Re: [community] from W3C….Fwd: Proposal: "User" header field

• From: ☮ elf Pavlik ☮ <perpetual-tripper@wwelves.org>
• Date: Thu, 18 Jul 2013 07:01:09 +0000
• To: Nat Sakimura <sakimura@gmail.com>
• Cc: Melvin Carvalho <melvincarvalho@gmail.com>, public-rww <public-rww@w3.org>
• Message-Id: <1374130453-sup-7852@heahdk.net>

Hi Nat,

I understand your concerns, at the same time I already for some years now overwrite headers in my browser to set From: to email address I sent this very email from :)

While in current *dark age* of The Web providing *hint* of ones identity can feel scary. I believe as the web matures and our human culture evolves, it will become very useful and not so scary thing to do. I don't say we should promote such *hinting* as a recommendation today, but work on technologies to have it available to use in near future.

Cheers!
☮ elf Pavlik ☮

Excerpts from Nat Sakimura's message of 2013-07-17 23:56:25 +0000:
> Thanks for reaching out and the clarification.
> 
> I gather that you envision some kind of user interface on the browser so
> that the user can store the user identifier in the URI form (which happen
> to be OpenID 1.0 concept, btw).
> 
> Then, the web sites asks for the header when they want, and the user
> encounters a dialogue whether or not to give it.
> 
> Is that the use case?
> 
> IMHO, there are two problems with it.
> 
> 1. Re: privacy: People will be trained to click Yes, turning the Internet
> Dog into Pavlov's Dog.
> 2. Re: security: Web sites will make mistakes to assume that is an
> authenticated identifier. It is not.
>     It is easy to spoof. It will cause user's accounts being hijacked, etc.
> 3. Re: fraud: Users has no protection layer between the malicious site and
> the web browser.
>     It is a common attack by the fraudulent sites to ask for money when
> they get hold of user's identifier.
>     In the IdP model, IdPs can block and filter the RP request for the user
> identifier protecting the user.
>     It has been a big issue in Japan, at least, since Mobile browsers of
> the feature phones actually
>     sent the user identifier as hint.
> 
> Even if we say "it is just a hint" in the specification, people will not
> read it and make mistakes.
> It is the duty of us protocol designers to consider these "human factors"
> into account and consider the public safety issues.
> 
> I would probably be ok to send the IdP's address as a hint, as it cannot be
> mistaken as a user identifier then by the sites. It poses less  privacy
> issues as well, and users has more protection.
> 
> Best,
> 
> Nat
> 
> 
> 2013/7/18 Melvin Carvalho <melvincarvalho@gmail.com>
> 
> >
> >
> >
> > On 18 July 2013 01:06, Nat Sakimura <sakimura@gmail.com> wrote:
> >
> >> Hi.
> >>
> >> I am forwarding the mail in the identity commons list.
> >>
> >> Apparently, there is an initiative at W3C proposing a new "identity"
> >> header, which I believe is actually harmful for the general public. Simple
> >> web sites are going to take it as authenticated identity and thus will
> >> cause identity theft of their users.
> >>
> >> Their proposal is to include
> >>
> >>   User: http://this.is.the/user/identifier
> >>
> >> in the HTTP header.
> >>
> >> Could those of you active in W3C reach out to them?
> >>
> >> As I have written below, if it were to just include the IdP address as a
> >> hint, I am kind of fine.
> >>
> >
> > Thanks for sharing this.  Since this was my proposal, I hope I can shed a
> > bit of light light.
> >
> > Firstly, it's not the W3C, simply a group of people brainstorming in the a
> > W3C hosted forum (aka community groups).  The proposal has no official
> > standing, but if there are no objections, the idea is to try and push the
> > idea upstream.
> >
> > Yes, the idea is that it is just a hint.  Note the text:
> >
> > "The client SHOULD NOT send the User header field without the user's
> > approval, as it might conflict with the user's privacy interests or their
> > site's security policy. It is strongly recommended that the user be able to
> > disable, enable, and modify the value of this field at any time prior to a
> > request."
> >
> > We asked the IETF if we could use the "From" header for this, but the
> > feedback is that "From" is restricted to email, and this would be difficult
> > to change.  The suggestion was to come up with a new header.  Very happy to
> > have feedback, I've followed IIW work for many years.
> >
> >
> >>
> >> Best,
> >>
> >> Nat
> >>
> >> ---------- Forwarded message ----------
> >> From: Kaliya "Identity Woman" <kaliya-lists@identitywoman.net>
> >> Date: 2013/7/18
> >> Subject: Re: [community] from W3C….Fwd: Proposal: "User" header field
> >> To: Nat Sakimura <sakimura@gmail.com>
> >> Cc: "community@lists.idcommons.net" <community@lists.idcommons.net>
> >>
> >>
> >> Yes Nat,  Thats sort of what I got from reading it.
> >>
> >> Who among us is very active in the W3C world?
> >>
