
Re: Account Management in Firefox 5

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 8 Feb 2011 23:18:13 +0100
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
Message-Id: <C61FB875-A638-4484-8265-C819FC633E56@bblfish.net>
To: Dominik Tomaszuk <ddooss@wp.pl>

On 8 Feb 2011, at 18:06, Dominik Tomaszuk wrote:

> An interesting idea is proposed by Mozilla. Maybe WebID can be one of profiles in spec [1]. More about this idea is in [2]
> 
> [1] https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager/Spec/3

So essentially this is a contention for a web site to point to a document that 
allows a machine to discover where:

  1. to create an account
  2. to change a password
  3. to login
     (optionally with openid)

One could create an ontology for this quite easily and mark up html in rdfa directly. But their proposal will work too, and clearly this format is easier to parse for browsers.

One has to see how this is meant to tie in with the user interface. I wrote this
up a while ago (not sure where they are now) in this blog post that contains illustrations of their UI

http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

The idea is to make the browser show the user what account he is logged in as. The UI ideas are great, and could be applied just as well to connection with SSL (see the Chromium issue 29784 I link to in ISSUE-14). This is especially useful as the browser could create very strong passwords per account, without the user remembering them.

On the other hand it does make shifting between browsers a lot more difficult, and between devices. Devices really now need to synchronise all the passwords, since the user has probably never even seen the passwords, and so could not remember them.
   But Mozilla is also working on that. It will encrypt all that information and deposit it on a remote server, with a user-chosen password. Which means the user still needs to remember a URL to fetch it when going to a new computer - just as with WebID - but with the added danger that someone who did this on a public terminal would make all his passwords available to a potentially evil host after downloading it.
   The only serious solution to that problem is a crypto stick as we saw was being used this morning by governments intent on eID. A cryptostick is my term for a hardware device that does the encryption without ever releasing the password. In fact I think one could ask it to be legislated that public terminals not be allowed unless they provide such card access.

The other piece I find this misses is that it recreates the local account names for each account, instead of helping tie people together in a social web. Where WebID identifies agents with URIs, this is still thinking very much in client/server mode. It is true that the OpenId login profile does partially overcome that, that is if openid is used with a foaf profile which they rarely are.

But if one could tie their UI in with TLS then it would cover fully the login space, in a backward compatible way allowing sites that work with passwords to continue to work that way, but moving forward also to a secure networked social web. 

So my wish would be AccountManager functionality tied in with TLS.

> [2] http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/
> 
> Best,
> 
> Dominik 'domel' Tomaszuk
> 
> 

Social Web Architect
http://bblfish.net/
Received on Tuesday, 8 February 2011 22:18:52 UTC
