Re: new WebID spec published from Henry Story on 2011-11-24 (public-xg-webid@w3.org from November 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 24 Nov 2011 10:01:31 +0100
To: Peter Williams <home_pw@msn.com>
Cc: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-Id: <1C2C17E4-5F8A-4A8D-8DB8-F321BC6D3538@bblfish.net>
Ok, I am happy to see that this list of issues is a lot shorter than the previous one. So there's progress.

I forgot to add the Change History, which means that I need to do a new release anyway. As it takes a bit of time
I will accept another round of fixes and overwrite the current version - if that is ok.


On 24 Nov 2011, at 03:25, Peter Williams wrote:

> I advise, as the incubator comes to a close: be clear what you are (and stop stating what you are not).
>  
> dont be known as that the group that hates CAs (while then relying on CAs to protect the document endpoints). its just sounds inconsistent, anti-capitalist, etc etc. 
>  
> Dont be thought of as something that is using the old digital ID concept. Its a spec that applies as much to PGP ciphersuites of https as much as those the Mozilla-centric ciphersuites (using X.509 blog formats and .p12 files for private keys and/or references).
>  
> Try NOT to use terminology that make it sound like a UCI-vintage system, given openid 1.0 and UCI essentially failed to get ANY traction from users. Decide if you want paypal on board, or not. Dont diss brands and commerce, if you are looking to the major cloud brands to adopt. Dont believe that wordpress will be bullied (presured), just becuase folks use horrid terminology on blog sites. The web has release the horrid side of humanity, remember.
>  
> Dont tied into the PGP web of trust. Be assertive and be stating that the linked data mesh is something refresingly new. The pgp model is old and tainted (and never broke out of its niche).
>  
> Stand up for the semantic web, as it matures with its new moniker: the linked data mesh. One has to move beyond Harry Halpins first impression (oh nO!, its the old RSS lot back in gear...refigthing old wars).
>  
> I note that opening 1000 words (non-normative) seems to be very political in prhasing, a bit like a politician using a few terms selective, know to be cues for particular voting communities. The result is a mongrel though. its will struggle for mind share, compared to those who have single minded conviction (e.g. the browserID folks). civilian security is a funny business, and needs particular marketing.
>  
> Remember, its supposed to be the result of an incubator, not a working group. Its supposed to be advanced research. If the eventual system that falls out looks more like the things that Kingsley is working on. DONT WORRY. the incubator succeeded. It created a market, and got a some core principles established. If it doesnt get all of them, let it go!
>  
>  
> The text sends mixed messages, in its formalism. At times, its focussed on persons only, Then sometimes it admits its relevant to organizations, and then finally a webid definition starts talking about robots, and groups. perhaps give up on anything than Persons, this time around. Dont feel like one has to carve out space, lest it be lost later.  TLS is 15 years old, and still in active standardization....
>  
> The text still goes on about "Identification Certificate", from the previous attempt at formalism. Its not even defined. Just get rid of it. This spec is never going to have a rigorous security model. Its not why it one should be reading it, either. It has to say what the semantic web is doing (that CA trust networks and kerberos and websso do not).
>  
> The cert :hex arc in the picture has 00 leading bytes... (sigh). This is going to be the bane of this work, I supsect, since folks will do exactly what Henry did (probalby). view a cert, copy its modulus, which includes the 00 byte (which is significant, but only on cert land).

No, that was fixed, look again.

>  
> "information at that URI represents." typos.
>  
> I passed on the first time I got the hint, but its too obvious to do so the second time: "a TLS enabled protocol such as https in order to access a Protected Resource or a Protected Service." What does this mean? Does it mean I can use ftps? EAP-TLS?? SSLVPNs? The vagueness is making a point, and its hanging.
>  
> I really dont like the step 7's implication. The protocol as spec'ed really has nothing to say about linked data mesh, that MIGHT qualify the results of the validation protocol run in some kind of repuation sytsem. Its just confusing folks, who might nbelieve that the spec delivers such a method. It doesnt align (in spirit) with the bare bones text of 7: "a TLS enabled protocol such as https in order to access a Protected Resource or a Protected Service."
>  
> The material in 3.2.1 should just be removed. Specs dont refer to wikis. The material is all too political, too. Your average TLS expert will not know what is being alluded to.
>  
> 3.2.2 make it sound like one is proposing an post-connection SSL setup regime (like the last one W3C specified, that got nowhere). Dont step in it... twice.
>  
> Note the prhase "Since WebID TLS authentication does not rely on CA's signing the certificate" note the politics. One is fomrally breaking with the CA/PKI community. This will make some of even this groups, very lurky technical experts nervous (as that community is rather powerful, in military systems). They tend to be quite manipative, and will happily message against standards that they see as contray to the national interest/policy, etc)
>  
> The NEED and WANT model is lacking. Its a bit of quackery, to be honest. Not trying to be insulting here. but recognize that TLS is hardly new, and terms are established.

yes, I asked you as a security specialist to tell us where that language came from, so that we can reference it.

>  
> 3.2.4.1 makes RDFa processing mandatory (I think, at 99%). Someone needs to make sure RDFa parsers are are lot more widely implemented than today. It should not be e.g. me (a security type in an RDFa application group) that is struggling to parse an RDFa document in a system built using dotNet. If there are not 3 dotnet  and 4 java implementations, its seems strange to me mandating that a security app be using RDFa when, more mainstream and non-securitiy apps have yet to do so on those same platforms.
>  
> 'Assuming the public key is an RSA key, and that its modulus is "9D79BFE2498..." and ' . The ASK query's mod does NOT align with 9D....
>  
>  
> 3.2.5 should make it clear that this spec does none of the things - that are howeever expected or envisaged (perhaps) in the "family of related specification".
>  
> 3.3 goes back to the earlier formalism, about "identity crednetials", identification agents: , or some attempt at a formalisn model now discarded.
>  
> 3.3.2 has a SHOULD (not a MUST) for the key and name. im scratching my head wondering what on earth could induce this not to be MUST. Im wondering if I'm somehow REALLY MISSING the point, somehow. The decisions seems to arbitary, in many ways.
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> > From: henry.story@bblfish.net
> > Date: Wed, 23 Nov 2011 22:01:16 +0100
> > CC: foaf-protocols@lists.foaf-project.org
> > To: public-xg-webid@w3.org
> > Subject: new WebID spec published
> > 
> > Hi team,
> > 
> > so in the last week we have had a major rewrite of the spec, including new graphics,
> > UML diagrams, change to ontology, etc... It is all up on 
> > 
> > http://www.w3.org/2005/Incubator/webid/spec/
> > 
> > There is a lot more to do of course, but I think this feels a lot more solid that the previous
> > version.
> > 
> > Please send feedback,
> > 
> > Henry
> > 
> > Social Web Architect
> > http://bblfish.net/
> > 
> >

Social Web Architect
http://bblfish.net/
Received on Thursday, 24 November 2011 09:02:08 UTC