Should WebIDs denote people or accounts?

Summary: Most people will be unwilling to give up the idea of having 
multiple separate accounts.  This calls into question the whole idea of 
WebID.

First off, as an aside, hello everyone.   I was in the CG for its first 
few weeks to help get things started, but then left when it looked like 
things were well in hand, and I had many other W3C duties.   Since then, 
nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up, 
and I'm mostly doing R&D, working with TimBL and Andrei Sambra.   The 
work we're doing needs something like WebID.

That said, I have to raise a difficult issue.   Maybe there's a simple 
solution I'm just missing, but I fear there is not.

The examples in the spec, and what I saw from Henry when he first 
presented foaf+ssl, show the WebID denoting a person.   In the examples, 
it's often an instance of foaf:Person, and occurs in triples as the 
subject where the predicate is foaf:name, foaf:knows, etc.  Also in 
triples as the object of foaf:knows.

So that means that in RDF, my WebID denotes me.   And if I have three 
different WebIDs, they all denote me.    Anything that's said in RDF 
using one of my WebIDs is equally true to say using any of my other 
WebIDs, and a reasoner might well infer it.   That's how it looks like 
WebIDs are supposed to work.

This is in stark contrast to how most online identity systems work. The 
usually model is that a person has an account with a particular service 
provider.   In the old days that might have been a bank, while these 
days it might be some kind of "identity provider" like Google or 
Facebook.   There is important flexibility in this model.    I have two 
Google accounts, and my kids have many among themselves, so on the 
computers around the house, there are many possible Google accounts 
saved as possible logins.    Behind the scenes, Google may or may not be 
correctly inferring which humans are attached to each of these accounts, 
but as long it doesn't get wrong which accounts can see adult content, 
or use my credit card, or see/edit particular documents, that's okay. 
Those important features are attached to accounts, not people, in 
systems today.

FOAF makes this distinction quite clear, with classes foaf:Person and 
foaf:OnlineAccount.   FOAF, quite reasonably, puts relationships like 
foaf:name and foaf:knows on foaf:Person.   It's interesting to know my 
name and who I know.   It might also be interesting to see which of my 
accounts are linked with other accounts, I suppose, although that's more 
complicated.

I'm not sure exactly why people might have multiple accounts. Sometimes 
an account is provided by an employer or school and goes along with lots 
of resources, but also includes restrictions on use or limitations on 
privacy.  Sometimes an account is obtained with a particular service 
provider, and then one no longer wants to do business with them. 
Sometimes security on an account is compromised and a backup is needed. 
   Sometimes one just wants to separate parts of life, like 
work-vs-nonwork.   I've asked a few friends if they'd be willing to have 
exactly one computer account, and gotten an emphatic "No!".

So the my question might be, can WebID allow that separation?   If 
access control is granted by WebID (as I've always seen it done), and 
WebID denotes a person (as I've always seen it), and the computer 
figures out that multiple WebIDs denote the same person (as it's likely 
to do eventually), then isn't it likely to grant the same access to me 
no matter which of my WebIDs I'm using?   Wouldn't that be the 
technically correct thing for it to do?

In summary: WebID is doing something quite radical in the identity space 
by identifying humans instead of accounts.   Are we sure that's a good 
thing?    It seems like in practice, humans interacting with service 
providers want to have multiple distinguishable identities with separate 
authentication.  One might try to clean this up with some kind of 
role-based access control [1], but that might not solve the issue that 
by having WebIDs denote people, they prevent people from authenticating 
differently to get different access/behavior.

(It's true some identity providers, like Facebook, forbid a human from 
having multiple accounts.  But I think in response we see humans get 
their additional accounts by using other providers.)

The conclusion I'm tentatively coming to is that WebIDs should be 1-1 
associated with accounts, not people.  As such, they'll be associated 
with authentication, authorization, and profiles, as they are now.   But 
the RDF modelling will have to be different, with things like { <webid1> 
foaf:knows <webid2> } being disallowed.

If we're going to make a change like that, making the WebID one hop away 
from Person, I'd suggest actually making it denote the account's profile 
page, so that it can be a normal URL, denoting an Information Resource.

        -- Sandro

[1] http://en.wikipedia.org/wiki/Role-based_access_control

Received on Saturday, 17 May 2014 15:57:25 UTC