RE: Comments on draft charter [Was: Agenda: Verifiable Claims Teleconference - Tuesday, March 8th 2016]

Browser-independence should mandatorily be possible, IMO.

Jörg

From: Timothy Holborn [mailto:timothy.holborn@gmail.com]
Sent: Monday, 14 March 2016 04:37
To: Steven Rowat; public-credentials@w3.org
Subject: Re: Comments on draft charter [Was: Agenda: Verifiable Claims Teleconference - Tuesday, March 8th 2016]

Re: Scope - can we insert 'browser independent' somewhere? Or is that impractical?

On Mon, 14 Mar 2016 at 12:06 Timothy Holborn <timothy.holborn@gmail.com> wrote:
An important part of this requirement also relates to URIs and means by which to ensure accounts may be portable.

Therein, some sort of 'update' mechanic.


On Mon, 14 Mar 2016 at 10:20 Steven Rowat <steven_rowat@sunshine.net> wrote:
On 3/13/16 3:44 PM, Dave Longley wrote:
> On 03/12/2016 06:27 PM, Steven Rowat wrote:
>> RE: "Identity fragility"
>>
>> I flagged this a few days ago and got no comments, but on re-reading the
>> Charter draft it still stands out for me, and this time I have a
>> suggested improvement.
>>
>> Currently, the Problem Statement includes:
>>
>> "In existing attribute exchange architectures (like SAML, OpenID
>> Connect, Login with SuperProviderX, etc.), users, and their verifiable
>> claims, do not independently exist from service providers. This means
>> users can't easily change their service provider without losing their
>> digital identity. This leads to vendor lock-in, identity fragility,
>> reduced competition in the marketplace, and reduced privacy for all
>> stakeholders."
>>
>> As this stands, the main direct problem for the credential holder --
>> besides privacy -- is 'identity fragility'. I'd suggest that:
>> a) that's vague
>> b) there are other things happening: IMO the vendor lock-in leads to
>> identity duplication, confusion, loss, and inaccuracy.
>>
>> Perhaps all those things together could be characterised as 'fragility',
>> but since the vendor lock-in issue is a major reason why verifiable
>> claims are needed, IMO it's best to spell it out. I suggest the last
>> sentence be amended to:
>>
>> "This leads to: vendor lock-in, identity fragility (duplication,
>> confusion, loss, and inaccuracy), reduced competition in the
>> marketplace, and reduced privacy for all stakeholders."
>>
>> And of course we could also fight about (I mean discuss) which of those
>> four descriptors are accurate, and/or add others.
>
> "Undue/undesirable fragmentation" is another.

Yes, but now on reconsidering the whole paragraph, I think there's
another problem (and possible improvement) in the previous sentence,
where it states "without losing their digital identity". Because if we
agree that 'identity fragility' contains several things (like
fragmentation, duplication, confusion, inaccuracy, loss), then
'losing' their identity isn't always the most accurate way to view
what's happening. What's happening sometimes is that the identity gets
vague and hard to use or verify; not 'lost'. As you say, it fragments.

So maybe adding 'fragmenting' to that previous sentence would work
(and removing 'loss' from the next one, because it's already used):
something like as follows:

"In existing attribute exchange architectures (like SAML, OpenID
Connect, Login with SuperProviderX, etc.), users, and their verifiable
claims, do not independently exist from service providers. This means
users can't easily change their service provider without losing or
fragmenting their digital identity. This leads to vendor lock-in,
identity fragility (duplication, confusion, and inaccuracy), reduced
competition in the marketplace, and reduced privacy for all
stakeholders."

Steven Rowat

Received on Monday, 14 March 2016 14:20:52 UTC