W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

Re: Browser ID

From: Ben Adida <ben@adida.net>
Date: Fri, 15 Jul 2011 22:20:43 -0700
Message-ID: <4E211FAB.40306@adida.net>
To: nathan@webr3.org
CC: Kingsley Idehen <kidehen@openlinksw.com>, WebID XG <public-xg-webid@w3.org>

Hi Nathan,

Thanks for your note.

> Generally speaking it seems at a non technical level, that BrowserID is
> a nice abstraction layer on top of WebID, that makes it more user friendly.

Right, at a non-technical level, but if you dig into the technical 
details, the big difference is that BrowserID delivers an assertion in 
the application layer, while WebID delivers it in the network security 
layer.

No doubt that WebID delivers a more hardened solution, but also one that 
is much harder for server-side developers to tap into. (Probably not so 
hard when you're doing development and you've got the whole stack just 
an API call away, but much harder when those layers start existing on 
different machines.)

As per my previous email, I sense that this will create difficulties 
much like Digest Auth.

>> We're trying to solve a very thin problem: login. I don't think we
>> need to build that on stable, long-term keys, as crypto tokens with
>> long validity periods create all sorts of problems when users lose
>> devices, etc.
>
> I agree, but if they could be added with next to no cost, preferably
> behind the interface, then it may be a good addition.

Do you mean assertions for stuff other than logging in? Maybe, as long 
as we're not reusing keys for different purposes. There *is* a risk to 
expanding the scope of a given key, or to enabling longer-lived certs 
for the same scope.

>> "Simple for the developer" is very important. Of course, there is a
>> lower bound if you want to be secure, but we want to get closer to
>> that simplicity lower bound than other technologies have done so far.
>
> Perhaps layers of abstraction, and different layers one can interface at?

I don't see it yet, because of the stack issue mentioned above.

> The ability to work stateless, tls on the wire forced,

Stateless... at the app layer you mean? Right, we're back to playing 
with different layers of the stack. The flipside of that coin is as 
above: harder for implementers.

> and the benefits of open profiles

Open in what sense? Access? Not good. Data model? Good. We're not there 
yet, though. We're only certifying the federated identifier.

> If BrowserID/WebID can be merged and become an single adequate and long
> term login/auth solution, then it would perhaps be better than yet more
> different and competing solutions - at the end of the day, it's users
> who will pay the price of having to manage multiple login mechanisms and
> auths.

I hear you, but if the merger weakens the model (by having long-lived 
certs that require revocation) or complicates developers' lives, then 
those are significant downsides that could scuttle the whole effort.

Right now, I'm still seeing some fundamental differences, where the same 
property is something WebID sees as an advantage, while BrowserID sees 
it as a problem.

-Ben
Received on Saturday, 16 July 2011 05:21:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC