- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Thu, 4 Oct 2012 19:11:11 +0200
- To: bd@thinkmetrics.com
- Cc: Kingsley Idehen <kidehen@openlinksw.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Henry Story <henry.story@bblfish.net>, public-webid@w3.org, public-identity@w3.org, public-philoweb@w3.org, Ben Laurie <benl@google.com>
- Message-ID: <CAKaEYhKnUqVQsk6fEYU-88bv=u=hzAEmzLX_XyfG-pi3=fFxxA@mail.gmail.com>
On 4 October 2012 18:58, Brandt Dainow <bd@thinkmetrics.com> wrote:

> Hi - I'm coming into this discussion late, and though I've tried to catch up, please forgive me if you think I've missed something in earlier stages of the debate. However, as a philosopher concerned with online ethics (as well as a web analyst), I'm disturbed by the tone of this discussion, so I'm throwing in my point:
>
> The idea that a person can be treated like a computing resource is questionable. It sounds like instrumentalism - treating people as things, which is the starting point of most human evil. The principle that an identifier in one system is portable to others refers to computing resources, not human beings. There are no principles in web computing which were ever intended to apply to people. This is why initiatives like WebID exist at all - they are trying to compensate for the fact the internet has nothing within it pertaining to humans.
>
> The concept of a "reputation footprint" is also highly debatable. Personally, I find the idea that I would have a single online profile, uniting all my web activities, and traceable back to the real human me, as horrifically totalitarian, and a step backward. I don't have such a limitation in the real world. I can be anonymous when I walk the city, enter shops, and pay by cash. I can conceal my religious or political beliefs from my workmates, so as to avoid being judged by them on irrelevant criteria, or simply because I want to live privately. I can decide my life has been a mess, then move to a new city, where no one knows me, and start afresh, my previous history forgotten. We must have the same level of forgetfulness on the web, the same ability to split our activities and present only partial views of ourselves to different groups. These are fundamental aspects of human existence which have remained for thousands of years. They enable us to work and socialise with others who we otherwise would be in conflict with.

A reputation footprint need not imply a single identity. With the "sameAs" concept you can tie identities together in a transparent way. There are also techniques to tie identities together in a more private way, such as ACLs, hashing and "zero knowledge proofs".

> Organisations are different. They are not people. Any initiative which treats organisations, documents and human beings as the same is denying the essential dignity of the individual, and their right to choose how openly or privately they wish to live. I can understand why I might want a system which enables me to lock my identity to a resource, but that should be a voluntary system, and it should enable me to have multiple WebIDs (or equivalent), and it should permit me to keep my personal identity totally anonymous.
>
> WebID is a particularly dangerous concept. It totally depends on the unbreakability of the private key. Does anyone in this group seriously believe there's such a thing as unbreakable encryption, or a flawless computing system? If people trust WebIDs, what chance do you think anyone will have of convincing the world their WebID has been faked or hijacked, or their certificate stolen, etc? If WebID was used for government, financial or employment purposes, what harm could fall on someone under such circumstances? The same is true of any computing system which seeks to lock an IT resource to a real person. The connection between the two will always be problematic and untrustworthy.
>
> In terms of online privacy, we cannot possibly imagine what use nasty people will make of personal data 10, 20, or 50 years from now. We simply cannot know what technology or business models people will invent. All we can be sure of is that stuff we can't imagine now will dominate the web of the future. This means we can't argue in terms of trying to achieve specific effects, because we can't know what the full range of effects will be. The only solution is to focus on avoiding the potential for harm. This means we must take a fantastically conservative attitude to online privacy, and resist every attempt to reduce it. In this light, one has to ask - where are the anonymity initiatives? Where's my IP-rotation plug-in, my user agent obfuscation add-on, etc?
>
> The web is a fairly good thing as it is. Before we seek to "improve" it, we need to be absolutely certain we are addressing a genuine problem and that the solution won't harm more than it helps. In the larger context, this means "Web-scale verifiable identity" should be no more than a minor item of optional technology used by a few people for specific purposes. It should be enacted in a manner which is aware nasty people and governments could force it on people as a means of exploitation and control, which means making it hard to manage centrally and avoiding uniform standards. The emphasis should always be on the avoidance of possible harm, even if this means not getting the best technology.
>
> Regards,
> Brandt Dainow
> bd@thinkmetrics.com
> www.thinkmetrics.com
> PH (UK): (020) 8123 9521
> PH (USA): (801) 938 6808
> PH (IRELAND): (01) 443 3834
> iMedia Articles: www.imediaconnection.com/profiles/brandt.dainow
>
> This email and any attachments are confidential and may be the subject of legal privilege. Any use, copying or disclosure other than by the intended recipient is unauthorised. If you have received this message in error, please delete this message and any copies from your computer and network.
>
> Whilst we run anti-virus software on all e-mails the sender does not accept any liability for any loss or damage arising in any way from their receipt or use. You are advised to run your own anti-virus software in respect of this e-mail and any attachments.
>
> -----Original Message-----
> From: Kingsley Idehen [mailto:kidehen@openlinksw.com]
> Sent: 04 October 2012 16:59
> To: Hannes Tschofenig
> Cc: Melvin Carvalho; Henry Story; public-webid@w3.org; public-identity@w3.org; public-philoweb@w3.org; Ben Laurie
> Subject: Re: Browser UI & privacy - a discussion with Ben Laurie
>
> On 10/4/12 11:10 AM, Hannes Tschofenig wrote:
> > Hi Melvin,
> >
> > On Oct 4, 2012, at 4:49 PM, Melvin Carvalho wrote:
> >
> > > I think the aim is to have an identity system that is universal. The web is predicated on the principle that an identifier in one system (eg a browser) will be portable to any other system (eg a search engine) and vice versa. The same principle applied to identity would allow things to scale globally. This has, for example, the benefit of allowing users to take their data, or reputation footprint with them across the web. I think there is a focus on WebID because it is the only identity system to date (although yadis/openid 1.0 came close) that easily allows this. I think many would be happy to use another system if it was global like WebID, rather than another limited context silo.
> >
> > I think there is a lot of confusion about the difference between identifier and identity. You also seem to confuse them.
> >
> > Here is the difference:
> >
> >    $ Identifier: A data object that represents a specific identity of
> >    a protocol entity or individual. See [RFC4949].
> >
> >    Example: a NAI is an identifier
>
> A data object is denoted by an identifier. The representation of a data object is a graph. A data object identifier can resolve to said data object's representation.
>
> A Web accessible profile document is an example of a data object.
>
> On the Web a profile document can be denoted by an HTTP URI/URL. In addition, the subject (which can be *anything*) of a profile document can also be denoted by an HTTP URI. Basically, this is what the Linked Data meme [1] by TimBL is all about. Note, WebID is fundamentally an application of Linked Data principles specifically aimed at solving the problem of Web-scale verifiable identity for people, organizations, software, and other conceivable entities.
>
> >    $ Identity: Any subset of an individual's attributes that
> >    identifies the individual within a given context. Individuals
> >    usually have multiple identities for use in different contexts.
> >
> >    Example: the stuff you have at your Facebook account
> >
> > To illustrate the impact for protocols let me try to explain this with OpenID Connect.
> >
> > OpenID Connect currently uses SWD (Simple Web Discovery) to use a number of identifiers to discover the identity provider, see http://openid.net/specs/openid-connect-discovery-1_0.html
> >
> > The identifier will also have a role when the resource owner authenticates to the identity provider. The identifier may also be shared with the relying party for authorization decisions.
> >
> > Then, there is the question of how you extract attributes from the identity provider and to make them available to the relying party. There, very few standards exist (this is the step that follows OAuth). The reason for the lack of standards is not that it isn't possible to standardize these protocols but there are just too many applications. A social network is different from a system that uploads data from a smart meter. Facebook, for example, uses their social graph and other services use their own proprietary "APIs" as well.
> >
> > This is the identity issue.
> >
> > You are mixing all these topics together. This makes it quite difficult to figure out what currently deployed systems do not provide.
>
> Henry isn't mixing up the issues. What might be somewhat unclear to you is the critical role played by Linked Data, and the fact that a WebID is just a cryptographically verifiable denotation mechanism (an identifier) for people, organizations, software agents, and other real world entities that aren't Web realm data objects (or documents).
>
> Linked Data introduces a power nuance that enables you to leverage *indirection* via the use of HTTP URIs to unambiguously denote a Web realm data object (e.g., a profile document) and a real world entity (that's the subject of the profile document) described by said data object. Net effect, either denotation resolves to the same document content (actual data or Web resource). The documents in this context are comprised of RDF data model based structured content i.e., an entity-attribute-value or subject-predicate-object graph.
>
> Also note that WebID and OpenID bridges already exist in the wild that work, and these serve as powerful demonstrations of the value that WebID brings to bear.
>
> Links:
>
> 1. http://www.w3.org/DesignIssues/LinkedData.html -- Linked Data meme
> 2. http://bit.ly/OcbR8w -- WebID+OpenID proxy service showing how password authentication is eliminated from the OpenID flow via WebID
> 3. http://bit.ly/PcQg38 -- screencast showcasing the combined prowess of OpenID and WebID.
>
> Kingsley
>
> > Ciao
> > Hannes
>
> --
>
> Regards,
>
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
Received on Thursday, 4 October 2012 17:11:47 UTC
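
The reply above names hashing as one way to tie identities together privately. The following is an added example, not part of the original message or of any WebID specification: it shows why a plain hash of a guessable identifier URI hides nothing, and one possible salted-commitment scheme in which each profile publishes a different token and the owner discloses the nonces only to chosen verifiers. The URIs, function names and the scheme itself are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample identifiers (not real profiles).
URI_A = "https://alice.example/profile#me"
URI_B = "https://forum.example/users/a17#id"

def plain_hash(uri: str) -> str:
    """Unsalted digest of an identifier; hides nothing when the URI is guessable."""
    return hashlib.sha256(uri.encode()).hexdigest()

def guess_plain_hash(digest: str, candidates: list) -> Optional[str]:
    """What any observer can do: hash each publicly known URI and compare."""
    for uri in candidates:
        if hmac.compare_digest(plain_hash(uri), digest):
            return uri
    return None

def commit(other_uri: str, nonce: bytes) -> str:
    """Keyed hash of the other identifier under a secret 32-byte random nonce."""
    return hmac.new(nonce, other_uri.encode(), hashlib.sha256).hexdigest()

def make_link(uri_a: str, uri_b: str) -> dict:
    """Owner side. Each profile gets its own nonce, so the two published
    tokens differ and cannot be joined by simple equality."""
    nonce_a, nonce_b = secrets.token_bytes(32), secrets.token_bytes(32)
    return {
        "publish": {uri_a: commit(uri_b, nonce_a), uri_b: commit(uri_a, nonce_b)},
        "disclose": {uri_a: nonce_a, uri_b: nonce_b},  # only for chosen verifiers
    }

def verify_link(uri_a: str, uri_b: str, published: dict, disclosed: dict) -> bool:
    """Verifier side: each profile must commit to the other under its nonce."""
    try:
        ok_a = hmac.compare_digest(published[uri_a], commit(uri_b, disclosed[uri_a]))
        ok_b = hmac.compare_digest(published[uri_b], commit(uri_a, disclosed[uri_b]))
    except KeyError:
        return False  # one of the profiles carries no token for this link
    return ok_a and ok_b

if __name__ == "__main__":
    print("plain hash reversed to:", guess_plain_hash(plain_hash(URI_B), [URI_A, URI_B]))
    link = make_link(URI_A, URI_B)
    print("link verifies with nonces:", verify_link(URI_A, URI_B, link["publish"], link["disclose"]))
```

Once a nonce is disclosed, that verifier can prove the link to others, so disclosure is only as private as the verifier is trusted.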