The UI part of credentials from Henry Story on 2018-07-20 (public-credentials@w3.org from July 2018)

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 20 Jul 2018 12:18:40 +0200
To: Credentials Community Group <public-credentials@w3.org>
Message-Id: <413EAF48-D757-4992-A80A-57C4C962670A@bblfish.net>

Hi all,

   I have been thinking a bit about servers and applications credentials recently
which is the opposite of what I have been doing for a long time namely user 
credentials. But since that also falls under Verifiable Claims, I thought you'd 
be interested.

   Discussing this topic  in various forums one often
finds one resistance to new ideas relating to the huge failure in the space of 
user interfaces for this technology. Many have been burned by the many
failures in that space. So I decided to address that problem with a 
light weight and quite intuitive detour through modal logic. If you have ever 
dealt with a salesman coming to your door, then you can follow the reasoning.... 
This is then mapped to the UI problem where I came to the conclusion to my amazement 
that there is actually a very useful cyber-security application for the 
MacBook TouchBar! 

Phishing in Context
Epistemology of the Screen
https://medium.com/cybersoton/phishing-in-context-9c84ca451314

That follows up on a previous post 

"Stopping (https) Phishing"
https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9

which shows that the problem with X509 server certs is the complete poverty of data that
comes with it. So I make a case that one needs much richer Verifiable Server Claim 
information if it is to be interesting to the user finding out about the web site 
he is looking at. (or the app he is using) 

The flexible answer is to allow the browser to go online and fetch the information
from the institutional web of trust. But the efficient one would be for the server
to send a verifiable claim containing the same info and signed by the institution. 
I think one could be flexible and allow both. But for that one would need very 
flexible verifiable claims that could contain pretty much any data 
(as shown in the example of info from Company House). So I think that means X509 is out
long term. Then one could have Verifiable claims with 1 day time to live. 

So this may be an additional angle that can be useful to further the causes this group
is interested in.


Feedback welcome,

Henry Story

Received on Friday, 20 July 2018 10:19:15 UTC