
Re: Browser UI & privacy - a discussion with Ben Laurie

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 5 Oct 2012 13:51:17 +0200
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, "public-webid@w3.org" <public-webid@w3.org>, public-identity@w3.org, "public-philoweb@w3.org" <public-philoweb@w3.org>, Ben Laurie <benl@google.com>
Message-Id: <07281C6A-2B3E-4BF0-BDB6-ADE0C6EF7747@bblfish.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>

On 4 Oct 2012, at 18:04, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

> You are too focused on your WebID idea.
> 
> Everyone can easily create new protocols on the fly that do all sorts of things. Getting them deployed is a completely different story.

Good so I take it you don't really see any problems with WebID. It's just that it is not deployed enough.

> I am interested to discuss privacy topics that are of more general applicability. If this exchange is only about promoting WebID then I focus on other work instead. 

I pointed to a way in which your distinction, identifier vs. identity, could be tied in with 
work in Logic, and philosophy of logic. You can't get more general than that. 

At the end you illustrated your point with a reference to OpenID. You then state that 
it is not possible to get the attributes standardised because there are too many possibilities. 
To which my answer was: that is why the semantic web was designed, and it is growing fast 
in adoption - check out LinkedData on the web to see. 

Then you say that I am focusing only on WebID. But in fact tying WebIDs and OpenIDs 
together is simple once you move to the semantic level.
Let's imagine the simplest situation where your OpenID profile just is your WebID profile.

Let us imagine Joe's OpenID and WebID profile documents are published 
at https://joe.example/profile. We can represent the relevant semantics
(we are interested in here) in Turtle ( http://www.w3.org/TR/turtle/ )
as: 

------
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<> a openid:Profile, foaf:PersonalProfileDocument;
   foaf:primaryTopic <#me> .

<#me> a foaf:Person;    # <#me> is the WebID
     foaf:openid <> ;   # <> is the OpenId
     cert:key [ a cert:RSAPublicKey; cert:modulus "...."^^xsd:hexBinary; cert:exponent 65537 ] .
------

or if you make the URLs absolute this can be clearer

------
<https://joe.example/profile> a openid:Profile, foaf:PersonalProfileDocument;
   foaf:primaryTopic <https://joe.example/profile#me> .

<https://joe.example/profile#me> a foaf:Person;    # <https://joe.example/profile#me> is the WebID
     foaf:openid <https://joe.example/profile> ;   # <https://joe.example/profile> is the OpenId
     cert:key [ a cert:RSAPublicKey; cert:modulus "...."^^xsd:hexBinary; cert:exponent 65537 ] .
------


So you can tie those two together in a document. With WebID we just essentially remove the need
for the OpenId Attribute Exchange, because you can use RESTful requests to fetch that information
by following links. But we don't need to outlaw openid. The two can work together, just as http 
and ftp could and always can.


> 
> 
> On Oct 4, 2012, at 6:46 PM, Henry Story wrote:
> 
>> 
>> On 4 Oct 2012, at 17:10, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>>> Hi Melvin, 
>>> 
>>> On Oct 4, 2012, at 4:49 PM, Melvin Carvalho wrote:
>>> 
>>>> I think the aim is to have an identity system that is universal.  The web is predicated on the principle that an identifier in one system (eg a browser) will be portable to any other system (eg a search engine) and vice versa.  The same principle applied to identity would allow things to scale globally.  This has, for example, the benefit of allowing users to take their data, or reputation footprint with them across the web.  I think there is a focus on WebID because it is the only identity system to date (although yadis/openid 1.0 came close) that easily allows this.  I think many would be happy to use another system if it was global like WebID, rather than another limited context silo.
>>> 
>>> I think there is a lot of confusion about the difference between identifier and identity. You also seem to confuse them. 
>>> 
>>> Here is the difference: 
>>> 
>>>  $ Identifier:   A data object that represents a specific identity of
>>>     a protocol entity or individual.  See [RFC4949].
>>> 
>>> Example: a NAI is an identifier 
>>> 
>>>  $ Identity:   Any subset of an individual's attributes that
>>>     identifies the individual within a given context.  Individuals
>>>     usually have multiple identities for use in different contexts.
>>> 
>>> Example: the stuff you have at your Facebook account
>> 
>> This is a well-known distinction in philosophy. You can refer to things in two ways:
>> - with names ( identifiers ) 
>> - with existential variables ( anonymous names if you want ), and attaching a description to that
>>   thing that identifies it uniquely among all other things
>> 
>> So for example Bertrand Russell considered that "The Present King of France" in "The Present King of France is Bald" was
>> not acting like a proper name, but as an existential variable with a definite description. That is in 
>> mathematical logic he translated that phrase to:
>> 
>>   ∃x[PKoF(x) & ∀y[PKoF(y) → y=x] & B(x)]
>> 
>> See http://en.wikipedia.org/wiki/Definite_description
>> Harry Halpin goes into this in this Philosophy of the Web Thesis
>>  http://journal.webscience.org/324/
>> http://www.ibiblio.org/hhalpin/homepage/thesis/
>> 
>> So yes we know this, and understand this very well. The Semantic Web is an outgrowth of 
>> Fregean logic, tied to the Web through URIs, and with some of the best logicians 
>> in the world  having worked on its design. This is our bread and butter.
>> 
>> In fact in WebID we are using this to our advantage. What we do is we use 
>> a URI - a universal identifier - to identify a person, in such a way that it is
>> tied to a definite description as "the agent ID that knows the private key of public
>> key Key".
>> 
>> <graphic  http://www.w3.org/wiki/images/4/49/X509-Sense-and-Reference.jpg >
>> 
>> So in the above the Identifier is "http://bblfish.net/#hjs" which refers to me 
>> <http://bblfish.net/#hjs> which you can recognise as the knower of the private key
>> published on the http://bblfish.net/ web page (in RDFa, in this case)
>> 
>> 
>>> 
>>> To illustrate the impact for protocols let me try to explain this with OpenID Connect. 
>>> 
>>> OpenID Connect currently uses SWD (Simple Web Discovery) to use a number of identifiers to discover the identity provider, see http://openid.net/specs/openid-connect-discovery-1_0.html 
>>> 
>>> The identifier will also have a role when the resource owner authenticates to the identity provider. The identifier may also be shared with the relying party for authorization decisions. 
>>> 
>>> Then, there is the question of how you extract attributes from the identity provider and to make them available to the relying party.
>> 
>> In WebID that is easy for public info: you use HTTP GET.
>> Otherwise you put protected info into protected resources, link to them from the WebID profile, 
>> and apply WebID recursively to the people requesting information about that resource. Ie: you
>> protect the resources containing information that needs protecting.
>> 
>> This makes it possible to describe people and their relations extremely richly,
>> and it allows one to be very fine grained in who one allows access to information.
>> 
>> 
>>> There, very few standards exist (this is the step that follows OAuth). The reason for the lack of standards is not that it isn't possible to standardize these protocols but there are just too many applications. A social network is different from a system that uploads data from a smart meter. Facebook, for example, uses their social graph and other services use their own proprietary "APIs" as well. 
>> 
>> Yes, I know people keep saying it's impossible, and then we have trouble showing them - 
>> since the impossible cannot be seen.
>> 
>> Btw in WebID we use
>> 
>> The one well-known API: HTTP.
>> A semantic/logic model: RDF and mappings from syntax to that model - which
>> is based on Relations which I think Bertrand Russell showed to be pretty much all you needed.
>> 
>> Then it is a question of working together and developing vocabularies that metastabilise.
>> (More on that in a future video). 
>> 
>>> 
>>> This is the identity issue. 
>>> 
>>> You are mixing all these topics together. This makes it quite difficult to figure out what currently deployed systems do not provide. 
>>> 
>>> Ciao
>>> Hannes
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
> 

Social Web Architect
http://bblfish.net/



Received on Friday, 5 October 2012 11:51:51 UTC
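
The relying-party side of the definite description discussed in the message ("the agent that knows the private key of public key Key"), as an added example that is not part of the original message or of any WebID implementation: given the WebID and RSA public key taken from a client certificate, accept the claim only if the profile fetched from the WebID's own document lists that key for that WebID. It assumes the profile has already been parsed into triples; the function names, the `#eve` entry and the toy modulus values are constructed for illustration.

```python
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"
FOAF = "http://xmlns.com/foaf/0.1/"
DOC = "https://joe.example/profile"
ME = DOC + "#me"

# Constructed sample: triples as an RDF parser would yield them for the profile
# at DOC. "_:k1"/"_:k2" are blank nodes; the moduli are made-up toy values.
PROFILE = {
    (ME, FOAF + "openid", DOC),
    (ME, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", "00 C3 5F 9A 11"),
    ("_:k1", CERT + "exponent", "65537"),
    # A key attached to someone else in the same document must not count for ME.
    (DOC + "#eve", CERT + "key", "_:k2"),
    ("_:k2", CERT + "modulus", "0badc0de"),
    ("_:k2", CERT + "exponent", "65537"),
}

def objects(graph, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}

def hex_to_int(lexical):
    # xsd:hexBinary lexical forms vary in case, spacing and leading zeros.
    return int("".join(lexical.split()), 16)

def verify_webid(claimed_webid, cert_modulus, cert_exponent, fetched_url, graph):
    """True only if the graph fetched from the WebID's own document says that
    the claimed WebID has a cert:key equal to the certificate's public key."""
    doc_url, _fragment = urldefrag(claimed_webid)
    if doc_url != fetched_url:      # the graph must come from the WebID's document
        return False
    for key in objects(graph, claimed_webid, CERT + "key"):
        moduli = {hex_to_int(m) for m in objects(graph, key, CERT + "modulus")}
        exponents = {int(e) for e in objects(graph, key, CERT + "exponent")}
        if cert_modulus in moduli and cert_exponent in exponents:
            return True
    return False

def openid_of(webid, graph):
    # The foaf:openid link is what ties the WebID to the OpenID in the profile.
    return objects(graph, webid, FOAF + "openid")
```

The check proves nothing about key possession by itself; it only binds the WebID to the public key, and the TLS handshake is what shows the client holds the matching private key.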
