
Re: Web Identity 1.0 -- Draft Spec

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 9 Jan 2014 14:27:27 +1100
Message-ID: <CAM1Sok0_Z789OBjtvDZ1owQJ25DGS2Ct0UwiUcsX9F6ePu+aww@mail.gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>, Melvin Carvalho <melvincarvalho@gmail.com>
Cc: public-rww <public-rww@w3.org>

re: G+[1] i agree with Kingsley almost; and the underlying differentiation,
is in seeking to define 'persona' as a separate 'identity' for the purpose
of identity management.

Some ideas (sorry for the length; ideas are still draft).

*WEBID*
There's a couple of different sorts of 'things' that interact.  WebID seems
to make the most sense for 'things that speak internet' (and knows what to
do with a cert).  WebID [2] seems to provide a method to deploy x509 with
RDF, which is beneficial for IoT / WoT; therefore reinforcing identity /
privacy methods, especially when applied to an RWW Account (LDP / RDF +
storage + base services).

*Web We (DON'T) WANT*
Web2 creates multiple persona via www.mysocialnetwork.com +
www.myonlinemail.com + etc.

However the aggregation method poorly supports user persona.

using a historically fabricated example; if 1950's social issues were
applied to facebook...

1. I think Indigenous Australians[4] should be entitled to human rights,
discuss it widely
2. Met girl in drama class; Girl got pregnant, i'm poor and Anglican she's
18 in a well-off catholic family who wants to send her interstate to have
the child, then leave it to be adopted out; then come back to uphold the
family reputation.
3. I like to do a bunch of political work for a political party, thinking i
can contribute
4. I've got a gold mining plot
5. I'm learning about geology, to help me with my mining ideas of becoming
wealthy
6. I live in a small community.

In that type of fabricated example; my desire to help black people get
human rights might prevent me from politically participating, and the
police might even take the gold mining plot.  Whilst i might love the girl,
her family may uphold the views of the time; and to care for her needs, i
might get all 'dressed-up' and see about finding a path that could mean we
could be a couple, and she could retain her relationship with family; as
i'm not sure if there's gold in that mine, or when i'll be able to bank it
(especially due to my personal beliefs about human rights).

The situation with the girl is tenuous, the community is small, i don't
want to compromise my moral fiber but it's important i finish school so
i've got a better chance at making the mining thing work; and i love the
girl and need to figure out how we can support the child, so i'll need a
bigger house and more income.

SO:  In today's example, these types of elements are all mixed together into
one 'identity' rather than a mixture of 'persona elements'.  if Facebook
existed then; the family would look me up, find out I've got these strange
ideas about human rights (indigenous Australian heritage isn't pretty), i'd
then get queried on google; the names and resources shared with others, and
the likelihood i could sort out the situation in the interests of the
girl, the child or myself - may be damaged irrecoverably because 'persona'
(or privacy) is not applied to these centralised systems.

Of course that example, applies concepts which are now well accepted; and
so the behavioral consequences of socializing that type of case-study is
different once some of the 'current issues' of the time have been resolved,
down the track.   This may be termed 'speculation' at the time; or
gambling, perhaps - but if all such information were available at the time
for people involved with changing some of those social issues - in a manner
such as is expressed in facebook networks, google searches, etc. i'm not
sure those people would have as easily (not saying it was easy at the time)
found means to create change, in whatever way they did at the time.

Whilst the material descriptions of 'current issues' (or emerging issues)
change over time, the behavioral processes do not; I think the 'diffusion of
innovations'[5] theory provides a reasonable graph; to show the underlying
drivers for the behavioral process

Current web2 sites manage 'persona' by 'owning them' in a db, managed by
the site owner ('intellectual or knowledge capital'?).  What web2 does
provide, is the ability to create accounts on sites 1,2,3,etc.

SO: When thinking about user-environments the 'philosophical' approach
needs to both provide capacity for different authoritative models /
mechanisms whilst also providing means for users to assign different
knowledge graphs; in effect, be capable of recognizing persona as a
personal (identity related) transnational 'agent', where applied rules can
be defined by an identity; upon an array of persona, and related assets /
links.

*PERSONA*
Given a person is a person; and we're not playing TRON - the idea is that
the online equivalent isn't an identity, but an interactive persona; of
which any person will likely have a multitude to represent the role they
play as an actor in a social-web.

underlying the concept; is a philosophical consideration that identity is
actually a private concept.

identity is offline; but we use 'tools' (things) to interactively
authenticate into web environments; where in-turn we create persona
related elements or documents.  persona is interactive, directive via
identity & interactive with agents.  An identity can have a multitude of
persona, which in-turn become bonded to identities using parameters
set-out in persona doctrine; perhaps technically; authenticated via
'identity chains'.

*IDENTITY CHAINS*
1.  An identity chain is a predefined process for authentication that may
interact with agents and actors,
1.1 Described using RDF; and,
1.2 Designed to interact with WebID enabled services.
1.3 can provide a 'security level' analysis (trust levels?)

The level of security is defined by the elements and processes defined in
the chain, rather than by specific agent as an independent 'authority'
managing or addressing the actor (subject to law of course).

In theory; if i need to interactively call a bunch of people whilst
interacting with specific URI's simultaneously to verbally parse info; and
link that info back to an array of devices, in a sophisticated realtime
methodology; then the key infrastructure for whatever i'd want to 'lock'
using that type of design, would be more secure than simply a userid/pass
on a machine with or without webid.

without defining or prescribing the method used in a chain; it is simply
the idea of a chain, that seems to make some sense to me overall.   Whether
it be in creating an initial identity system in a manner that is least
reliant on existing AUTH providers; or the ongoing use of accounts, that
depend on compatible identity services. An identity chain method should be
capable of providing a GUI where a user can create a method themselves,
using resources, in a secure environment.
_________________________________________________________________________________

*RWW-AUTH*
It makes little sense to have a multitude of 'competing' AUTH standards;
both methods have different purposes, which should work well together.

