- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Tue, 22 Jul 2014 07:37:10 +0100
- To: Timothy Holborn <timothy.holborn@gmail.com>
- CC: Sandro Hawke <sandro@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
On 2014-07-22 00:20, Timothy Holborn wrote: > WebID = URI - v.simple. > > Then of course - WebID-TLS starts to include that uri into an AUTH solution. > > ATM - the "mind position" of WebID is arguably the certificate experience, and the uri moreover considered whether or not someone has a "foaf uri". > > For WebID to have a "mind position" of "w3c identity & verification solutions" (to verify, one needs auth I imagine) then it needs to be shifted. > > This should include the existing spec IMHO. The only thing I have tried to say is that Google (and banks currently serving more than 50M users), have concluded (through their specifications) that asymmetric-key-based challenge-response protocols riding on top of HTTPS are better mousetraps than HTTPS CCA. Such a system would only replace TLS CCA in WebID-TLS, everything else can be left untouched. I have provided an "input specification" but since the WebID group in similarity to the WebPayments group DO NOT intend to build on enhanced browsers I think it will only be of (possible) interest to the Social Web WG. Anyway, the Social Web WG now needs to evaluate FIDO since it has gotten a clear yes by the industry which WebID-TLS never got. > > Mind position = "what is the brand for cola?" > > So... Anders = WebPKI... ;) Well, unlike W3C, I don't claim any ownership to what I do. There are no fees either :-) Anders > >> On 22 Jul 2014, at 4:09 am, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: >> >>> On 21 July 2014 19:32, Sandro Hawke <sandro@w3.org <mailto:sandro@w3.org> wrote: >> <snip> >>> >>> The point is that identity is separable, and so it has been separated. Otherwise it would be too big a piece of work for one WG. >>> >>> Your oblique mention of Tantek reminds me, I don't know if this >>> group has ever talked about the solution he's currently endorsing, IndieAuth: >>> >>> https://indieauth.com/ >> >> Nope, never heard about it before. >> >>> >>> It's fascinatingly minimalist. >> >> Indeed. >> >> >> IMO, a more developed version of WebID+PKI could be even better because it >> would be "phishfree", offering PKI-strength, not requiring any text input and >> enabling *user-provided* icons[1]. > > How might this WebID+PKI system work? > > How is it ENTIRELY decentralised? How can it be used in a centralised / decentralised manner (ie: you loose you keys - too bad / no problem). > > I believe there is currently a service available? WebPKI I think it is? Where is the source? How do I install it on my system? (Or any 3rd party) > > Perhaps let me know if I'm wrong, but it assume controlling the auth server (inc. Sovereignty considerations) is an important variable? > >> >> Such a solution is also independent on if people own domains or not. >> >> Anders >> >> [1] making it simple managing multiple IDs (if needed). >> >>
Received on Tuesday, 22 July 2014 06:37:45 UTC