Re: The Challenges. Re: The Internet Identity (WG) Crisis

On 2 Jul 2011, at 08:23, Anders Rundgren wrote:

> I believe there are some very different challenges involved in
> the various identity endeavors.
> 
> WebID's primary challenge is persuading large social network providers
> to upgrade.  This would (IMO) be much more realistic if there were some kind
> of mechanism that allowed them, with the help of some javascript, to automatically
> redirect the login if the user had a [suitable] WebID.

This is quite easy to do I believe, and I have been wanting to implement it 
as a way to show how WebID deals with the NASCAR problem.

http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/

The answer is simple again: place the login endpoint behind an https service that asks for the client certificates optionally. 

If the user has a certificate
    his browser will ask him to choose one
    (or select the last one he took for the site)
    resulting in his being logged in.
Else
    the browser returns a NASCAR selection box

So no need for Javascript, or anything new to get things working. 
Of course there are huge improvements that browser vendors can then make, but one does not
need to start ex-nihilo.

Anyway this is not something that takes away from the usefulness of the W3C 
discussing and working on KeyGen2/SKS type improvements, that will be rolled
out in the future. 

> KeyGen2/SKS suffers from an entirely different set of hurdles since it
> (at least initially) targets an existing market/user-base which currently
> is using proprietary client software.  Dropping the proprietary software is
> not going to happen unless the browser vendors unite on a suitable replacement.
> Due to that I'm proposing a protocol extension mechanism that isn't limited to
> any particular "keygen" or "websign" and rather let the market decide...
> 
> As a comparison it is interesting (actually quite depressing) noting that
> even a giant such as Microsoft can fail in spite of good intent and huge
> resources, here thinking of CardSpace (aka Information Cards).  In this
> particular case which I followed since day #1 of its public launch, I think
> a major road-block is that they focused on one *new* technique instead of a
> more universal browser identity client solution addressing *established*
> two-factor schemes as well, like PKI and OTP.
> 
> Lately I have begun thinking: Maybe the PC as a vehicle for innovation
> in the ID space is toast?  The mobile phone platforms seem to be much more
> vibrant.  A difficulty for us "outsiders" is that anything profound on the
> client side can realistically only be performed by a handful of vendors.

Well with mobile phones you have the problem of huge legacy too, and those phones
are even less able to be updated than desktop machines.

Henry

> 
> Anders
> 
> On 2011-07-02 01:27, Dirk Pranke wrote:
>> On Wed, Jun 29, 2011 at 12:21 AM, Henry Story <henry.story@bblfish.net> wrote:
>>> 
>>> On 28 Jun 2011, at 15:05, Anders Rundgren wrote:
>>> 
>>>> Henry,
>>>> 
>>>> I don't disagree with what you write but there are initiatives
>>>> having a higher inertia than WebID because they depend on
>>>> multiple things to happen at roughly the same time.
>>>> 
>>>> Anything browser-2-server "protocolish" falls into this category.
>>> 
>>> yes, that's why with WebID we are very careful to require no browser changes, since those are the most difficult to deploy.
>> 
>> While I would agree that for most if not all of the 2000's this was
>> true and a reasonable design constraint, it is not clear that this is
>> still true or reasonable (as I argued in my presentation at the w3c
>> summit). While I do grant that there is still a large IE6/7/8 user
>> base locked out of potential changes, it is not clear that fixing this
>> is actually more difficult (or important to accommodate) than changing
>> the bajillion services out there that still require usernames and
>> passwords, or retraining and providing an upgrade path for the
>> hundreds of millions of users who have existing usernames and
>> passwords (or, now, increasingly are getting used to OpenID and/or FB
>> Connect).
>> 
>> For example, if we could wave a magic wand and come up with a new
>> system that worked across all services on the web and in the next
>> major version of each browser, that might be enough of an upgrade
>> incentive to make the legacy problem go away.
>> 
>> Of course that depends on what your goals are ... get new services to
>> use WebID, or get existing services to change?
>> 
>> -- Dirk
>> 
>>> The idea is to build momentum on a basis that is not perfect, but that works, and so to build a larger voice: the voice of the users. The browsers were never perfect and were always evolving anyway, but have grown through feedback.
>>> 
>>>> If we take my pet project, Key Provisioning, it is undoubtedly in
>>>> the other end of the spectrum compared to WebID but that doesn't render
>>>> it useless; it just requires much more work on every front you can imagine.
>>> 
>>> I think I can imagine. It is already so much work to get a simple idea like WebID widely understood and adopted.
>>> For sure the WebID story does benefit a lot from deeper longer term changes such as DNSsec, DANE, and other infrastructure improvements, including improved provisioning, as these help develop a better future roadmap.
>>> 
>>>> Is there a short-cut?  I haven't seen it at least.  That current schemes
>>>> work for WebID is true but a close to 100% reject of <keygen> and CertEnroll
>>>> for *other* usages seems to say something as well.
>>> 
>>> Yes, the provisioning of cryptokeys with WebID does apparently work with keygen
>>> but the user experience is not very satisfactory, as you can see in the second video
>>> "WebID and the crypto Stick" on http://bblfish.net/blog/2011/05/25/
>>> 
>>> It would be great to have provisioning of such hardware devices be as easy as simple
>>> key generation in a browser.
>>> 
>>> I have heard of the keygen2 proposal,
>>> http://webpki.org/auth-token-4-the-cloud.html
>>> but I am not sure what other use cases the more advanced keygens are trying to solve -
>>> probably because I have not yet hit those limits myself.
>>> 
>>> 
>>>> If my long-short works as
>>>> planned, WebID will benefit from a fundamentally better platform including
>>>> a GUI borrowed from Microsoft's [unfortunately failed] Information Card project.
>>> 
>>> Their GUI was a good idea. They did not make it webby enough I can now see from the WebID experience. By tying the information to the WebId, the GUI could be dynamically up to date with information from the web.
>>> 
>>>> 
>>>> "Everybody should have their own business plan"
>>>> 
>>>> I have in my project removed "business" but kept "plan".  Open HW + SW
>>>> clearly isn't what the "authentication industry" is looking for.  However,
>>>> the potential *users* of the technology should have no issues with that :-)
>>> 
>>> The global authentication space is going to be much bigger than anything else, mainly because it will be open, flexible and decentralised. Those are the initial requirements for any global network effect to get going, and those follow exponential curves.
>>> 
>>>> 
>>>> BTW, WebID is great!
>>> 
>>> Thanks. I look forward to a primekey implementation :-) Technical feedback on our spec from implementation experience would be greatly welcome. We are now developing simple test suites to help us narrow down on issues. It would be great to have some of your members joining http://tinyurl.com/webidxg
>>> 
>>>> It will be even greater when you keep your ID in
>>>> the phone.
>>> 
>>> yes, WebID is a killer app in the cell phone. It used to work in the iPhone a few years ago,
>>> and my demos were extremely convincing.
>>> 
>>> http://blogs.oracle.com/bblfish/entry/one_click_global_sign_on
>>> 
>>> I am not sure which cell phones it works in now. The iPhone had an SSL problem a while after I wrote that article. And I don't have a cell phone myself now. We need more deployment to help make the case for it.
>>> 
>>> Henry
>>> 
>>> 
>>>> But we have to wait:
>>>> 
>>>> http://www.mobilepaymentstoday.com/blog/5901/Forget-about-the-wallet-wars-here-come-the-IP-wars
>>>> 
>>>> Anders
>>>> 
>>>> 
>>>> On 2011-06-28 14:34, Henry Story wrote:
>>>>> 
>>>>> On 28 Jun 2011, at 13:35, Anders Rundgren wrote:
>>>>> 
>>>>>> On 2011-06-28 12:01, Josh Howlett wrote:
>>>>>>> 
>>>>>>>> A fundamental problem with option #2 is that it seems hard (maybe even
>>>>>>>> impossible) just getting down the basics such as Why, What and How.
>>>>>>> 
>>>>>>> Could you expand on what you mean by that?
>>>>>> 
>>>>>> Well, before you start anything it is always good to know WHY
>>>>>> you are doing it.  This is essentially the "vision" part.
>>>>> 
>>>>> "Philosophy and the Social Web"
>>>>> http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083
>>>>> 
>>>>> All about what the web is, how it fits together architecturally and why Identity is core to it,
>>>>> and why it is so important to have it decentralised.
>>>>> 
>>>>>> HOW should presumably describe the necessary deliverables and the
>>>>>> strategy for getting these adopted.   The latter is almost always
>>>>>> missing because that is close to "business plan".
>>>>> 
>>>>> Implementations that interoperate. Everybody should have their own business plan.
>>>>> Bootstrapping is always difficult.
>>>>> 
>>>>>> 
>>>>>> WHAT is the thing that existing charters usually specify.  Like
>>>>>> a secure authentication solution for mobile users.
>>>>> 
>>>>> What, with an order of delivery
>>>>> - WebID for authentication
>>>>> - Authentication ontologies - to describe who can access what resource (ACL work at W3C)
>>>>> - privacy ontologies (what can be done with the data)
>>>>> - logics to tie any other auth system into WebID: so you can show how different authentication systems work
>>>>> - formalised trust logics
>>>>> 
>>>>> One does not need the whole stack. WebID works pretty well, combines nicely with openid, and can be used to start building the platform.
>>>>> 
>>>>> My feeling is more that for some psychological reason, the obvious solutions (to me) seem to be invisible to a lot of people in this space.
>>>>> 
>>>>> 
>>>>> Henry
>>>>> 
>>>>>> 
>>>>>> Anders
>>>>>> 
>>>>>>> 
>>>>>>> Josh.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> JANET(UK) is a trading name of The JNT Association, a company limited
>>>>>>> by guarantee which is registered in England under No. 2881024
>>>>>>> and whose Registered Office is at Lumen House, Library Avenue,
>>>>>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> Social Web Architect
>>>>> http://bblfish.net/
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>>> Social Web Architect
>>> http://bblfish.net/
>>> 
>>> 
>>> 
>> 
>> 
> 

Social Web Architect
http://bblfish.net/

Received on Saturday, 2 July 2011 07:53:34 UTC
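The optional-client-certificate branch Henry sketches in his reply (ask for a certificate, log the user in if one with a WebID arrives, otherwise serve the provider chooser), as an added example that is not part of the original mail or of any WebID implementation. It is Go using only the standard library, and the WebID https://example.org/henry#me, the "Henry" and "corp-user" certificates and the /login path are all made up for the example. It stands up a loopback TLS endpoint configured with tls.RequestClientCert (request, never require, no CA verification), then exercises three clients: one presenting a certificate whose subjectAltName carries a WebID URI, one presenting a certificate without any WebID, and one presenting nothing. Only the first is logged in; the other two get the chooser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// webIDFromRequest returns the first http(s) URI found in the client
// certificate's subjectAltName, which is where a WebID certificate carries
// the WebID. It reports false when no certificate was sent, or none has such
// a URI. Note: the URI is only a *claim*. A real WebID verifier still has to
// fetch the profile document and check it lists this certificate's public key;
// that step is deliberately not shown here.
func webIDFromRequest(r *http.Request) (string, bool) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", false
	}
	for _, u := range r.TLS.PeerCertificates[0].URIs {
		if u.Scheme == "https" || u.Scheme == "http" {
			return u.String(), true
		}
	}
	return "", false
}

// loginHandler is the branch from the mail: WebID certificate -> logged in,
// anything else -> the provider chooser (the "NASCAR" page).
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if webid, ok := webIDFromRequest(r); ok {
		fmt.Fprintf(w, "webid:%s", webid)
		return
	}
	fmt.Fprint(w, "chooser")
}

// selfSignedCert makes a throwaway self-signed client certificate (constructed
// test data). A non-empty webid goes into the SAN URI field as WebID certs do.
func selfSignedCert(cn, webid string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if webid != "" {
		u, err := url.Parse(webid)
		if err != nil {
			return tls.Certificate{}, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fetch calls the login endpoint over a fresh transport, so a kept-alive TLS
// connection cannot carry one client's certificate over into the next request.
func fetch(srv *httptest.Server, cert *tls.Certificate) (string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // trusts the test server cert
	defer tr.CloseIdleConnections()
	if cert != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*cert}
	}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/login")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo stands up the endpoint and exercises the three client situations.
func runDemo() (withWebID, certNoWebID, noCert string, err error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(loginHandler))
	// Ask for a client certificate but neither require nor CA-verify it. This
	// is what makes the fallback possible: RequireAndVerifyClientCert would
	// fail the handshake for every browser that has no certificate to offer.
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert}
	srv.StartTLS()
	defer srv.Close()

	webidCert, err := selfSignedCert("Henry", "https://example.org/henry#me") // hypothetical WebID
	if err != nil {
		return
	}
	plainCert, err := selfSignedCert("corp-user", "") // a certificate with no WebID in it
	if err != nil {
		return
	}
	if withWebID, err = fetch(srv, &webidCert); err != nil {
		return
	}
	if certNoWebID, err = fetch(srv, &plainCert); err != nil {
		return
	}
	noCert, err = fetch(srv, nil)
	return
}

func main() {
	a, b, c, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("WebID cert:", a, "| other cert:", b, "| no cert:", c)
}
```

Two points worth keeping in mind when doing this for real. First, the server side must stay at "request" rather than "require": the whole trick is that the handshake succeeds without a certificate, so the chooser page can be served on the same origin. Second, the handler above only reads the WebID URI out of the certificate; WebID's actual authentication step (dereferencing the profile and matching the public key) still has to run before the user is treated as logged in, and a certificate that fails that check should be routed to the chooser just like no certificate at all.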