Re: Browser UI & privacy - a discussion with Ben Laurie

On 4 October 2012 17:10, Hannes Tschofenig <hannes.tschofenig@gmx.net>wrote:

> Hi Melvin,
>
> On Oct 4, 2012, at 4:49 PM, Melvin Carvalho wrote:
>
> > I think the aim is to have an identity system that is universal.  The
> web is predicated on the principle that an identifier in one system (eg a
> browser) will be portable to any other system (eg a search engine) and vice
> versa.  The same principle applied to identity would allow things to scale
> globally.  This has, for example, the benefit of allowing users to take
> their data, or reputation footprint when them across the web.  I think
> there is a focus on WebID because it is the only identity system to date
> (although yadis/openid 1.0 came close) that easily allows this.  I think
> many would be happy to use another system if it was global like WebID,
> rather than another limited context silo.
>
> I think there is a lot of confusion about the difference between
> identifier and identity. You also seem to confuse them.
>
> Here is the difference:
>
>    $ Identifier:   A data object that represents a specific identity of
>       a protocol entity or individual.  See [RFC4949].
>
>  Example: a NAI is an identifier
>
>    $ Identity:   Any subset of an individual's attributes that
>       identifies the individual within a given context.  Individuals
>       usually have multiple identities for use in different contexts.
>
>  Example: the stuff you have at your Facebook account
>
> To illustrate the impact for protocols let me try to explain this with
> OpenID Connect.
>
> OpenID Connect currently uses SWD (Simple Web Discovery) to use a number
> of identifiers to discover the identity provider, see
> http://openid.net/specs/openid-connect-discovery-1_0.html
>
> The identifier will also have a role when the resource owner authenticates
> to the identity provider. The identifier may also be shared with the
> relying party for authorization decisions.
>
> Then, there is the question of how you extract attributes from the
> identity provider and to make them available to the relying party. There,
> very few standards exist (this is the step that follows OAuth). The reason
> for the lack of standards is not that it isn't possible to standardize
> these protocols but there are just too many applications. A social network
> is different from a system that uploads data from a smart meter. Facebook,
> for example, uses their social graph and other services use their own
> proprietary "APIs" as well.
>
> This is the identity issue.
>
> You are mixing all these topics together. This makes it quite difficult to
> figure out what currently deployed systems do not provide.
>

Thank you for the pointer and clarifying terms.

Perhaps it would be illustrative to compare the example


1. OpenID
=========

How do you identify a user?  As per your link above:

1.1 XRI based = @ identifiers are reserved.  Already we're on the road to
incompatibility, XRI was voted down by OASIS and recommended not to be used
in favour or URI by the W3C.  I may be unaware of the latest developments,
in any case a minor point.

1.2 URL identity.  You are forced to strip off the fragment identifier
meaning that all identities are Documents aka Information resource.  Kudos
to OpenID that they've kept this strain in there since the original Yadis
(which was based on FOAF btw), but ti's inconsistent with web architecture
and has incompatibility issues too.

1.3 Anything with an @ is assumed to be an email address.  That's fine
until the acct: scheme gets used then more incompatibility issues.  Did I
mention XMPP, SIP and other schemes with an @ in it.

AFIAK this is still a draft and it has tentatively been agreed to be
replaced with webfinger.  We can only make guesses about the final form at
this stage.

Solution use universal identifiers and have a URI which is deigned for
compatibility and can also include tel: of which there are 5 billion today.


2 Facebook Open Graph Protocol
=============================

Generally a reasonable efffort imho.  The use URLs to describe users and
have their own vocab.  David Recordon thought about using FOAF for this but
decided on the simplicity of a single vocab.  Facebook serve data in turtle
too where the users actually have a fragment identifier meaning a user and
a webpage need not be the same thing.  Why is this important?  Because when
I send money I want it to go to a person and not a document, for example.

I should add tent.io is similar in this category


3 Mozilla Persona
================

To be fair it's a very young initiative but still has some ways to go.
Seems unclear how they define identity at all in their spec.  They are very
keen on the email paradigm, so much so that any other possible identity is
actually forbidden.   This is incompatibility hell.  Furthermore, email
addresses dont even use the mailto: scheme leaving it ambiguous.   Once
again it's harsh to overly criticize this initiative as it is so new.


4 WebID
========

Users are represented as a URI.  Bingo!  Compatibility heaven.  The answer
was hidden in plain site.

People tend to focus on HTTP and X.509 when talking about it, but simply
it's about using PKI to verify a URI.  People do fairly criticize WebID on
usability, so hopefully that's something that can be addressed.  But
fundamentally what we are aiming for in interoperability.


So to summarize we have a bunch of specs that originally aimed at solving
the "walled garden" problem of Web 2.0 (incompatibility of website) but
you've simply replaced one set of walled (websites) gardens with another
(APIs).  The web was designed to bring all these systems together, but
today we still see fragmentation.  But if we can at least start using
compatible identifiers the walled garden problem will finally start to go
away.


> Ciao
> Hannes
>
>