- From: Dave Raggett <dsr@w3.org>
- Date: Sun, 07 Aug 2011 20:47:05 +0100
- To: Henry Story <henry.story@bblfish.net>
- CC: Anders Rundgren <anders.rundgren@telia.com>, "public-identity@w3.org" <public-identity@w3.org>
On 06/08/11 10:44, Henry Story wrote: > On 6 Aug 2011, at 10:39, Anders Rundgren wrote: > >> I believe we have entered another phase of web development were alternative >> routes to standardization are becoming more common due to the slowness and >> political difficulties associated with SDO processes. >> >> That just about everybody is connected to the Internet and can update >> their SW platform in minutes makes the new ecosystem highly dynamic. >> >> It isn't even necessary getting everything completely right from scratch. >> My experiences @ TrustedComputingGroup indicates that the traditional way >> of developing stuff for the masses is simply put contra-productive. >> >> IMO "all bets are off" regarding the final solution for secure and >> ubiquitous access to the Internet. It presumably lies in the hands of >> browser vendors and service providers. > Yes, but if you look at it you will see that the problem they will all face is the problem of reference, not the problem of cryptography. It is the problem of trust of CAs that will always come back. So unless one works on that - a semantic web task - the issues will always come back. People are always mesmerised by syntax, thinking it is a syntactic problem they are confronting, when in fact it is at a different layer: distributed trust semantics. I agree with the issue of trust. CA's don't really reflect the trust models we have for people and organizations. For businesses, I would like to see credentials provided by national or regional bodies such as Companies House in the UK, as well as organizations charged with responsibilities for oversight of particular industry segments. For individuals, you would have government issued credentials, as well as scoped credentials such as for current membership as a student at a given university. Strong credentials are needed for privacy friendly authentication where the relying party is given a proof that the authenticated party has certain attributes in a strong credential, but via a process satisfying the principle of minimal disclosure of personal information for the task in hand. I plan to work on extending webkit and Mozilla to support this, as working code is always more compelling than just talk. However, to realize the trust models we need to discuss what is needed to support a culture of credentials that match up to real world requirements. -- Dave Raggett<dsr@w3.org> http://www.w3.org/People/Raggett
Received on Sunday, 7 August 2011 19:47:32 UTC