
Re: DIDs, DID Auth & Browser Cookies

From: Dennis Yurkevich <dennis@mediaiqdigital.com>
Date: Wed, 21 Mar 2018 09:41:01 +0000
Message-ID: <CANamN+5GHgyowwRjbZecjcL9o84P0gYrxX=ZvHEVzu3EnOdtnw@mail.gmail.com>
To: "=Drummond Reed" <drummond.reed@evernym.com>
Cc: "Jordan, John CITZ:EX" <John.Jordan@gov.bc.ca>, "public-credentials@w3.org" <public-credentials@w3.org>

Thank you Drummond and John for your replies.

I understand the concept and benefits of DID auth, however I am more
thinking of how this can be implemented in the short term as websites will
not (most likely) switch over from current auth workflow to DIDs all at
once, and they will want to cater for users who do not have the capability to
authorise using DIDs.

But let's say I am using my mobile device, on which I have stored my *privK*,
to authenticate on a website. If we, say, take the uPort approach and show a
QR code to facilitate this - what happens if I shut down my browser
(accidentally) and want to log back in? Does this group feel that
implementers will still be forced to use session cookies?

And the second question still stands: many people are using cookie-based
tracking and analysis in their apps - what do you envisage companies such
as this with no direct user interaction would do?

I think these are important questions (and many more) when we think about
the DID auth spec to ensure we capture real world use cases in such a way
adoption possibility is increased.

Best,
Dennis

On Wed, Mar 21, 2018 at 4:38 AM, =Drummond Reed <drummond.reed@evernym.com>
wrote:

> +1 to John's reply. DIDs essentially invert the traditional cookie
> relationship, i.e., rather than a site handing you a cookie (over which you
> have no control other than to delete it), you hand the site a DID. Because
> you control the private key, you can always prove control of that DID. You
> can even rotate the public/private key pair associated with the DID and
> still prove control.
>
> That's why they are a sea change in both identification and authentication
> (and, in conjunction with verifiable credentials, in authorization as well).
>
> =D
>
> On Tue, Mar 20, 2018 at 5:08 AM, Jordan, John CITZ:EX <
> John.Jordan@gov.bc.ca> wrote:
>
>> Hi Dennis
>>
>> There are deeper experts here however my thinking is there is no more
>> “remember me” as there will no longer be a “login”.  One will simply
>> connect to a service at which point DID Auth will occur. You will already
>> be authenticated via the device you are using to control your private keys.
>> Ideally DIDs are pairwise unique so I guess a site could use your DID for
>> preferences and so forth.
>>
>> Remember me and cookies are a hack to solve user experience issues around
>> user logon and sessions.
>>
>> Not sure what to say about tracking. I think there needs to be consent
>> and withdrawal of consent at least :) ... maybe DIDs can help with user
>> control of consent.
>>
>> J
>>
>> On Mar 20, 2018, at 05:06, Dennis Yurkevich <dennis@mediaiqdigital.com>
>> wrote:
>>
>> Hello All,
>>
>> I have quite a general question on which I am yet to find an answer
>> anywhere on the GitHub repo.
>>
>> How does this group see DIDs and specifically DID Auth interacting with
>> traditional browser cookies, specifically my questions are:
>>
>>   *   If a user checks the "remember me" button on a site which uses DID
>> Auth, what would be the implementation flow?
>>   *   In the scenarios where a site uses various third party analytics
>> systems which set tracking cookies, is there a better way to do this using
>> DIDs?
>>
>> Thanks!
>> Dennis
>>
>> --
>> Dennis Yurkevich
>>
>> 5th Floor | High Holborn House | 52-54 High Holborn | London | WC1V 6RL
>> dennis@mediaiqdigital.com
>> tel +44 (0)20 700 0420 | mobile +44 (0) 7794 597783
>>
>> Disclaimer: This email and its attachments may be confidential and are
>> intended solely for the use of the individual to whom it is addressed. Any
>> views or opinions expressed are solely those of the author and do not
>> necessarily represent those of Media iQ Digital Limited. If you are not the
>> intended recipient of this email and its attachments, you must take no
>> action based upon them, nor must you copy or show them to anyone. No
>> contracts or official orders shall be concluded by means of this email.
>> Please contact the sender if you believe you have received this e-mail in
>> error.
>>
>> Media iQ Digital Limited is a company registered in England and Wales |
>> Company Number 07321732 | VAT No: GB995910763
>>
>
>


Received on Wednesday, 21 March 2018 09:42:20 UTC
