- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Wed, 25 Mar 2015 16:18:20 +0200
- To: "Wiley, Glen" <gwiley@verisign.com>
- Cc: Eric Korb <eric.korb@accreditrust.com>, Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <CA+eFz_LsKgB83-tR466d4dMyk7aFrjTzLx4ANz5KRajUn3o0Tw@mail.gmail.com>
On 23 March 2015 at 16:11, Wiley, Glen <gwiley@verisign.com> wrote: > Think of an email address as one of many possible locators. I agree > that it may not solve all the cases but it offers one of the most well > recognized “handles” to the less technical segments of our population. > Even the non-tech savy internet users understand how to exchange email > addresses. > +1 > It may be that email serves an adoption boost that gives people a bridge > to better locators. > +1 this would be the ideal > -- > Glen Wiley > Principal Engineer > Verisign, Inc. > (571) 230-7917 > > A5E5 E373 3C75 5B3E 2E24 > 6A0F DC65 2354 9946 C63A > > From: Eric Korb <eric.korb@accreditrust.com> > Date: Monday, March 23, 2015 at 9:51 AM > To: Wiley Glen <gwiley@verisign.com> > Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" < > public-credentials@w3.org> > Subject: Re: Leveraging DNS and email addresses > > I'm not in love with the idea of using email as a keying mechanism, > except I do agree it is something people do remember. > > However, I think an important to point out that an "entity" can be a > person, place or thing. Yes, a place and thing can be assigned an email > address. But, we need to keep in mind that that first-proof of ownership > of an identity credential does need to be validated and signed by some > authority, which is likely the IdP. Therefore, the method of using an > email keying mechanism for place or thing needs to be thought through > between an IdP and an entity of type place or thing. > > I also agree that we need to consider that a person may have multiple > emails for various reasons, be it business, personal, educational, etc. > So, being able to change the associated email address with your IdP is a > use case we need to consider. > > Eric > > > *"Trust only credentials that are TrueCred*™ *verified."* > ---------------------------------- > Eric Korb, President/CEO - accreditrust.com > <https://www.accreditrust.com> > GoogleVoice: 908-248-4252 > http://www.linkedin.com/in/erickorb @erickorb @accreditrust > > On Mon, Mar 23, 2015 at 12:09 AM, Wiley, Glen <gwiley@verisign.com> wrote: > >> There are some active discussions in the DNS community about how to handle >> this and Verisign has put together some proof of concept code to allow >> folks to experiment with it. The substrate leverages DNSSEC and DANE to >> ensure reliably secure delivery. The problem of how to address key >> material for users who do not have privileges to modify a zone is the real >> problem. >> >> One of the proposals I have made in the DNS circles (speaking on it at >> IETF92 this week in Dallas) is to provide more effective authorizations to >> users within zones. >> >> One of the reasons people leveraging email providers (like gmail) would >> want this is that they still want a way to sign and encrypt their >> communications. While many of us who are more security aware balk at the >> idea, it isn¹t a question of ³best², rather it is a question of ³good >> enough² for mass adoption. A few of us at Verisign are working through >> ideas about how to solve this for the large email services in an open and >> interoperable way that is simple enough to be adopted by non-technical >> users but still offers a reasonable degree of security. >> -- >> Glen Wiley >> >> Principal Engineer >> Verisign, Inc. >> (571) 230-7917 >> >> A5E5 E373 3C75 5B3E 2E24 >> 6A0F DC65 2354 9946 C63A >> >> >> >> >> On 3/22/15, 11:24 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote: >> >> >On 03/16/2015 04:02 AM, Adrian Hope-Bailie wrote: >> >> I have been thinking lately about the challenge of keying an >> >> identity in a way that: >> >> >> >> * Is easy to transfer and remember (even for humans) * Can be >> >> normalised in a standard way and used as part of a standardised >> >> discovery process by a client to discover the Identity Provider >> >> (IdP) for that identity >> > >> >We've been doing quite a bit of thinking in this area for years, some >> >background reading on the current status of this thinking: >> > >> >http://manu.sporny.org/2014/credential-based-login/ >> >http://manu.sporny.org/2014/identity-credentials/ >> > >> >The rest of this post assumes you've read the blog posts above. >> > >> >> To my mind the obvious solution is to use the email address