> >> If no one should we be figuring out who should be?
> >>
> >> Should we write them a letter asking them to send "identitish" proposals
> >> to IIW? or other forums for good input?
> >>
> >> Maybe we should write something that is like understanding identity
> >> basics for technical specification folks across a range of standards bodies?
> >>
> >> - Kaliya
> >>
> >> On Jul 17, 2013, at 3:32 AM, Nat Sakimura wrote:
> >>
> >> Whoa, what's that?!
> >>
> >> That's not only useless but actually harmful.
> >>
> >> I can kind of see some utility in sending the IdP address, but not the
> >> user.
> >>
> >> =nat via iPhone
> >>
> >> On Jul 16, 2013, at 7:39, "Kaliya \"Identity Woman\"" <
> >> kaliya-lists@identitywoman.net> wrote:
> >>
> >> Hi folks,
> >>  Apparently the W3C wants to send "user" names along in HTTP headers.
> >>   I thought some folks who know about identity and how it
> >> does/could/should work might be up for chiming in over there.
> >>   It seems like Authentication of identity might be a good thing rather
> >> then just assertion.
> >>  - Kaliya
> >>
> >>
> >> Begin forwarded message:
> >>
> >> *From: *Christine
> >>
> >>
> >> As you know, I'm a big proponent of open standards. For this reason I
> >> monitor many groups. You might be interested in the W3C Read Write Web
> >> community group: http://www.w3.org/community/rww/
> >>
> >> I sent you a message a few weeks ago about Tabulator.
> >>
> >> See below messages about User header field. If you are not already a
> >> member, I recommend you join and contribute!
> >>
> >> Christine
> >>
> >>
> >> -------- Original Message --------  Subject: Re: Proposal: "User" header
> >> field  Resent-Date: Sat, 13 Jul 2013 16:19:02 +0000  Resent-From:
> >> public-rww@w3.org  Date: Sat, 13 Jul 2013 12:08:37 -0400  From: Joe
> >> <presbrey@gmail.com> <presbrey@gmail.com>  To: Melvin Carvalho
> >> <melvincarvalho@gmail.com> <melvincarvalho@gmail.com>  CC: public-rww
> >> <public-rww@w3.org> <public-rww@w3.org>
> >>
> >> Great job Melvin!
> >>
> >>  Data.fm sends the User header already :)
> >>
> >>
> >>
> >>
> >> On Jul 13, 2013, at 10:55 AM, Melvin Carvalho <melvincarvalho@gmail.com>
> >> wrote:
> >>
> >>   I would be nice to be able to identify a user in HTTP, especially with
> >> read/write protocols and access control, it can be important to know who is
> >> trying to change something.
> >>
> >> There has been some discussion on whether the "From" header can be used
> >> to identify a user in HTTP, and my from most people is that this would be a
> >> good candidate to send a user, but for historical reasons it's limited to
> >> email, and changing this would perhaps get some pushback from the IETF.
> >>
> >> The suggestion has been to choose another header, so I thought that
> >> "User" might be a good candidate, since we have User Agent arleady.
> >>
> >>  Here's the proposed text:
> >>
> >> [[
> >> User
> >>
> >> The User request-header field, if given, SHOULD contain an identifier for
> >> the human user who controls the requesting user agent. The address SHOULD
> >> be machine-usable, as defined by the "URI General Syntax" RFC 3986
> >>
> >>        User   = "User" ":" URI
> >>
> >> An example is:
> >>
> >>        User: http://www.w3.org/People/Berners-Lee/card#i
> >>
> >> This header field MAY be used for logging purposes and as a means for
> >> identifying the source of invalid or unwanted requests. It SHOULD NOT be
> >> used as an insecure form of access protection. The interpretation of this
> >> field is that the request is being performed on behalf of the person given,
> >> who accepts responsibility for the method performed. In particular, robot
> >> agents SHOULD include this header so that the person responsible for
> >> running the robot can be contacted if problems occur on the receiving end.
> >>
> >> The client SHOULD NOT send the User header field without the user's
> >> approval, as it might conflict with the user's privacy interests or their
> >> site's security policy. It is strongly recommended that the user be able to
> >> disable, enable, and modify the value of this field at any time prior to a
> >> request.
> >>
> >> ]]
> >>
> >>  Feedback welcome!
> >>
> >>
> >>
> >>
> >>
> >> ____________________________________________________________
> >> You received this message as a subscriber on the list:
> >>     community@lists.idcommons.net
> >> To be removed from the list, send any message to:
> >>     community-unsubscribe@lists.idcommons.net
> >>
> >> For all list information and functions, see:
> >>      http://lists.idcommons.net/lists/info/community
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Nat Sakimura (=nat)
> >> Chairman, OpenID Foundation
> >> http://nat.sakimura.org/
> >> @_nat_en
> >>
> >> _______________________________________________
> >> specs mailing list
> >> specs@lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs
> >>
> >>
> >
> 

Received on Thursday, 18 July 2013 07:01:39 UTC