WebID. Re: Draft Web Identithy Working Group Charter for Discussion from Anders Rundgren on 2011-10-19 (public-identity@w3.org from October 2011)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Wed, 19 Oct 2011 14:13:01 +0200
To: Harry Halpin <hhalpin@w3.org>
CC: Henry Story <henry.story@bblfish.net>, public-identity@w3.org
Message-ID: <4E9EBECD.7020202@telia.com>
On 2011-10-18 21:58, Harry Halpin wrote:
>>
>> On 18 Oct 2011, at 21:05, Harry Halpin wrote:
>>
>>>> sounds good, but why no mention of WebID?
>>>>
>>>> Henry
>>>
>>> At the workshop, it seemed people wanted to focus on API based work
>>> first
>>> such as the Crypto API, and certificates were discussed but thought of
>>> as
>>> out-of-scope for this future working group, although the W3C would be
>>> happy to see future work around certificates (everyone agrees current
>>> situation is a mess). The one idea that came up was a possible future
>>> workshop focused more narrowly on certificates.

A problem as I see it is that the people from "The Big Three" at the
workshop do not really represent their employers' ideas of what is
*important*.  Here follows a few recent real-world examples:


The neat enrollment scheme in iPhone which Apple didn't even mention
when <keygen> was standardized [*] by the W3C:

http://images.apple.com/iphone/business/docs/iPhone_OTA_Enrollment_Configuration.pdf


How enrollment works in this Microsoft preview is currently secret
because the TCG considered this out-of-scope although it is a
prerequisite for the demo:

http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T


Almost nothing of this solution is currently publicly documented:

http://mail.google.com/wallet


The once very hyped Liberty Alliance Project succeeded fairly
well except on the client side which again shows that mucking
around in the client is more than difficult.


My conclusion is that the traditional way of establishing standards
is gone.  With the new "Super Providers" Apple and Google, who own entire
ecosystems, from the devices to services, the motives for standardization
seems pretty marginal.  I have therefore in my private "standardization
efforts" focused on things that Apple and Google do not consider core
business such as upgrading smart cards to work in a web world:

http://webpki.org/papers/keygen2/sks-keygen2-exec-level-presentation.pdf

The primary issue with standardization in the case of universal web identity
solutions is that there is no money in it unless your job is "to standardize".
Essentially only "The Big Three" really have such resources as well :-(


How about WebID?  Well, this is primarily a deployment issue which
fate also is the hands of the "Super Providers".

Anders

*] A proper market analysis would have revealed that <keygen> de-facto
has less than 5% market-share for on-line enrolled certificates and
therefore never was a candidate for standardization in spite of being
supported by most browser vendors except Microsoft.






>>
>> The WebID working group is not a working group about certificates. It is
>> about tying
>> TLS/SSL to identity to the web using simple web architecture. The most
>> active list of all
>> the groups you have created recently is the WebId XG list. Few of us were
>> present in
>> California during your discussion. So perhaps you could take that into
>> account, and allow
>> us to have a discussion of how webid can tie into these other protocols.
>> We did not
>> look at that in the WebID XG simply in order to make sure we could deliver
>> something.
>>
> 
> Currently the WebID work does depend critically on certificates, which is
> why I brought that option of another workshop up (as there's no
> non-certificate purely API-based option in your draft spec).
> 
> We are of course following the WebID's work and look forward to your
> concrete suggestions that comes from any discussion on the WebID list,
> although I would request that WebID-specific discussions stay on the WebID
> list and then your group gives the W3C a single list of requested changes
> to the charter, as discussions on this list should ideally focus on
> textual changes and scoping to the charter.
> 
> 
>>
>> Henry
>>
>>>
>>>        cheers,
>>>           harry
>>>
>>>>
>>>> On 18 Oct 2011, at 19:53, Harry Halpin wrote:
>>>>
>>>>> Everyone,
>>>>>
>>>>> While its still not fully baked, we'd like to open the discussion on
>>>>> the
>>>>> list over this draft charter for a "Web Identity" Working Group:
>>>>>
>>>>> http://www.w3.org/2011/08/webidentity-charter.html
>>>>>
>>>>> Everything is fair game - I'm not quite comfortable even with the
>>>>> Working
>>>>> Group name. Also, there are issues of how we should scope this,
>>>>> whether
>>>>> or
>>>>> not we should split the work into two WGs (one for a Crypto API and
>>>>> another for a higher-level identity API and hooks for
>>>>> device/browser-aware
>>>>> authentication) or stick it in one WG - and of course relations to
>>>>> other
>>>>> standards bodies.
>>>>>
>>>>> Also, if any of you are near Silicon Valley we can discuss this in
>>>>> person
>>>>> at the W3C Technical Plenary on Nov 1st. I'll send that email out in
>>>>> one
>>>>> sec..
>>>>>
>>>>> And if anyone is at Internet Identity Workshop I'm here to discuss the
>>>>> charter.
>>>>>
>>>>> cheers,
>>>>>       harry
>>>>>
>>>>>
>>>>
>>>> Social Web Architect
>>>> http://bblfish.net/
>>>>
>>>>
>>>>
>>>
>>
>> Social Web Architect
>> http://bblfish.net/
>>
>>
> 
> 
>
Received on Wednesday, 19 October 2011 12:13:35 UTC