RE: Position Paper for W3C Workshop on Identity

Good (ignoring the quips). Even worked Quadaffi in (but no Assad!?)

If one wants to reach out to the traditionalists (still tied to certs), one
takes a foaf card and one relates the id to a URI pointing at a .crt file of
a CA (just like the wot vocab points to a .sig file, minted using the PGP
tool). Then, like wot, one uses a trust metric (PGP in wot's case) to
compute a confidence value on a chain of relations (relating webids to .crt
URIs). If this all falls within bounds, designed probably using formal risk
analysis, one deems the authentication valid. This model scales, and is
solid (being used for years).

The point is ... the above metric and system is neither better nor worse
than any other. We are agnostic. What matters is that a common logic
framework is doing the relating, and a thousand trust models exist (like
thousands of ISPs existed for a few years, in 1995 era). Over time, this
will reduce to 10 and lots of resellers (changing the font, and adding an
insurance policy and some nominal governance regime), as usual. In reality,
there is large fanout of the governance space (down to each city, and often
areas within cities if they have different population migration
characteristics). In the world of the commodity social web, of course, it's
small fanout - live/hotmail, google, yahoo (and their many resellers) and
then paypal - though paypal seems to be losing its nerve after the wikileaks
exposure (from what a little birdy tells me).

A good model for us is VISA and PCI, where a thousand+ resellers of 10 main
banks now divvy up the trust space, forcing different security criteria on
the merchants under their governance control. In reality, it's little more
than a market for selling insurance (as satisfying the technical criteria
under audit costs way more than the insurance premium). But, this is all
part of the game; which verges on social extortion. Webid will eventually
become an insurance selling space, just like [server] certs sell warranties
tied back to Lloyds. Formally, this is the commodity trust basis known as
"compensating controls". To you and me, in the bar, it's flogging insurance,
so the risk is spread across the public, acting as a large population able
to collectively sustain local damages.

I don't think we want to say this to the browser guys, who are all engineers
and product managers probably, though. But if one does, it's part of the
information assurance topic. Demonstrating that webid fits into the way the
security world actually works, at scale. It is the meaning of life property
though (since it's about making the money from trust...that pays for
salaries etc)


-----Original Message-----
From: Henry Story [mailto:henry.story@bblfish.net] 
Sent: Saturday, April 23, 2011 8:42 AM
To: peter williams
Cc: public-xg-webid@w3.org
Subject: Re: Position Paper for W3C Workshop on Identity


On 23 Apr 2011, at 17:05, peter williams wrote:

> Webid doesn't solve the trust problem. It just binds a key to a 
> name/identifier, and specifies a validation procedure (for SSL).

Yes, saying it solves the trust problem is wrong. It allows it to be
expressed in the way trust should be: very flexibly. Each agent can decide
on his own trust policy. Some may choose to trust Rappatoni, others the CIA,
and yet others Kadhaffi's enlightened leadership.

> 
> Nicely, the same validation procedure works for other secure channel 
> protocols (e.g. websso). [snip]

It would be tempting to discuss the meaningoflife issue (42) here, but I
have a few other priorities on my plate right now, sadly.

	Henry

Social Web Architect
http://bblfish.net/

Received on Saturday, 23 April 2011 16:55:06 UTC
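An added example (not code from this thread or from the WebID project) of the chain-of-relations idea in the first paragraph of the reply: WebIDs related to .crt URIs, a simple multiplicative confidence metric over each chain standing in for a PGP-style trust metric, and a threshold playing the role of the risk-analysis bound. All WebIDs, .crt URIs and weights are constructed.

```python
from typing import List, Tuple

# One relation = (subject, object, confidence): "subject vouches for object",
# weighted by how far the relying agent trusts the party making the assertion.
# The weighting is the agent's own trust policy; nothing here is global.
Relation = Tuple[str, str, float]

# Constructed sample graph (hypothetical WebIDs, .crt URIs and weights).
CONSTRUCTED_GRAPH: List[Relation] = [
    # a foaf card relates the WebID to a CA's .crt file
    ("https://alice.example/card#me", "https://ca-one.example/ca.crt", 0.9),
    # that CA's cert is in turn vouched for by a second CA's root
    ("https://ca-one.example/ca.crt", "https://ca-two.example/root.crt", 0.8),
    # a weaker, independent relation straight to the second root
    ("https://alice.example/card#me", "https://ca-two.example/root.crt", 0.5),
]

def chain_confidence(graph: List[Relation], start: str, goal: str,
                     max_depth: int = 4) -> float:
    """Best confidence over all chains from `start` to `goal`.

    Along one chain the confidences multiply (every hop can only weaken the
    assertion); across alternative chains the strongest one wins. Cycles are
    cut with `seen`, and `max_depth` bounds how long a chain may be.
    """
    best = 0.0

    def walk(node: str, conf: float, depth: int, seen: frozenset) -> None:
        nonlocal best
        if node == goal:
            best = max(best, conf)
            return
        if depth == max_depth:
            return
        for subj, obj, c in graph:
            if subj == node and obj not in seen:
                walk(obj, conf * c, depth + 1, seen | {obj})

    walk(start, 1.0, 0, frozenset({start}))
    return best

def authenticate(graph: List[Relation], webid: str, trusted_crt: str,
                 threshold: float = 0.7) -> bool:
    """Deem the WebID authenticated only if its chain to a .crt the agent
    trusts reaches the confidence bound the agent's risk analysis set."""
    return chain_confidence(graph, webid, trusted_crt) >= threshold
```

With the sample graph the two-hop chain (0.9 × 0.8 = 0.72) beats the direct 0.5 relation, so the WebID passes a 0.7 bound but fails a stricter 0.95 one; a different agent with a different policy simply supplies different weights and bounds.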