- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sat, 23 Apr 2011 13:06:06 -0400
- To: public-xg-webid@w3.org
On 4/23/11 12:54 PM, peter williams wrote:
> Good (ignoring the quips). Even worked Quadaffi in (but no Assad!?)
>
> If one wants to reach out to the traditionalists (still tied to certs), one
> takes a foaf card and one relates the id to a URI pointing at a .crt file of
> a CA (just like the wot vocab points to a .sig file, minted using the PGP
> tool). Then, like wot, one uses a trust metric (PGP in wot's case) to
> compute a confidence value on a chain of relations (relating webids to .crt
> URIs). If this all falls within bounds, designed probably using formal risk
> analysis, one deems the authentication valid. This model scales, and is
> solid (being used for years).
>
> The point is ... the above metric and system is neither better nor worse
> than any other. We are agnostic. What matters is that a common logic
> framework is doing the relating, and a thousand trust models exist (like
> thousands of ISPs existed for a few years, in 1995 era). Over time, this
> will reduce to 10 and lots of resellers (changing the font, and adding an
> insurance policy and some nominal governance regime), as usual. In reality,
> there is large fanout of the governance space (down to each city, and often
> areas within cities if they have different population migration
> characteristics). In the world of the commodity social web, of course, it's
> small fanout - live/hotmail, google, yahoo (and their many resellers) and
> then paypal - though paypal seems to be losing its nerve after the wikileaks
> exposure (from what a little birdy tells me).
>
> A good model for us is VISA and PCI, where a thousand+ resellers of 10 main
> banks now divvy up the trust space, forcing different security criteria on
> the merchants under their governance control. In reality, it's little more
> than a market for selling insurance (as satisfying the technical criteria
> under audit costs way more than the insurance premium). But, this is all
> part of the game; which verges on social extortion. Webid will eventually
> become an insurance selling space, just like [server] certs sell warranties
> tied back to Lloyds. Formally, this is the commodity trust basis known as
> "compensating controls". To you and me, in the bar, it's flogging insurance,
> so the risk is spread across the public, acting as a large population able
> to collectively sustain local damages.
>
> I don't think we want to say this to the browser guys, who are all engineers
> and product managers probably, though. But if one does, it's part of the
> information assurance topic. Demonstrating that webid fits into the way the
> security world actually works, at scale. It is the meaning of life property
> though (since it's about making the money from trust...that pays for
> salaries etc)
>
>
> -----Original Message-----
> From: Henry Story [mailto:henry.story@bblfish.net]
> Sent: Saturday, April 23, 2011 8:42 AM
> To: peter williams
> Cc: public-xg-webid@w3.org
> Subject: Re: Position Paper for W3C Workshop on Identity
>
>
> On 23 Apr 2011, at 17:05, peter williams wrote:
>
>> Webid doesn't solve the trust problem. It just binds a key to a
>> name/identifier, and specifies a validation procedure (for SSL).
> yes, saying it solves the trust problem is wrong. It allows it to be
> expressed in the way trust should be: very flexibly. Each agent can decide
> on his own trust policy. Some may choose to trust Rappatoni, others the CIA,
> and yet others Kadhaffi's enlightened leadership.
>
>> Nicely, the same validation procedure works for other secure channel
>> protocols (e.g. websso). [snip]
> It would be tempting to discuss the meaningoflife issue (42) here, but I
> have a few other priorities on my plate right now, sadly.
>
> Henry
>
> Social Web Architect
> http://bblfish.net/
>

Peter,

We should put this stuff into a Google Docs hosted Presentation or Scribd doc. The key thing here is that you grok the big picture narrative that needs to act as a WebID segue in presentation format. Of course, you can dump as a mail response and others can pick up this action. Key is to get this narrative out there as WebID segue.

--

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
Received on Saturday, 23 April 2011 17:06:29 UTC