format as >> >> this is already a well-known standard which user's understand. >> > >> >+1 to using email addresses as the /keying/ mechanism used to discover >> >an IdP. >> > >> >-1 to making the IdP the same domain as the email address. Doing that >> >creates a monopoly (Google for gmail.com addresses, for example). >> > >> >-1 to using email addresses as the thing that you tie a credential to - >> >doing that leads to monopolistic behavior. Tying a credential to >> >anything that's not completely portable and under the recipients control >> >is ceding control of that credential to someone other than the recipient. >> > >> >> It seems to me that the only argument against an email address >> >> format is that the domain part is often not under the control of the >> >> identity owner. I don't see that is a good enough reason to force >> >> users to try and change their thinking and use URIs as their >> >> identifiers. >> > >> >That's the wrong way to look at it - the fact is that /both/ email >> >addresses and URLs are bad things to tie credentials to. Email addresses >> >are good as a lookup mechanism because it's been proven that people can >> >remember them easily. URLs are bad as a lookup mechanism, and they're >> >bad as a thing to tie credentials to, but they're good for hanging >> >machine-readable information off of. >> > >> >> I don't have statistics to back this up (perhaps somebody does) but I >> >> consider the relative obscurity of OpenID as a login option as >> >> evidence that this is a bad idea. >> > >> >Yep, OpenID URLs are a bad idea. >> > >> >> So how do we help the user that has an email address @gmail.com >> >> <http://gmail.com> or @hotmail.com <http://hotmail.com> or @yahoo.com >> >> <http://yahoo.com> but wishes to host their identity themselves or at >> >> a different IdP? >> > >> >Yep, exactly the question you should be asking. >> > >> >> First, we define a mechanism or standard algorithm/protocol for >> >> translating their email address into a service discovery process that >> >> may start with their home domain but ultimately result in the client >> >> accessing the identity somewhere else. Then we pressure the large >> >> email providers to abide by this standard. I acknowledge that this >> >> may be difficult but I would say it is not impossible. >> > >> >That's what Mozilla Persona was about, and it failed. The blog posts >> >above explain why Persona failed. >> > >> >> I imagine the user experience being something like the following: >> >> >> >> 1. I log in to my account with this email provider, go to my account >> >> settings and provide the URL of my IdP. 2. When I use my identity >> >> online the client executes the service discovery protocol as >> >> defined, contacts my email provider and is given the URL I have >> >> configured as part of this process. 3. The client negotiates with my >> >> IdP of choice to get my identity information. >> > >> >You've basically re-invented Persona and added a redirection mechanism, >> >and I don't think that'll work. >> > >> >> If we have designed the protocol correctly (very close to what is >> >> already in place today) my email provider only knows who my IdP is >> >> but nothing more about the identity I have defined their unless I >> >> choose to share it. >> > >> >Why would Google adopt this for gmail.com? What's in it for them? Same >> >question goes for all the major email providers. >> > >> >> Where a user has a primary email address with a provider who is not >> >> following the standard the user has two choices: >> >> >> >> 1. Change email providers >> > >> >I don't think people with a gmail.com address will do this. >> > >> >> 2. Use an identity that is different from their primary email >> >> address. >> > >> >I don't think people will understand why they have to have two email >> >addresses. >> > >> >> Is there a compelling case for using a URI as an identity key as >> >> opposed to the familar form of an email address? >> > >> >Email addresses change throughout your lifetime. Tying identity to a URL >> >is also a bad idea. The world needs a decentralized identifier that's >> >portable, full stop. The blog posts go into it a bit more... the >> >identus.org demo is something you should look at... I'd be happy to go >> >through it w/ you at some point. >> > >> >-- manu >> > >> >-- >> >Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) >> >Founder/CEO - Digital Bazaar, Inc. >> >blog: The Marathonic Dawn of Web Payments >> >http://manu.sporny.org/2014/dawn-of-web-payments/ >> > >> >> >> >> >
Received on Wednesday, 25 March 2015 14:18:54 UTC