W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

Re: Browser ID, WebID & URLs

From: Jeff Sayre <jeff@sayremedia.com>
Date: Mon, 18 Jul 2011 19:54:35 -0700
Message-ID: <3caec09a5ad27ac007be3a21f41435a3.squirrel@webmail.sayremedia.com>
To: "Ben Adida" <ben@adida.net>
Cc: "Henry Story" <henry.story@bblfish.net>, "Tom Scavo" <trscavo@gmail.com>, dev-identity@lists.mozilla.org, "WebID XG" <public-xg-webid@w3.org>
Ben-

For those of us that operate our own communications channels -- websites
-- and act as our own email providers, how will the certification of our
own email addresses work under BrowserID?

Whereas I do have gmail and dotMac email accounts, those are not accounts
that I consider my primary email addresses. In fact, I do not use my gmail
account. It was simply assigned to me when I created a Google account.
Instead, I use my self-created, controlled, and managed email account.

It sounds like BrowseID is really geared toward 3rd-party email idP's and
not people like myself. If that is the case, then this is a salient
advantage that WebID provides.

With WebID, I can fully control my identity and act as my own idP. I can
vouch for myself. I do not need a 3rd party, who truly does not know me,
certify me -- whether for free or a fee. I can demonstrate ownership and
control over my domain. It is then up to others to decide if they wish to
trust me or not. Overtime, I can build up a large Web of Trust of other
users who can also vouch for me. This Web of Trust can then be seamlessly
used to further enhance the authentication process.


Jeff Sayre


> On 7/17/11 8:49 PM, Henry Story wrote:
>>
>>> Yes, and an interesting experiment it is, too.
>>
>> agree.
>
> I'm glad you think so. We think it's important to keep it simple to see
> where it goes.
>
> And though I'm pessimistic about WebID, I'm glad you're experimenting
> with it. I will gladly eat my words if you succeed.
>
>> A lot of people don't want to get into spam registries. The privacy
>> advantage of http URLs is that you can't send e-mails using them. So
>> one could argue that http URLs are more privacy enhancing :-)
>
> It's easy to create an email alias that goes to bitbucket, if we find
> that that's an important use case. I doubt it, though.
>
> I don't think we're going to agree on the privacy properties of HTTP
> URLs that reveal information to anyone who asks, and that effectively
> become logs of all login activity.
>
>> A question on short keys - this is probably something I have not fully
>> understood.
>> But if the keys are short lived, don't you have to go back to your
>> e-mail provider
>> constantly to create new keys?
>
> Indeed. But we are working on the protocol that will let a provider that
> has already certified you re-certify you quietly. So when you log back
> into your email provider, your cert is renewed automatically, in the
> background.
>
>> If so is that not a Usability nuisance?
>
> I'm pretty sure we can make it fully transparent and yet fully
> user-consented. But we've got some work left to do to get there.
>
> -Ben
>
>
Received on Tuesday, 19 July 2011 02:55:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC