
Re: future of Identity on the Web

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 25 Oct 2011 11:21:17 +0100 (BST)
Message-ID: <ac4dfba0ea5c7f5933af2bfe5ee16bff.squirrel@webmail-mit.w3.org>
To: "Hannes Tschofenig" <hannes.tschofenig@gmx.net>
Cc: "Henry Story" <henry.story@bblfish.net>, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>, "WebID Incubator Group WG" <public-xg-webid@w3.org>, public-identity@w3.org, "Halpin Harry" <hhalpin@w3.org>, "Ben Adida" <ben@adida.net>, "Tim Berners-Lee" <timbl@w3.org>
> Hi Henry, Hi Harry,
>
> I may be completely misunderstanding the effort that Harry has put
> together with the W3C Web Identity charter
> http://www.w3.org/2011/08/webidentity-charter.html
> but my understanding was that the work in that proposed group is focused
> on APIs (e.g., JavaScript) to allow the browser to access cryptographic
> functions and to indicate other security related state information to the
> browser.
>
> This work can then be used by existing Web identity management protocols
> (like OpenID, OAuth, etc.).
>
> I get the impression that you believe the group will develop the identity
> management protocols themselves (such as the recently invented BrowserID
> solution). This is not the case and the charter needs to make this very
> clear. In fact, mentioning these solutions in the "Identity API" part of
> the charter writeup may lead to that confusion.
>
> I hope that this group will help the industry to improve currently
> deployed Web identity management solutions rather than creating even more
> solutions.

Yes, Hannes is correct. Precisely as Hannes states, we are aiming at
lower-level APIs to help already existing solutions as was requested at
the workshop in detail. These APIs should be usable by people deploying a
wide range of solutions such as OpenID Connect, BrowserID, and WebID (if
any of the groups so choose), as well as applications not yet imagined but
needing this kind of functionality. I'll try to rewrite the "Identity API"
section to make this very clear before TPAC, and we'll be discussing this
in depth before TPAC. The charter is still up for modification and I'd
appreciate suggestions for textual changes.

We did discuss BrowserID, OpenID Connect, and WebID at the workshop and
gave everyone room to speak, but there was not consensus from the
attendees to focus on any solutions but instead to aim for compatibility
with a broad range via APIs and multi-device sync [2]. None of the above
solutions has achieved wide-scale end-user usage and all are still under
development in different places.  Therefore, including any of them as a
Rec-track deliverable was not included (although their use-cases and work
will all be taken as input as the kind of work we wish to enable), and I
can email later on how such APIs could help their effort. The people from
Mozilla seemed to think BrowserID was quite experimental, OpenID Connect
is maturing at OpenID Foundation and we have sent a request for review to
them, and WebID is happening in the XG and there was a similar request for
review for them.  We look forward to their reviews.

My particular stance: given the state of flux of the field, I think
focussing on any particular "solution" right now - especially as identity
is a "wicked" problem as Dirk put it [1] - would be a case of premature
optimization. This was also the feeling I got from the workshop [2].
However, allowing basic cryptographic primitives - as well as perhaps
identity-related session state information to be accessed in the Web
platform and sync'ed across multiple devices - would definitely help
everyone IMHO.

    cheers,
         harry

[1] http://www.w3.org/2011/identity-ws/slides/Pranke-wicked.pdf
[2] http://www.w3.org/2011/identity-ws/



>
> Ciao
> Hannes
>
> On Oct 25, 2011, at 9:35 AM, Henry Story wrote:
>
>> Dear Web Identity Groups,
>>
>> Since both the community forming around the Web Identity javascript
>> cryptography work [1] and the WebID XG are working in the same space, I
>> propose that the two groups work out how these projects can complement
>> each other, so that the W3C can tell a unified identity story. There is
>> a lot in common between them - usage of cryptography in the browser and
>> certificates to prove identity online - and it seems quite clear to me
>> that both the existing WebID solution [2] and the in development version
>> known as BrowserId can complement each other, in fact should as much as
>> possible do so. This could then form the basis for a future WG starting
>> 2012, split hopefully into a number of small independent and closely
>> interrelated parts.
>>
>>   Henry
>>
>>
>> [1] http://www.w3.org/2011/08/webidentity-charter.html
>> [2] http://webid.info/spec/
>>
>> Social Web Architect
>> http://bblfish.net/
>>
>>
>
>
>
Received on Tuesday, 25 October 2011 10:21:23 GMT
