Re: WebID, BrowserID and NSTIC

From: Francisco Corella <fcorella@pomcor.com>
Date: Mon, 25 Jul 2011 22:31:03 -0700 (PDT)
Message-ID: <1311658263.56102.YahooMailNeo@web125513.mail.ne1.yahoo.com>
To: Henry Story <henry.story@bblfish.net>
Cc: "nathan@webr3.org" <nathan@webr3.org>, WebID XG <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>
> On 25 Jul 2011, at 21:50, Francisco Corella wrote:
> 
> >  We will soon revise the white paper to add WebIDs, and PKI certificates
> > issued by email service providers to assert that the user owns an email address.  We
> > also accommodate the submission of multiple credentials simultaneously,
> > which makes sense in several use cases.
> 
> very nice! Please keep us up to date on feedback from the NSTIC.
> 
> We should also look at using the PKI certificates issued by e-mail
> service providers as BrowserId does. I think it would fall under the
> topic of using WebIds in Issuer Alternative Names. So an e-mail server
> is one possible issuer, but one could also have WebServers be issuers
> (CA) - as they are currently.  After all if the public key used by the
> https server is the same as the one that signed the certificate, there
> is no need for the Relying Party to dereference the WebID, other than
> as a Certificate Revocation and RESTful attribute exchange
> mechanism. (It may also be psychologically helpful for many people,
> because it could be that people have trouble understanding
> certificates that are not signed by a CA.)
> 
> And yes, I agree there are many technologies that can come together.
> Being interested in the social web, my focus has been less on
> anonymity, than in decentralisation of sociality, which I think is the
> biggest issue at present.
> 
> I think that it is very difficult to achieve anonymity, as even if the
> tools are available users will very likely give away a global
> identifier if asked (credit card, e-mail, address), or something to
> the same effect: enough information to be identifiable - and not much
> is required there.  

I agree.  The goal is only to avoid using credentials that reduce
privacy unnecessarily.

> But hey, if the technology to make this possible
> is widely deployed, it will be great to be able to use it :-)

Yes :-)

Francisco


Francisco Corella, PhD
Founder & CEO, Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Web site: http://pomcor.com


>________________________________
>From: Henry Story <henry.story@bblfish.net>
>To: Francisco Corella <fcorella@pomcor.com>
>Cc: "nathan@webr3.org" <nathan@webr3.org>; WebID XG <public-xg-webid@w3.org>; Karen Lewison <kplewison@pomcor.com>
>Sent: Monday, July 25, 2011 7:59 PM
>Subject: Re: WebID, BrowserID and NSTIC
>
>
>
>
>On 25 Jul 2011, at 21:50, Francisco Corella wrote:
>
>> We will soon revise the white paper to add WebIDs, and PKI certificates
>>issued by email service providers to assert that the user owns an email address.  We
>>also accommodate the submission of multiple credentials simultaneously,
>>which makes sense in several use cases.
>
>very nice! Please keep us up to date on feedback from the NSTIC.
>
>
>We should also look at using the PKI certificates issued by e-mail service providers
>as BrowserId does. I think it would fall under the topic of using
>WebIds in Issuer Alternative Names. So an e-mail server is one possible issuer,
>but  one could also have WebServers be  issuers (CA) - as they are currently. 
>After all if the public key used by the https server is the same as the one that signed the 
>certificate, there is no need for the Relying Party to dereference
>the WebID, other than as a Certificate Revocation and RESTful
>attribute exchange mechanism. (It may also be psychologically helpful
>for many people, because it could be that people have trouble understanding
>certificates that are not signed by a CA.)
>
>
>And yes, I agree there are many technologies that can come together.
>Being interested in the social web, my focus has been less on anonymity,
>than in decentralisation of sociality, which I think is the biggest issue
>at present.
>
>
>I think that it is very difficult to achieve anonymity, as even if the tools are available 
>users will very likely give away a global identifier if asked (credit card,
>e-mail, address), or something to the same effect: enough information to
>be identifiable - and not much is required there.  But hey, if the technology to
>make this possible is widely deployed, it will be great to be able to use it :-)
>
>
>Henry
>
>Social Web Architect
>http://bblfish.net/ 
>
>
>
Received on Tuesday, 26 July 2011 05:31:31 UTC