W3C home > Mailing lists > Public > public-xg-webid@w3.org > February 2011

RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

From: Peter Williams <home_pw@msn.com>
Date: Thu, 3 Feb 2011 19:14:35 -0800
Message-ID: <SNT143-w48DC1437FDDB95E86C372A92E60@phx.gbl>
To: <nathan@webr3.org>
CC: <public-xg-webid@w3.org>

So I definately believe we should liase strongly with the internet folks. But lets remember, IETF is good a some things and not good at others; a cultural issue.
 
but first, before on liases, we have to have something to say. We have to be able to articulate what the web wants (vs the internet).
 
here is my high level - written off the cuff
 
the web wants a particular kind of cloud pattern to evolve (one that complements the public web)
 
the web wants a universal, not national, identity arrangement
 
the web wants individuals to be as powerful as organizations in matters of security
 
the web wants a de-centralized model of administration by default, centralized by consent
 
the web wants a default interoperability, with stepups for more assurance, strength, and private community compartments (e.g. DoD, milnet, enterprise infranets...)
 
the web wants the solution to apply equally effective to to humans consumer as as machines consumers (and vice versa)
 
the web wants wants higher level security primitives - the SSL handshake - that support reasoning
 
the web wants to work with both connection and connectionless security worlds and a wide range of devices
 
the web wants security to work with very high speed media, including video, voice, realtime calls, conferencing, etc
 
the web wants the group to coperate with group-enabled security, cipherhing, authentication, authorization, etc
 
the web wants the a common security infrastructure to be deriving a wide range of applications leveragin websso and restful services
 
what does the web not want:
 
it doesnt want to be standarding some protocol for other to do identity management, like a 100 vendors already fight over
it doesnt want to be involved in assurance of systems (let others do it)
it doesnt want to be involved in forensics, spying, controlled covert release (let others do that)
it doesnt want to to promote authority structure for certification, audit, governance (shoes that other already fill)
it doesnt want to work with harmonizing with ongoing law reform or privacy debates
it doesnt want to be involved in cybercommand, or a means of conducting cyberwarfare.
 
it doesnt want to be a vector, becuase to little assurance creates another spam culture, comment span culture, virus culture, impolitic socialization patterns, message management cultures...
 
----
 
To me there is are two projects going on here - short and medium term.
 
a trivial to execute project in which a million old home pages get some RDFa'd text, so that (self-signed) client certs in todays browser with URL work in the web culture to access control at resource servers (for the first time). Ideally, it cooperates with the various websso revolution happening NOW
 
redefinition of https (distinguished from TLS at layer 4), so it gets upgraded for the multi-party flows underlying the data-centric web (and all that the web otherwise wants, see above). 
 
 
  		 	   		  
Received on Friday, 4 February 2011 03:15:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:22 UTC