Theoretically; someone sets-up an identity chain with a persona that lives
on 'my knowledge banking account' - which means an RWW Server somewhere...
I have enabled WebID, which means agents I create, authorized links (ACLS)
and have a network of x509 certs they use to be authorized agents (WAC[3])
when undertaking a task interacting with other agents.

*Basic Example* An addresscard (basic kind of foaf profile) where persona1
(home) gives personal details[6] and persona2(work) gives business card; or
allowing a friend to browse your photos with ACL info provided earlier.

*RWW/SemWebCommons*
Another interesting example; is that a deceased person may have a WebID;
for the purpose of 'linking records', much like any other flora, fauna or
subjective concept; but in-turn, who owns the deceased person's WebID? does
it live in a 'commons' territory?  how does it interact with Web Identity
and/or persona? problem is of course; that some form of auth. is needed to
ensure data / info is reliable and adaptable; yet an array of 'things' are
'commons' property (meaning, human knowledge which should be free, easily
accessible and update-able or link-able).  It seems 'reputation' may need
to play a role, and i'm not sure how that can be defined or managed yet.

*APPLICATION CONSIDERATIONS: PRIVATE EXAMPLES with a multitude of 'PERSONA'*

PERSONA 1: HOME / FAMILY - Home Shopping
I've applied to my account that i use my phone to get my digital receipts;
which means i tap my phone at the register and click ok; on my phone.  if i
forget my phone, i can use the RFID 'key' in my pocket.

I needed to get some toilet paper for the office; so assign that from my
personal 'persona' to my work 'persona' for accounting purposes.

Don't like electronic check-outs, so i always go visit the check-out person
(I think morally, supermarkets should employ people).

PERSONA 2: Employment role 1 ('company persona')

COMPANY CAR
I drive my Tesla Model S; go park somewhere when going to work, and plug it
in; I authorise when i'm in the car; tell it to do the integrated approach
and pay for the parking and the power; i then go home, plug in the car; and
set 50% of the battery charge to 'grid utility' (to stabilise the grid,
because solar panels don't generate much energy at night, and my trip to
work tomorrow is only a 15 minutes drive).

My company persona, links to my home persona and its electricity account;
the battery is leased as part of the energy equipment & services agreement
with the car (allowing me to drop the battery out on a long-trip) and the
account is managed by the business.  The business doesn't pay for my home
electricity bill, so the accounts are offset using WebID's connected to
different agents; in whatever business model is applied (cars stabilising
grids obtain 'feed-in tariffs' for example).

Next day; i go to a cafe; my ipad connects using my webid to the cafe's
hotspot, asks me about billing and connects me to the net billing to an
account connected to my webid.

Work doesn't pay for internet on my ipad because i like BYOD (like my logs
to stay on my account); however it's a meeting, so i can assign the receipt
to my business persona - for taxation purposes.

Company gives me a tag to pay for coffee with clients though, so i use that
and the digital receipt is assigned to the company, relating to the persona
'linked' to my identity.

*SUMMARY*
We need to express persona. The examples above try to provide a bunch of
situations where the ability to share persona in semantic web use-cases; is
as important as being able to protect privacy, in-order to maintain liberty
and privacy through identity services. The model therein; follows
real-world examples, considering the 'units' expressed, and the difference
between a person's intent to share 'identity' vs. 'persona' when interacting
with others, in an array of different circumstances; for which, an identity
should be made capable of defining themselves (rather than having
definitions subjectively pushed upon them).

[1] https://plus.google.com/u/0/+ManuSporny/posts/94fooRHDb6T -- Manu's post
[2] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html --
WebID spec
[3] http://www.w3.org/wiki/WebAccessControl
[4] http://en.wikipedia.org/wiki/Indigenous_Australians
[5] http://en.wikipedia.org/wiki/Diffusion_of_innovations
[6] http://linkeddata.github.io/rdflib.js/example/people/social_book.html

On 9 January 2014 00:04, Kingsley Idehen <kidehen@openlinksw.com> wrote:

>  On 1/7/14 11:22 PM, Melvin Carvalho wrote:
>
>
>  This spec has been updated and fleshed out quite a bit.  Section 4 now
> includes reading, writing, access control, signatures, claims and
> endorsements.
>
> https://web-payments.org/specs/source/web-identity/
>
>
> This spec, as per comments I made to Manu on his G+ thread [1], currently
> doesn't acknowledge the fact that a WebID is an HTTP URI that denotes an
> agent. To avert confusion, it is really important that we have a common
> understanding of what the term WebID denotes.
>
> Accepting the established definition of WebID [2] is compatible with "Web
> Identity 1.0" once some tweaks are made to existing term definitions,
> basically we end up with:
>
> *identifier*
> An HTTP URI that denotes an entity.
>
> *identity card*
> Information that can be used to identify a particular entity such as a
> person, animal, or organization.
>
> *identity card owner*
> An entity that is in control of a particular identity card.
>
> *identity card provider (or host)*
> A website providing access to an identity or set of identities.
>
> *requestor*
> A user agent that is requesting to access and/or modify an identity.
>
> Links:
>
> [1] https://plus.google.com/u/0/+ManuSporny/posts/94fooRHDb6T -- Manu's
> post
> [2] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html --
> WebID spec (*which is currently marooned in this pre official release
> state*).
>
> --
>
> Regards,
>
> Kingsley Idehen	
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter Profile: https://twitter.com/kidehen
> Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>
>
>
>
Received on Thursday, 9 January 2014 03:28:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:10:44 UTC