Re: [saag] Liking Linkability from Harry Halpin on 2012-10-22 (public-webid@w3.org from October 2012)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 22 Oct 2012 14:32:24 +0200
To: Kingsley Idehen <kidehen@openlinksw.com>
CC: Ben Laurie <benl@google.com>, nathan@webr3.org, Henry Story <henry.story@bblfish.net>, Ben Laurie <ben@links.org>, "public-philoweb@w3.org" <public-philoweb@w3.org>, "public-identity@w3.org" <public-identity@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>, Sam Hartman <hartmans-ietf@mit.edu>, "public-webid@w3.org" <public-webid@w3.org>, "saag@ietf.org" <saag@ietf.org>, Melvin Carvalho <melvincarvalho@gmail.com>
Message-ID: <50853CD8.8020005@w3.org>

On 10/22/2012 02:03 PM, Kingsley Idehen wrote:
> On 10/22/12 7:26 AM, Ben Laurie wrote:
>> On 22 October 2012 11:59, Kingsley Idehen <kidehen@openlinksw.com> 
>> wrote:
>>> On 10/22/12 5:54 AM, Ben Laurie wrote:
>>>> Where we came in was me pointing out that if you disconnect your
>>>> identities by using multiple WebIDs, then you have a UI problem, and
>>>> since then the aim seems to have been to persuade us that multiple
>>>> WebIDs are not needed.
>>> Multiple WebIDs (or any other cryptographically verifiable 
>>> identifier) are a
>>> must.
>>>
>>> The issue of UI is inherently subjective. It can't be used to 
>>> objectively
>>> validate or invalidate Web-scale verifiable identifier systems such as
>>> WebID or any other mechanism aimed at achieving the same goals.
>> Ultimately what matters is: do users use it correctly? This can be 
>> tested :-)
>>
>> Note that it is necessary to test the cases where the website is evil,
>> too - something that's often conveniently missed out of user testing.
>> For example, its pretty obvious that OpenID fails horribly in this
>> case, so it tends not to get tested.
>
> Okay.
>>
>>> Anyway, Henry, I,  and a few others from the WebID IG (hopefully) 
>>> are going
>>> to knock up some demonstrations to show how this perceived UI/UX
>>> inconvenience can be addressed.
>> Cool.
>
> Okay, ball is in our court to now present a few implementations that 
> address the UI/UX concerns.
>
> Quite relieved to have finally reached this point :-)

No, its not a UI/UX concern, although the UI experience of both identity 
on the Web and with WebID in particular is quite terrible, I agree.

My earlier concern was an information flow concern that causes the issue 
with linkability, which WebID shares to a large extent with other 
server-side information-flow. As stated earlier, as long as you trust 
the browser, BrowserID does ameliorate this. There is also this rather 
odd conflation of "linkability" of URIs with hypertext and URI-enabled 
Semantic Web data" and linkability as a privacy concern.

I do think many people agree stronger cryptographic credentials for 
authentication are a good thing, and BrowserID is based on this and 
OpenID Connect has (albeit not often used) options in this space.  I 
would again, please suggest that the WebID community take on board 
comments in a polite manner and not cc mailing lists.
>
>
>

Received on Monday, 22 October 2012 12:32:53 UTC