
RE: Position Paper for W3C Workshop on Identity

From: peter williams <home_pw@msn.com>
Date: Wed, 27 Apr 2011 08:21:38 -0700
Message-ID: <SNT143-ds175EE47BECFCDD2771F06B92980@phx.gbl>
To: "'Henry Story'" <henry.story@bblfish.net>
CC: <public-xg-webid@w3.org>
You might want to browse it - being all about the technology topics you
often struggle with. On the other hand, when looking at life anew, sometimes
ignorance helps - so you are not drawn into the older mental models.

Anyways, there are three terms of art:

Identity verification
User authentication
Information assurance

A term of art is rarely discussed in Wikipedia or a common dictionary.

Identity verification is that act which a notary performs when he/she
authenticates an individual through personal knowledge or, more likely,
checking your passport or driver's license as evidence of id. The notary
attests to having done that act, while then making a statement. Early in
certs, for use by early Apple Mac users, one got an X.509 cert by first going
to a notary, obtaining the affidavit mentioned, and then sending that as
evidence of (notary-based) id verification to the CA.

User authentication is the presentation of the cert to a relying party, along
with a signature showing control over the private key.

Information assurance has nothing to do with any of the above, except when
computers are used in the processes above. If you want a birth cert from the
state of Hawaii, there are information assurance practices - that support the
status of a bit of paper as a "record". Long form records may be valid
legally, for the purposes of id verification; or may not. Because assurance
rules change, only short form record may not be valid, legally. Assurance
rules may require "originals", and not copies, and may distinguish certified
copies (from copies, and from originals). A certified copy may have to be
embossed, by a particular seal (acting as a unique signing device.)

In the computer world, IA often comes down to the security audit, for the
data center. If you are Comodo selling cert, and your resellers apply
computers to access the minting services, and that channel is protected
poorly, one can have the ridiculous situation in which the auditor performed
investigations and tests that qualified the information assurance level as
"sufficient", but nonetheless the channel is insecure. That's because IA
is about rules, not security. It's similar to an accounting audit that says
the firm is not crooked, but it goes bust anyways. What matters is that the
tests shew it was not crooked, to "assure" the public, using the services of
public certified accountants.

Yes, Apple assures the public their phone is safe. Doesn't mean the fine print
of the contract is not set to allow them and their friends to spy on you, in
a manner you find offensive - since you didn't KNOW you agreed to it!? It's
deceptive, despite the assurance. The US government assures the public that
new citizens are suitable citizens. Doesn't mean they are not ex-SS
officers, having spent years designing terror weapons, having run factories
making them and having actually killed 20k civilians...(in London) in
an attempt to terrorise an entire population. Assurance means they now fit
American rules, which change with the times.

In the CA world, the government generally seeks assurance that the firms
will "do the right thing" - when asked. (This means spy, when served a
covert order.) It's an important assurance, that the firm has CEO and staff
that are "oriented" - and trustworthy, and can be trusted (to maintain the
secrecy of the covert surveillance order, and scope the interception to the
named individual, not the operator's ex-spouse...).

Put a key in the RDFa of the document. See what happens... it's not logical,
but then neither is a non-deterministic search that guesses.


-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Tuesday, April 26, 2011 11:44 AM
To: peter williams
Cc: 'Dominik Tomaszuk'; public-xg-webid@w3.org
Subject: Re: Position Paper for W3C Workshop on Identity


On 26 Apr 2011, at 20:34, peter williams wrote:

> Please remove the link to
> http://agendabuilder.gartner.com/IAM4/WebPages/SessionList.aspx?Speaker=701995
> for my name. Or just remove my name altogether (whichever is easiest).
> I do not want an association with Rapattoni to be inferred by readers.
> 
> I'm mostly making a point, tuned to webid, that individuals are in 
> charge - and do NOT need an organizational affiliation. They also do 
> NOT need evidence of standing (such as Gartner thought me worth inviting 
> to talk about the needs of realty, to others deploying websso).
> 
> I know, it's a hard habit to break, since individuals have no standing 
> in academia; only having any authority when introduced as "faculty" 
> (which then governs one's credentials and one's reputations).

But I thought many of your points on this list were on the importance of
Information Assurance. 
Are universities, companies posting profiles about people not well-established
ways of doing information assurance?

Henry


> 
> 
> 
> -----Original Message-----
> From: public-xg-webid-request@w3.org 
> [mailto:public-xg-webid-request@w3.org]
> On Behalf Of Dominik Tomaszuk
> Sent: Tuesday, April 26, 2011 7:43 AM
> To: public-xg-webid@w3.org; Henry Story
> Subject: Re: Position Paper for W3C Workshop on Identity
> 
> On 26.04.2011 12:09, Dominik Tomaszuk wrote:
>> On 26.04.2011 10:36, Henry Story wrote:
>>> Ok, the paper is ready for xhtml export. Any further changes can 
>>> then be edited in the xhtml.
>> OK. In a few hours XHTML+RDFa version will be ready.
> Alpha version without CSS, valid XHTML+RDFa:
> 
> http://ii.uwb.edu.pl/~dtomaszuk/webid.html
> 
> Regards,
> 
> Dominik Tomaszuk
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 27 April 2011 15:22:12 UTC
