Re: WebID, BrowserID and NSTIC

From: Nathan <nathan@webr3.org>
Date: Sun, 24 Jul 2011 23:29:29 +0100
Message-ID: <4E2C9CC9.4030405@webr3.org>
To: Francisco Corella <fcorella@pomcor.com>
CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>

Hi Francisco,

First let me just say, you have a fantastic collection of white papers, 
I'm thoroughly enjoying reading them, especially Mechanising Set theory, 
and NSTIC architecture proposal.

A few minor comments on what you've written:

Francisco Corella wrote:
> The privacy goals of NSTIC include revealing as little information as
> necessary to the relying party, and preventing relying parties that
> share information from jointly tracking the user if at all possible.
> WebID, if used as a general purpose identifier for the Web at large,
> does not meet that goal.  
> 
> This is not a theoretical issue, it is a very practical one.  If WebID
> were used as a general purpose WebID, a malicious medical insurance
> company in the US could set up a health information Web site with
> discussion groups.  If a user signed up with a WebID and joined a
> discussion group on cancer, the insurance company could later deny
> insurance to the user on suspicion that the user had cancer or a
> dependent who has cancer.  This issue can be avoided by using instead
> a "login certificate" issued by the relying party itself, as we
> propose in section 4.6 of our white paper.

Assuming a single WebID per person, then yes there would be an issue, 
however there is no reason why a specific website or application cannot 
issue each user with their own, unique to that website, WebID, 
certificate and all. It appears to me that this would be equivalent to a 
login certificate, indeed that's exactly what it would be, surely?

As a user I'm very keen to get away from the one person one identifier 
side of the web, just looking at Google Dashboard is somewhat scary - 
the sooner we can have multiple profiles, one for each side of our life, 
with only us as an individual knowing the correlation, the better. Thus, 
any identity solution must, at the least, easily support multiple 
identifiers and sets of credentials. WebID seems to allow this?

Best,

Nathan

>> ________________________________
>> From: Henry Story <henry.story@bblfish.net>
>> To: WebID XG <public-xg-webid@w3.org>
>> Sent: Wednesday, July 20, 2011 1:48 AM
>> Subject: WebID, BrowserID and NSTIC
>>
>> A very interesting article is up "BrowserID and NSTIC" http://bit.ly/oIKw1P . 
>> NSTIC stands for "National Strategy for Trusted Identities in Cyberspace"
>>
>> The article finally points us to the documentation of the BrowserId spec "The verified e-mail protocol"
>>   https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest
>> which is nice. Weird how that link never seems to have appeared anywhere.
>>
>> And it points to a very interesting PDF that I have not had time to read in full
>> detail "proposed NSTIC architecture".[1]
>>
>> I pointed out the relation between WebID and BrowserId on that blog post, and perhaps we
>> will be able to have Francisco Corella talk to us a bit more about what is going
>> on at NSTIC and how WebID could be used there.
>>
>>     Henry
>>
>>
>> [1] http://pomcor.com/whitepapers/ProposedNSTICArchitecture.pdf
>>
>> Social Web Architect
>> http://bblfish.net/
Received on Sunday, 24 July 2011 22:30:07 UTC