Re: The Internet Identity (WG) Crisis

On 2 Jul 2011, at 01:27, Dirk Pranke wrote:

> On Wed, Jun 29, 2011 at 12:21 AM, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 28 Jun 2011, at 15:05, Anders Rundgren wrote:
>> 
>>> Henry,
>>> 
>>> I don't disagree with what you write but there are initiatives
>>> having a higher inertia than WebID because they depend on
>>> multiple things to happen at roughly the same time.
>>> 
>>> Anything browser-2-server "protocolish" falls into this category.
>> 
>> Yes, that's why with WebID we are very careful to require no browser changes, since those are the most difficult to deploy.
> 
> While I would agree that for most if not all of the 2000's this was
> true and a reasonable design constraint, it is not clear that this is
> still true or reasonable (as I argued in my presentation at the w3c
> summit). While I do grant that there is still a large IE6/7/8 user
> base locked out of potential changes, it is not clear that fixing this
> is actually more difficult (or important to accommodate) than changing
> the bajillion services out there that still require usernames and
> passwords, or retraining and providing an upgrade path for the
> hundreds of millions of users who have existing usernames and
> passwords (or, now, increasingly are getting used to OpenID and/or FB
> Connect).

It is true that browser deployments are now much faster than they used to be in the 1990s when I was at AltaVista working on the BabelFish machine translation engine. Which is why I am also hopeful that some of the SSL User Interface Issues can be solved a lot faster. Chrome has been moving very well in that space for a while. They even had a developer working on the improvements I suggested in my video at the workshop: you can see some of the work he did here

http://code.google.com/p/chromium/issues/detail?id=29784

I think I convinced him too well of the usefulness of identity and hence social web integration in the browser as he then left to work for the US startup that is building a social web platform in Chrome - a too heavy approach in my view.

> 
> For example, if we could wave a magic wand and come up with a new
> system that worked across all services on the web and in the next
> major version of each browser, that might be enough of an upgrade
> incentive to make the legacy problem go away.
> 
> Of course that depends on what your goals are ... get new services to
> use WebID, or get existing services to change?

I think they can be made to work very well together. You can try to automate username password generation - which still requires sites to do some changes, and you can improve the user experience for client side certificate management and selection. In fact the UI experience should be the same [see the work by Aza Raskin]. The TLS version has the advantage of providing much deeper security, and the disadvantage of requiring changes to the servers. The WebID version also does not require username password state management everywhere, so it is more RESTful.

Again these are not antithetical requirements. They are complementary. The point is to notice that TLS, if you look at it with WebID lenses on (i.e. without the hierarchical CAs), solves a huge number of problems people have been looking for solutions for. And furthermore in a webby manner.

