- From: Francisco Corella <fcorella@pomcor.com>
- Date: Mon, 25 Jul 2011 22:31:03 -0700 (PDT)
- To: Henry Story <henry.story@bblfish.net>
- Cc: "nathan@webr3.org" <nathan@webr3.org>, WebID XG <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>
- Message-ID: <1311658263.56102.YahooMailNeo@web125513.mail.ne1.yahoo.com>
> On 25 Jul 2011, at 21:50, Francisco Corella wrote: > > > We will soon revise the white paper to add WebIDs, and PKI certificates > > issued by email service providers to assert that the user owns an email address. We > > also accomodate the submission of multiple credentials simultaneously, > > which makes sense in several use cases. > > very nice! Please keep us up to date on feedback from the NSTIC. > > We should also look at using the PKI certificates issued by e-mail > service providers as BrowserId does. I think it would fall under the > topic of using WebIds in Issuer Alternative Names. So an e-mail server > is one possible issuer, but one could also have WebServers be issuers > (CA) - as they are currently. After all if the public key used by the > https server is the same as the one that signed the certificate, there > is no need for the Relying Party to dereference the WebID, other than > as a Certificate Revocation and RESTful attribute exchange > mechanism. (It may also be psychologically helpful for many people, > because it could be that people have trouble understanding > certificates that are not signed by a CA.) > > And yes, I agree there are many technologies that can come together. > Being interested in the social web, my focus has been less on > anonymity, than in decentralisation of sociality, which I think is the > biggest issue at present. > > I think that it is very difficult to achieve anonymity, as even if the > tools are available users will very likely give away a global > identifier if asked (credit card, e-mail, address), or something to > the same effect: enough information to be identifiable - and not much > is required there. I agree. The goal is only to avoid using credentials that reduce privacy unnecessarily. > But hey, if the technology to make this possible > is widely deployed, it will be great to be able to use it :-) Yes :-) Francisco Francisco Corella, PhD Founder & CEO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com >________________________________ >From: Henry Story <henry.story@bblfish.net> >To: Francisco Corella <fcorella@pomcor.com> >Cc: "nathan@webr3.org" <nathan@webr3.org>; WebID XG <public-xg-webid@w3.org>; Karen Lewison <kplewison@pomcor.com> >Sent: Monday, July 25, 2011 7:59 PM >Subject: Re: WebID, BrowserID and NSTIC > > > > >On 25 Jul 2011, at 21:50, Francisco Corella wrote: > > We will soon revise the white paper to add WebIDs, and PKI certificates >issued by email service providers to assert that the user owns an email address. We >>also accomodate the submission of multiple credentials simultaneously, >>which makes sense in several use cases. > >very nice! Please keep us up to date on feedback from the NSTIC. > > >We should also look at using the PKI certificates issued by e-mail service providers >as BrowserId does. I think it would fall under the topic of using >WebIds in Issuer Alternative Names. So an e-mail server is one possible issuer, >but one could also have WebServers be issuers (CA) - as they are currently. >After all if the public key used by the https server is the same as the one that signed the >certificate, there is no need for the Relying Party to dereference >the WebID, other than as a Certificate Revocation and RESTful >attribute exchange mechanism. (It may also be psychologically helpful >for many people, because it could be that people have trouble understanding >certificates that are not signed by a CA.) > > >And yes, I agree there are many technologies that can come together. >Being interested in the social web, my focus has been less on anonymity, >than in decentralisation of sociality, which I think is the biggest issue >at present. > > >I think that it is very difficult to achieve anonymity, as even if the tools are available >users will very likely give away a global identifier if asked (credit card, >e-mail, address), or something to the same effect: enough information to >be identifiable - and not much is required there. But hey, if the technology to >make this possible is widely deployed, it will be great to be able to use it :-) > > >Henry > >Social Web Architect >http://bblfish.net/ > > >
Received on Tuesday, 26 July 2011 05:31:31 UTC