W3C home > Mailing lists > Public > public-rww@w3.org > August 2012

Re: Fwd: wwwhisper project announcement (#ACL & https://login.persona.org)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 12 Aug 2012 19:21:43 +0200
Message-ID: <CAKaEYhLSZ2gd9ZWrZc4uc9oC-eBeTh3YASaPVP4r4fDoqa3QrA@mail.gmail.com>
To: Jan Wrobel <wrr@mixedbit.org>
Cc: public-rww <public-rww@w3.org>
On 12 August 2012 13:54, Jan Wrobel <wrr@mixedbit.org> wrote:

> Hi,
> I'm Jan from the wwwhisper project. Let me comment on some issues
> raised in this thread (sorry I'm not citing original emails but I was
> not subscribed to the list).

Welcome to the list! :)

> At the moment wwwhisper supports only email identities verified with
> Persona. From the technical perspective, once nginx is able to pass a
> certificate to a backend, extending wwwhisper to support WebID should
> be pretty straightforward. The notion of a user id needs to be
> generalized  to accept URLs and the code that verifies Persona
> assertions needs to be generalized to verify validity of the TLS
> certificates (this is Python code, so doing such stuff is much easier
> than in a low level HTTP server code). wwwhisper uses Persona
> assertion only for an initial authentication, once assertion is
> verified, a session cookie is set to identify the user. With WebID, a
> better solution would probably be to always rely on the certificate
> and do not set the cookie at all.

Yes it would be awesome if both mailto: and http: style identifier were

> >From non-technical perspective, I think that using WebID for Web ACLs
> would be of a very limited use today. The single most important
> feature of Web ACL system is the size of the audience (i.e. how many
> people you can share with?). Persona solves the critical mass problem
> by piggybacking on email ids. Because of this, I can share with
> everyone with an email. Emails are also well understand. It will be a
> long time until a question 'what is you WebID?' is as clear to an
> average Internet users as 'what is you email?'. Sure, having email is
> not enough to be able to authenticate to the wwwhisper protected
> service, a user needs to use Persona to prove ownership of an email.
> But the act of sharing does not require any action from the person
> that I share with, which is critical from the usability perspective.
> With WebID, I first need to ask the user to create WebID (not very
> easy process) and only than I can share with this user.

I do see your point in that there's a big advantage of going with the
network effect, and this can help prioritize and focus.

> I don't understand why you call Persona 'a silo'. Unlike for example
> Facebook ids, Persona is a distributed system. Every email provider
> can run its own verifier. If you have your own domain and a mail
> server you can also run a verification server and be in total control
> of your identity.

Facebook open graph is distributed, anyone can run   graph.network.com
...  or mnot's suggestion of   network.com/.well-known/user/bob perhaps
even better

But the critical mass is the system that supports all types of
identifiers.  Picking winners and losers is not attractive in web
architecture (principle of tolerance).  The silo is the one that
essentially says 'my way or the high way'.  Persona have architected their
system in such a way as to make it hard to interop with anything else.
WebID on the other hand can handle any kind of identifier, therefore is
universal and user centric.

> Thanks,
> Jan
Received on Sunday, 12 August 2012 17:22:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:10:32 UTC