W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

RE: WebID, BrowserID and NSTIC

From: Peter Williams <home_pw@msn.com>
Date: Mon, 25 Jul 2011 22:48:44 -0700
Message-ID: <SNT143-w30B6CA1824050A04D6BFB092320@phx.gbl>
To: <kidehen@openlinksw.com>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>


 webid is supposed to be relying party centric. Its not supposed to be issuer-centric. Supposed is the operative world (allowing for some fudge room, necessary in cryptopolitics). In the CA world, one can present a issued cert to a relying party, that relies once, and issues its own cert "replacing" that issued cert in subsequent communications and transactions between itself and the user (formally known as CA subscriber). It thereafter relies only on its own cert for the user. This model is illustrative of how webid can fudge, similarly. Of course, few PKI users apply the model, noted. A CA can issue a webid in a cert, and a relying party can act in reliance. Said relying party can consume the pubkey and its assurance, and thereafter note that a second foaf card (known to the RPs cache) lists that pubkey bound to a second URI, not listed in the CA's cert inbound via SSL. Should the RP encounter a second SSL client cert with that second URI, it can bind it LOCALLY to the pubkey (and to the first URI). The source of accurate information to do this inference is the RPs foaf card cache, augmented by facts and inferences known only to the RP. One thus has a hybrid CA cert model, with RP-centric trust modelling. One can make further analogies, to OAUTH or ws-trust. In those frameworks, bootstrap credentials enable an RP to swap such a token for an access token to webservices that RP access as client, actingFor the user. Similarly, webid allows one to have the same kind of relationships between multiple agents in delegation flows. In the semantic web way of doing this (so things stay logically rigorous), an RP can mint a cert for the user, which binds to a proxy URI addressing a foaf card at the RP site, which states facts ABOUT the original foaf card. Thus one gets chains of foaf cards, much as one has in ws-trust chains of STS, in PKI chains of certs, or in OAUTH chains of handoffs.  Date: Mon, 25 Jul 2011 22:14:43 -0700
From: fcorella@pomcor.com
To: kidehen@openlinksw.com
CC: public-xg-webid@w3.org; kplewison@pomcor.com
Subject: Re: WebID, BrowserID and NSTIC

> On 7/25/11 7:34 PM, Francisco Corella wrote:
> > Kingsley,
> >
> > > On 7/24/11 8:23 PM, Kingsley Idehen wrote:
> > > > On 7/24/11 7:34 PM, Francisco Corella wrote:
> > > >> This not a theoretical issue, it is a very practical one.  If
> WebID
> > > >> were used as a general purpose WebID, a malicious medical
> insurance
> > > >> company in the US could set up a health information Web site
> with
> > > >> discussion groups.  If a user signed up with a WebID and joined
> a
> > > >> discussion group on cancer, the insurance company could later
> deny
> > > >> insurance to the user on suspicion that the user had cancer
 or
> a
> > > >> dependent who has cancer.  This issue can be avoided by using
> instead
> > > >> a "login certificate" issued by the relying party itself, as we
> > > >> propose in section 4.6 of our white paper.
> > > > But, nothing about WebID implies that a personal is 'You'.
> > > >
> > > > Let's take the Spiderman and Peter Parker scenario. You can have
> WebIDs for both, and only the real identity behind either knows about
> the owl:sameAs relation.
> > > >
> > > > I am saying WebID == Who You Really Are. It just enables
> identifiers to be verified. It basically caters for alter egos etc..
> > >
> > > Meant to say:
> > >
> > > But, nothing about WebID implies that a personal URI refers to
> 'You', specifically. It just enables
 verifiable identifiers that are
> associated with identities :-)
> >
> > OK, WebID can be pseudonymous, but each pseudonym needs to backed by
> a
> > different web of trust, which gets tricky.
> 
> No it doesn't, that's the beauty of this whole system :-) We have OWL
> and RDFS semantics as mechanisms for Trust Logics.
> 
> I can assert, in my own data space, leveraging my own reasoner the
> fact that:
> 
> <PeterParker> owl:sameAs <SpiderMan>.
> 
> I could be the only one privy to this assertion, and be the only one
> capable of applying reasoning to this data space specific fact.

My (limited) understanding of WebID is that the relying party decides
to trust a WebID based on the position of the identity asserted by the
WebID within a trust network.  What I meant to say is that, if you use
different WebIDs that assert
 different pseudonyms for different
relying parties, each relying party will make its trust decision based
on the trust relationships of a different pseudonym.  You have to
build trust relationships for all of those pseudonyms so that each can
be trusted by the relying parties that you use it for.  That's what I
think can get tricky.

