- From: Lionel Wolberger <lionel@userway.org>
- Date: Wed, 6 Apr 2022 16:22:55 +0300
- To: RQTF <public-rqtf@w3.org>
- Cc: Janina Sajka <janina@rednote.net>
- Message-ID: <CAHOHNHew79bpS8rWRV+v_jRda0uwVejaL=Nd4KpEM=46DdO+zw@mail.gmail.com>

At the request of the chair, sharing Janina's reach out to Manu, and Manu's response. His response is first, followed by Janina's original mail.

- Lionel

On 4/1/22 8:24 AM, Janina Sajka wrote:
> I'm reaching out to ask after level of activity on Authentication related
> specifications and APIs in W3C. I believe you might know, but I could be
> wrong. Please feel free to tell me if you're not up to speed on current activity
> in this W3C area of work.

Hi Janina, so good to hear from you!

I know of a subset of the ecosystem and am heading up a pilot-going-to-production program in the US (152,000+ retail locations, 200 million user base) that achieves the "proof of personhood" bar and shifts the mechanism to the individual and their software instead of relying on the publisher to provide that service. It's a non-profit run age verification system, that performs in-person vetting, and is truly GDPR privacy-respecting -- using untraceable-by-the-website single-use tokens. I can go into more detail on that if you're interested.

I believe this is the ultimate, and "controversial", goal you alluded to at the end. It's not controversial to us -- we're deploying it into production this year (and it's built on W3C open standards -- Decentralized Identifiers (DID) and Verifiable Credentials (VC)).

I'm sharing all of this with you to try and convey that, yes, I get the use case and think it's a vitally important one for a11y. I do want to warn you that all is not solved... that the client-side stuff, the digital wallets that people use to convey this information, have a11y challenges.

As you also know, I came to present the concept of an "Accessibility Profile" that could be used by people to the APA, powered by W3C Verifiable Credentials, many years ago. I have been intending to engage the W3C a11y folks at the right moment, which I believe to still be 6-9 months out, to ensure that we don't screw this up. So, your email is timely as well.

> Perhaps you might know that CloudFlare has something called CAP they
> believe could protect a user's privacy/identity and yet satisfy a web
> content server that the accessing user is really a human.

I don't know about CAP, but am happy to read up on it to try and understand how it fits into the landscape.

> Frankly, while it doesn't protect privacy, I regard Google's Recaptcha3 as
> serving a similar need from the accessibility perspective because it can
> attest the personhood of the user without interacting with that user.

Yes, well, Google has their own reasons for providing the service... and that's ensuring their dominance in the tracking industry. While it would solve the automated recaptcha problem, it has a centralization and privacy downside.

> I'm also aware of technologies like Privacy Pass, solve CAPTCHA once and
> keep reusing your tokens.

Haven't looked into Privacy Pass either, and will have to read up on it, but these are all variations on a theme.

> Is there W3C activity around these issues? Do you know what WG?

I know that the W3C VC WG has an interest here, but it's not the same as the initiatives you mentioned. We're in the process of being rechartered and have put in scope "Guidance to enhance Verifiable Credential interoperability -- Verifiable Credential Extension Vocabularies"... which is a fancy way of saying that we are cleared to work on some of what you mention in a non-normative capacity to start.

> I would like to reach out re updating our CAPTCHA Note, and possibly asking
> to have it elevated to a W3C Statement per most recent W3C Process. A
> joint publication would probably be most helpful to achieve that.

I expect that you would find support in at least the Credentials Community Group (450+ people), W3C VC WG, and W3C DID WG.

> Lastly, and possibly most controversially, I'm looking to explore whether
> there's any appetite to shift the reverse Turing test burden to the user
> agent and away from the content publishing side.
> My accessibility reason is
> that users could then lock in a service provider of their choosing--whereas
> the current content-based CAPTCHA approach essentially means every style of
> CAPTCHA will be encountered by individual users, which is clearly not the
> best for accessibility.

Yes, this is a shared goal for the W3C VC WG. Happy to have a chat about this if you're interested to strategise.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

=========================

Hi, Manu:

I'm reaching out to ask after level of activity on Authentication related specifications and APIs in W3C. I believe you might know, but I could be wrong. Please feel free to tell me if you're not up to speed on current activity in this W3C area of work.

Our APA Working Group is reviving our CAPTCHA Note because of recent advances that promise, very possibly, to simply kill CAPTCHA as no longer recommended.

Perhaps you might know that CloudFlare has something called CAP they believe could protect a user's privacy/identity and yet satisfy a web content server that the accessing user is really a human.

Frankly, while it doesn't protect privacy, I regard Google's Recaptcha3 as serving a similar need from the accessibility perspective because it can attest the personhood of the user without interacting with that user.

I'm also aware of technologies like Privacy Pass, solve CAPTCHA once and keep reusing your tokens.

Is there W3C activity around these issues? Do you know what WG?

I would like to reach out re updating our CAPTCHA Note, and possibly asking to have it elevated to a W3C Statement per most recent W3C Process. A joint publication would probably be most helpful to achieve that.

Lastly, and possibly most controversially, I'm looking to explore whether there's any appetite to shift the reverse Turing test burden to the user agent and away from the content publishing side. My accessibility reason is that users could then lock in a service provider of their choosing--whereas the current content-based CAPTCHA approach essentially means every style of CAPTCHA will be encountered by individual users, which is clearly not the best for accessibility.

Hoping you're doing well,

Janina

--
Janina Sajka (she/her/hers)
https://linkedin.com/in/jsajka

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Co-Chair, Accessible Platform Architectures http://www.w3.org/wai/apa

Lionel Wolberger
COO, UserWay Inc.
lionel@userway.org
UserWay.org <http://userway.org/>

Received on Wednesday, 6 April 2022 13:24:44 UTC