :-)

Kingsley
>
> -----Original Message-----
> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
> On Behalf Of Stéphane Corlosquet
> Sent: Saturday, April 23, 2011 6:52 AM
> To: Henry Story
> Cc: WebID XG
> Subject: Re: Position Paper for W3C Workshop on Identity
>
> [[[
> The user can create and control his own, self sign his certificates, and if
> needed use short lived, throwaway ones.
> ]]]
> control his own what? "The user can create and control his own, self signed
> certificates" maybe?
>
> [[[
> The selected X509 certificate is sent back ]]] be more precise than "sent
> back": i.e. the browser sends the selected certificate to the server. The
> following shows an excerpt of the certificate:...
>
> The indentation of the last 2 lines looks odd, they should be indented
> further right than the line above them:
> X509v3 extensions:
>   X509v3 Subject Alternative Name:
>               URI:https://bob.net/id/bob
>
> Do you mean to have a yellow background? a box around it would probably look
> better.
>
> Make sure you're using the same WebID for Bob, the certificate specifies
> https://bob.net/id/bob and further in 6. you use https://bob.net/id/bob#me
>
> The point 7. is beyond the WebID authentication realm but that's good to
> give an idea of the type of things you can do once you have a WebID. I
> wonder if this could be made optional though, as otherwise it might make the
> reader think that WebID requires to have a whole FOAF network - quite the
> opposite, you can start using WebID with just one WebID URI and a public key
> in your profile document (as simple as that).
>
> [[[
> Passwords are difficult to remember or they are bad ]]] what do you mean by
> passwords being bad? because they are made too weak to be easier to
> remember? or are you criticizing the whole concept of using passwords?
>
> [[[
> as shipped in current browser
> ]]]
> s/browser/browsers
>
> [[[
> solving the trust problem - the biggest issue of WebID ]]] The biggest issue
> of WebID is the trust problem? you probably mean that the biggest issue
> WebID solves is the trust problem?
>
> Make sure to spell OpenID with uppercase ID: s/OpenId/OpenID
>
> [[[
> OpenId is especially important for a number of devices (cell phones
> often) that have not implemented client side certificates properly.
> ]]]
> I would add 'yet' so it reads "that have not yet implemented client side
> certificates properly", giving hope that they will in the future, and
> emphasizing that it is something that can be fixed by the browser vendors.
>
> [[[
> The browser could then make use of the information found in the WebID
> profile ....
> This WebID anchor can then be used by browsers ]]] Firefox Weave does not
> use WebID yet, right? so be consistent with could/can, I believe you want to
> use could here, otherwise 'can'
> implies it is already available...
>
> [[[
> With the rollout of critical infrastructure element such as DNSsec and
> IPV6 WebID should rise
> ]]]
> add comma after IPV6
> s/IPV6/IPv6
> s/DNSsec/DNSSEC
>
> [[[
>   that encompass everything from to personally controlled identities ]]]
> s/from to/from
>
> [[[
> role playing and employee identities
> ]]]
> what's a role playing identity???
>
> The HTML is not very clean and several spaces break the read flow at
> times....
>
> Steph.
>
> On Fri, Apr 22, 2011 at 6:42 AM, Henry Story<henry.story@bblfish.net>
> wrote:
>> From yesterday's comments I have now tweaked the paper to the following
>>
>>   http://bblfish.net/tmp/2011/04/22/
>>
>> I think we really are there, it reads very well now, is clear, open to
>> new protocols (ldap included), makes friends in the TLS, dane, openid
>> and freedom box community, whilst also showing the government how they
>> can get some of what they want for little cost (important in the
>> government cut back season, when Democratic presidents have to work with
>> Republicans).
>> I'll start passing this to members of this group who are not
>> participating here so actively, probably due to combined reason of
>> volume of mail and holiday season, to see if we can get some other
>> feedback, some other points of views.
>>
>> We can review some of this on Monday.
>>
>> Henry


-- 

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
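The binding Peter describes (a key bound to a URI, checked by a validation procedure) and Stéphane's point that the SAN URI must match the WebID named in the profile, as an added example that is not part of this thread: a stripped-down WebID check in Python. The N-Triples profile, the DOCUMENTS fetch stand-in and the key values are constructed; a real verifier fetches the profile document over HTTP and takes the modulus and exponent from the presented X.509 certificate.

```python
"""Minimal WebID Protocol check: does the profile document behind the
certificate's SAN URI publish the public key the certificate carries?"""
import re
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"

# Constructed N-Triples profile standing in for what https://bob.net/id/bob
# serves. The key-bearing subject is the fragment URI ...#me, not the document.
PROFILE = """\
<https://bob.net/id/bob#me> <http://xmlns.com/foaf/0.1/name> "Bob" .
<https://bob.net/id/bob#me> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "00c0ffee"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""
# Hypothetical offline stand-in for an HTTP GET of the profile document.
DOCUMENTS = {"https://bob.net/id/bob": PROFILE}

TERM = re.compile(r'<([^>]*)>|(_:\w+)|"([^"]*)"(?:\^\^<([^>]*)>)?')

def parse_ntriples(text):
    """Return (subject, predicate, object) tuples; literals become (value, datatype)."""
    triples = []
    for line in text.splitlines():
        terms = []
        for m in TERM.finditer(line.strip()):
            if m.group(3) is not None:          # quoted literal, optional datatype
                terms.append((m.group(3), m.group(4)))
            else:                               # URI or blank node
                terms.append(m.group(1) or m.group(2))
        if len(terms) == 3:
            triples.append(tuple(terms))
    return triples

def published_keys(webid, triples):
    """Yield (modulus, exponent) ints for each cert:key the profile asserts for webid."""
    for s, p, key in triples:
        if s == webid and p == CERT + "key":
            props = {q: o for t, q, o in triples if t == key}
            mod, exp = props.get(CERT + "modulus"), props.get(CERT + "exponent")
            if mod and exp:
                yield int(mod[0], 16), int(exp[0])

def verify_webid(san_uris, cert_modulus, cert_exponent):
    """Return the first SAN URI whose profile publishes exactly the presented
    RSA key, else None. The document is fetched without the fragment, but the
    key must hang off the full WebID URI (so #me and no-#me are different ids)."""
    for webid in san_uris:
        doc_url, _ = urldefrag(webid)
        doc = DOCUMENTS.get(doc_url)
        if doc is None:
            continue
        for mod, exp in published_keys(webid, parse_ntriples(doc)):
            if (mod, exp) == (cert_modulus, cert_exponent):
                return webid
    return None
```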
Received on Saturday, 23 April 2011 16:14:42 UTC