> 
> >
> > Anyway, independently of what identity technology you use,
> > pseudonyms
> > are not always appropriate, because they allow tracking. 
> 
> The whole InterWeb is laden with fingerprinting though, the key is
> ultimately about integrating anonymity at the appropriate layer. In
> this case, via WebID we do have anonymity. I can be my own IdP and the
> location of my data space could be wherever. Of course, there are some
> fingerprints, but no more than those associated with other URIs such
> as mailto:
 scheme URIs.
> 
> > Colluding
> > real parties can share information to get a complete picture of all
> > your activities under a particular pseudonym. 
> 
> Yes, that's always a possibility. But it isn't one sided, I could also
> make it very hard to decipher "who I am".
> 
> > You can mitigate the
> > attack by using many different pseudonyms, and being careful about
> > which pseudonym you use for which relying party.  But many relying
> > parties just need to know that you are the same user who visited
> > them
> > earlier.
> 
> A relying party doesn't really need to know all your identities. In
> short, this is the kicker since you should be the one asserting
> identifier co-reference(s) not the relying party .
> 
> > In that case you don't need a pseudonym, or equivalently you
> > need
 a pseudonym that's only used for that relying party; that's
> > what
> > a "login certificate" is, in our proposal.
> 
> Yes, but you can achieve that with WebID due to its underlying
> Semantic richness.

I don't doubt it.  But a login certificate is a lot simpler.

> 
> >
> > Preventing tracking by colluding relying parties is an explicit goal
> > of NSTIC, according to Howard Schmidt's post to the White House
> > blog,
> > at
> > http://www.whitehouse.gov/blog/2011/04/26/national-strategy-trusted-identities-cyberspace-and-your-privacy
> > .
> 
> Yes, a vital goal. WebID lets you be your own IdP and that's key to
> addressing this requirement, alongside pseudonyms, anonymity, and the
> semantic prowess of RDFS and OWL :-)

Francisco
 Francisco Corella, PhD
Founder & CEO,
 Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Web site: http://pomcor.com
From: Kingsley Idehen <kidehen@openlinksw.com>
To: Francisco Corella <fcorella@pomcor.com>
Cc: "public-xg-webid@w3.org" <public-xg-webid@w3.org>; Karen Lewison <kplewison@pomcor.com>
Sent: Monday, July 25, 2011 3:38 PM
Subject: Re: WebID, BrowserID and NSTIC



  

    
  On 7/25/11 7:34 PM, Francisco Corella wrote:
    
      
        Kingsley,

            

            > On 7/24/11 8:23 PM, Kingsley Idehen wrote:

            > > On 7/24/11 7:34 PM, Francisco Corella wrote:

            > >> This not a theoretical issue, it is a very
            practical one.  If WebID

            > >> were used as a general purpose WebID, a
            malicious medical insurance

            > >> company in the US could set up a health
            information Web site with

            > >> discussion groups.  If a user signed up with a
            WebID and joined a

            > >> discussion group on cancer, the insurance
            company could later deny

            > >> insurance to the user on suspicion that the
            user had cancer or a

            > >> dependent who has cancer.  This issue can be
            avoided by using instead

            > >> a "login certificate" issued by the relying
            party itself, as we

            > >> propose in section 4.6 of our white paper.

            > > But, nothing about WebID implies that a personal
            is 'You'.

            > >

            > > Let's take the Spiderman and Peter Parker
            scenario. You can have WebIDs for both, and only the real
            identity behind either knows about the owl:sameAs relation.

            > >

            > > I am saying WebID == Who You Really Are. It just
            enables identifiers to be verified. It basically caters for
            alter egos etc..

            > 

            > Meant to say:

            > 

            > But, nothing about WebID implies that a personal URI
            refers to 'You', specifically. It just enables verifiable
            identifiers that are associated with identities :-)

            

            OK, WebID can be pseudonymous, but each pseudonym needs to
            backed by a

            different web of trust, which gets tricky.

          
      
    
    

    No it doesn't, that's the beauty of this whole system :-) We have
    OWL and RDFS semantics as mechanisms for Trust Logics. 

    

    I can assert, in my own data space, leveraging my own reasoner the
    fact that:

    

    <PeterParker> owl:sameAs <SpiderMan>. 

