Re: Credentials specifications page created

Hi Manu,
I believe our different takes on the subject are due to different visions.

Your (and some other CG folks) vision seems to build on the idea that
we live (or should live) in an open and connected world.

My vision builds on the idea that we even in the future will depend on
different (and "disconnected") trust networks (aka identity silos).  I don't
see how such a vision could be supported by DHT without bringing in usability,
security and privacy issues but that may simply be because I haven't seen any
of this in practice or that I haven't found this in the docs.

The Information Card scheme represented a rather different approach
to service discovery.  My hope FWIW, is that this will become a part of
WebCrypto.Next since the concept key + attributes has many interesting
uses which I tried to illustrate in the WebCrypto++ demo.
Key => Service(s). Key attributes => Information about Services.
However without the ACL key attribute my vision doesn't go far because
we also need a way to distribute trusted payment code.  If this trust model
survives, I think it could have a major impact on web payment systems.
If not, I wouldn't be surprised if secure web-payments take another route,
probably spearheaded by Apple who with iPhone 6 and NFC support in OS/X
can side-step most of the web.  That is, the web would only be an opaque
channel between the merchant and iPhone, all the gory stuff would be dealt
with in the phone.  It would be close to trivial (for Apple) implementing
such a scheme.

Service discovery doesn't appear to be a part of any open standards
activity, but I could very well be wrong since there are so many activities
and rather little cross-communication.

Anders

On 2014-10-05 22:33, Manu Sporny wrote:
> On 10/04/2014 04:49 AM, Anders Rundgren wrote:
>> On 2014-10-03 23:29, Manu Sporny wrote:
>>> We finally got around to porting the history[1] over for the
>>> Identity Credentials specification today, so the opencreds.org
>>> website finally has a specifications page:
>>>
>>> http://opencreds.org/specs/
>>
>> If I got it correctly, Identity Credentials' WAYF (Where Are You
>> From) mechanism is based on a distributed system (TeleHash) which I
>> haven't seen anywhere else in the identity space, have you?
>
> Telehash is only a few years old at this point. It's not really used in
> any large projects (that we know of). For those that are not familiar
> with Telehash, it's the work of the inventor of the XMPP[1] protocol
> (Jeremy Miller), which is an IETF standard used for decentralized
> messaging. So, while Telehash is new and not widely used and still
> pretty experimental, it's also being built by someone that really knows
> what they're doing and is well respected in the standards community.
>
> I spoke with Jeremy quite a bit before we tried to integrate it with the
> Identity Credentials demo:
>
> https://manu.sporny.org/2014/identity-credentials/
>
> That said, we're thinking of removing the reliance on Telehash. Telehash
> is a bit too alpha for our tastes and Jeremy seems to be too busy to
> properly support the needs of this group, so we may scale the technology
> back a bit and design a simpler DHT implemented over HTTP. We'd be
> taking the best bits of Telehash and IPNS[2] and standardizing that.
>
> Here's the trade-off: either we use a DHT to solve the client cold-start
> problem (a browser needs to know who your identity provider is when you
> use it for the first time), or we promote vendor lock-in, and give up on
> privacy and preventing pervasive monitoring.
>
>> Yes, I know we can't change browsers but I'm not convinced that
>> putting a lot of effort on workarounds is the right approach either,
>> at least not in standards context.
>
> It's not a workaround, it's the way that we expect this stuff to work in
> the end. You need a DHT of some kind to do discovery on identity
> provider / payment provider, etc.
>
>> The real problem is rather that a lot of IC-like schemes [probably]
>> need the same thing but for historic reasons, slightly overblown
>> egos and a general lack of foresight, the critical mass for a
>> unified solution seems to be outside of what can be achieved through
>> a standards process unless we are talking about standardization of
>> something which is already firmly established like it was for XHR.
>
> I don't share your cynicism. :)
>
> We need the right players and the right motivations. Unfortunately, you
> can't see who those players are yet because we're still in preliminary
> talks with many of them and large corporations tend to be very
> conservative about announcing their interest in activities such as this.
>
> If you'll remember, this was my response to you when we were getting the
> players for the Web Payments work together. The response was met with
> skepticism, but the end result was the attendance of Bloomberg, US
> Federal Reserve, Google, ING, Rabobank, European Commission, AT&T, GSMA,
> etc. All of them want this problem solved.
>
> If you were to watch who's in the group now and who shows up to W3C TPAC
> this year, you'll note that there are a set of non-trivial players at
> the table now and they all want to see this happen. I certainly think
> what we're trying to do here is achievable, especially since we're not
> trying to boil the oceans like the previous initiatives did.
>
>> Anyway, I'm fairly convinced that the Information Card principle
>> eventually will be resurrected (in some way...) because it is simple
>> and extensible[*], it only needs a [much] better platform!
>
> There is a large amount of philosophical overlap between what Identity
> Credentials spec/tech does today and the Information Card work did many
> years ago. I guess I don't understand what parts of the Information Card
> stuff you think are vital to success?
>
> -- manu
>
> [1] http://en.wikipedia.org/wiki/XMPP
> [2] https://github.com/jbenet/ipfs
>

Received on Monday, 6 October 2014 05:29:32 UTC