Henry


> 
> -- Dirk
> 
>> The idea is to build momentum on a basis that is not perfect, but that works, and so to build a larger voice: the voice of the users. The browsers were never perfect and were always evolving anyway, but have grown through feedback.
>> 
>>> If we take my pet project, Key Provisioning, it is undoubtedly in
>>> the other end of the spectrum compared to WebID but that doesn't render
>>> it useless; it just requires much more work on every front you can imagine.
>> 
>> I think I can imagine. It is already so much work to get a simple idea like WebID widely understood and adopted.
>> For sure the WebID story does benefit a lot from deeper longer term changes such as DNSsec, DANE, and other infrastructure improvements, including improved provisioning, as these help develop a better future roadmap.
>> 
>>> Is there a short-cut?  I haven't seen it at least.  That current schemes
>>> work for WebID is true but a close to 100% reject of <keygen> and CertEnroll
>>> for *other* usages seems to say something as well.
>> 
>> Yes, the provisioning of cryptokeys with WebID does apparently work with keygen
>> but the user experience is not very satisfactory, as you can see in the second video
>> "WebID and the crypto Stick" on http://bblfish.net/blog/2011/05/25/
>> 
>> It would be great to have provisioning of such hardware devices be as easy as simple
>> key generation in a browser.
>> 
>> I have heard of the keygen2 proposal,
>>  http://webpki.org/auth-token-4-the-cloud.html
>> but I am not sure what other use cases the more advanced keygens are trying to solve -
>> probably because I have not yet hit those limits myself.
>> 
>> 
>>> If my long-short works as
>>> planned, WebID will benefit from a fundamentally better platform including
>>> a GUI borrowed from Microsoft's [unfortunately failed] Information Card project.
>> 
>> Their GUI was a good idea. They did not make it webby enough I can now see from the WebID experience. By tying the information to the WebId, the GUI could be dynamically up to date with information from the web.
>> 
>>> 
>>> "Everybody should have their own business plan"
>>> 
>>> I have in my project removed "business" but kept "plan".  Open HW + SW
>>> clearly isn't what the "authentication industry" is looking for.  However,
>>> the potential *users* of the technology should have no issues with that :-)
>> 
>> The global authentication space is going to be much bigger than anything else, mainly because it will be open, flexible and decentralised. Those are the initial requirements for any global network effect to get going, and those follow exponential curves.
>> 
>>> 
>>> BTW, WebID is great!
>> 
>> Thanks. I look forward to a primekey implementation :-) Technical feedback on our spec from implementation experience would be greatly welcome. We are now developing simple test suites to help us narrow down on issues. It would be great to have some of your members joining http://tinyurl.com/webidxg
>> 
>>> It will be even greater when you keep your ID in
>>> the phone.
>> 
>> Yes, WebID is a killer app in the cell phone. It used to work in the iPhone a few years ago,
>> and my demos were extremely convincing.
>> 
>> http://blogs.oracle.com/bblfish/entry/one_click_global_sign_on
>> 
>> I am not sure which cell phones it works in now. The iPhone had an SSL problem a while after I wrote that article. And I don't have a cell phone myself now. We need more deployment to help make the case for it.
>> 
>> Henry
>> 
>> 
>>> But we have to wait:
>>> 
>>> http://www.mobilepaymentstoday.com/blog/5901/Forget-about-the-wallet-wars-here-come-the-IP-wars
>>> 
>>> Anders
>>> 
>>> 
>>> On 2011-06-28 14:34, Henry Story wrote:
>>>> 
>>>> On 28 Jun 2011, at 13:35, Anders Rundgren wrote:
>>>> 
>>>>> On 2011-06-28 12:01, Josh Howlett wrote:
>>>>>> 
>>>>>>> A fundamental problem with option #2 is that it seems hard (maybe even
>>>>>>> impossible) just getting down the basics such as Why, What and How.
>>>>>> 
>>>>>> Could you expand on what you mean by that?
>>>>> 
>>>>> Well, before you start anything it is always good to know WHY
>>>>> you are doing it.  This is essentially the "vision" part.
>>>> 
>>>> "Philosophy and the Social Web"
>>>> http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083
>>>> 
>>>> All about what the web is, how it fits together architecturally and why Identity is core to it,
>>>> and why it is so important to have it decentralised.
>>>> 
>>>>> HOW should presumably describe the necessary deliverables and the
>>>>> strategy for getting these adopted.   The latter is almost always
>>>>> missing because that is close to "business plan".
>>>> 
>>>> Implementations that interoperate. Everybody should have their own business plan.
>>>> Bootstrapping is always difficult.
>>>> 
>>>>> 
>>>>> WHAT is the thing that existing charters usually specify.  Like
>>>>> a secure authentication solution for mobile users.
>>>> 
>>>> What, with an order of delivery
>>>>  - WebID for authentication
>>>>  - Authentication ontologies - to describe who can access what resource (ACL work at W3C)
>>>>  - privacy ontologies (what can be done with the data)
>>>>  - logics to tie any other auth system into WebID: so you can show how different authentication systems work
>>>>  - formalised trust logics
>>>> 
>>>> One does not need the whole stack. WebID works pretty well, combines nicely with openid, and can be used to start building the platform.
>>>> 
>>>> My feeling is more that for some psychological reason, the obvious solutions (to me) seem to be invisible to a lot of people in this space.
>>>> 
>>>> 
>>>> Henry
>>>> 
>>>>> 
>>>>> Anders
>>>>> 
>>>>>> 
>>>>>> Josh.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> JANET(UK) is a trading name of The JNT Association, a company limited
>>>>>> by guarantee which is registered in England under No. 2881024
>>>>>> and whose Registered Office is at Lumen House, Library Avenue,
>>>>>> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> Social Web Architect
>>>> http://bblfish.net/
>>>> 
>>>> 
>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
>> 

Social Web Architect
http://bblfish.net/

Received on Saturday, 2 July 2011 08:14:42 UTC