    

    I could be the only one privy to this assertion, and be the only one
    capable of applying reasoning to this data space specific fact. 

    

    

    
      
        

            Anyway, independently of what identity technology you use,
            pseudonyms

            are not always appropriate, because they allow tracking.  
      
    
    

    The whole InterWeb is laden with fingerprinting though, the key is
    ultimately about integrating anonymity at the appropriate layer. In
    this case, via WebID we do have anonymity. I can be my own IdP and
    the location of my data space could be wherever. Of course, there
    are some fingerprints, but no more than those associated with other
    URIs such as mailto: scheme URIs.

    

    
      
        Colluding

            real parties can share information to get a complete picture
            of all

            your activities under a particular pseudonym.  
      
    
    

    Yes, that's always a possibility. But it isn't one sided, I could
    also make it very hard to decipher "who I am". 

    

    
      
        You can mitigate the

            attack by using many different pseudonyms, and being careful
            about

            which pseudonym you use for which relying party.  But many
            relying

            parties just need to know that you are the same user who
            visited them

            earlier. 

          
      
    
    

    A relying party doesn't really need to know all your identities. In
    short, this is the kicker since you should be the one asserting
    identifier co-reference(s) not the relying party .

    

    
      
         In that case you don't need a pseudonym, or
            equivalently you

            need a pseudonym that's only used for that relying party;
            that's what

            a "login certificate" is, in our proposal.

          
      
    
    

    Yes, but you can achieve that with WebID due to its underlying
    Semantic richness. 

    

    
      
        

            Preventing tracking by colluding relying parties is an
            explicit goal

            of NSTIC, according to Howard Schmidt's post to the White
            House blog,

            at

            http://www.whitehouse.gov/blog/2011/04/26/national-strategy-trusted-identities-cyberspace-and-your-privacy
            .

          
      
    
    

    Yes, a vital goal. WebID lets you be your own IdP and that's key to
    addressing this requirement, alongside pseudonyms, anonymity, and
    the semantic prowess of RDFS and OWL :-)

    

    

    Kingsley 

    
      
        

            Francisco

        
         

        
        Francisco Corella, PhD

          Founder & CEO, Pomcor

          Twitter: @fcorella

          Blog: http://pomcor.com/blog/

          Email: fcorella@pomcor.com

          Web site: http://pomcor.com

          
            
              
                  From:
                  Kingsley Idehen <kidehen@openlinksw.com>

                  To:
                  public-xg-webid@w3.org

                  Sent:
                  Sunday, July 24, 2011 2:36 PM

                  Subject:
                  Re: WebID, BrowserID and NSTIC

                

                On 7/24/11 8:23 PM, Kingsley Idehen wrote:

                > On 7/24/11 7:34 PM, Francisco Corella wrote:

                >> This not a theoretical issue, it is a very
                practical one.  If WebID

                >> were used as a general purpose WebID, a
                malicious medical insurance

                >> company in the US could set up a health
                information Web site with

                >> discussion groups.  If a user signed up with a
                WebID and joined a

                >> discussion group on cancer, the insurance
                company could later deny

                >> insurance to the user on suspicion that the
                user had cancer or a

                >> dependent who has cancer.  This issue can be
                avoided by using instead

                >> a "login certificate" issued by the relying
                party itself, as we

                >> propose in section 4.6 of our white paper.

                > But, nothing about WebID implies that a personal is
                'You'.

                > 

                > Let's take the Spiderman and Peter Parker scenario.
                You can have WebIDs for both, and only the real identity
                behind either knows about the owl:sameAs relation.

                > 

                > I am saying WebID == Who You Really Are. It just
                enables identifiers to be verified. It basically caters
                for alter egos etc.. 

                

                Meant to say:

                

                But, nothing about WebID implies that a personal URI
                refers to 'You', specifically. It just enables
                verifiable identifiers that are associated with
                identities :-)

                

                -- 

                Regards,

                

                Kingsley Idehen    

                President&  CEO

                OpenLink Software

                Web: http://www.openlinksw.com

                Weblog: http://www.openlinksw.com/blog/~kidehen

                Twitter/Identi.ca: kidehen

                

                

                

                

                

                

                

                

              
            
          
        
      
    
    

    

    -- 

Regards,

Kingsley Idehen	      
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 





  


 		 	   		  
Received on Tuesday, 26 July 2011 05:49:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC