- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 17 May 2014 23:18:23 +0200
- To: Timothy Holborn <timothy.holborn@gmail.com>
- Cc: Sandro Hawke <sandro@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
- Message-ID: <CAKaEYhKSm6Wz6rUpq3PtV=LiY5BvUfJx+ymBgUn_Hy5kYtm_Rg@mail.gmail.com>
On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com> wrote:
> Timbl has referred to persona in past.
>
Do you have a pointer to this?
>
> The notion of multiple accounts is highly important, for security reasons
> if nothing else. webID has been interpreted as an identity aggregation
> strategy IMHO by some. The spec itself does not mandate that use-case.
>
> (Mind, I've debated the need for other ontological options before)
>
> Sent from my iPad
>
> > On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote:
> >
> > Summary: Most people will be unwilling to give up the idea of having
> multiple separate accounts. This calls into question the whole idea of
> WebID.
> >
> > First off, as an aside, hello everyone. I was in the CG for its first
> few weeks to help get things started, but then left when it looked like
> things were well in hand, and I had many other W3C duties. Since then,
> nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up,
> and I'm mostly doing R&D, working with TimBL and Andrei Sambra. The work
> we're doing needs something like WebID.
> >
> > That said, I have to raise a difficult issue. Maybe there's a simple
> solution I'm just missing, but I fear there is not.
> >
> > The examples in the spec, and what I saw from Henry when he first
> presented foaf+ssl, show the WebID denoting a person. In the examples,
> it's often an instance of foaf:Person, and occurs in triples as the subject
> where the predicate is foaf:name, foaf:knows, etc. Also in triples as the
> object of foaf:knows.
> >
> > So that means that in RDF, my WebID denotes me. And if I have three
> different WebIDs, they all denote me. Anything that's said in RDF using
> one of my WebIDs is equally true to say using any of my other WebIDs, and a
> reasoner might well infer it. That's how it looks like WebIDs are
> supposed to work.
> >
> > This is in stark contrast to how most online identity systems work. The
> usually model is that a person has an account with a particular service
> provider. In the old days that might have been a bank, while these days
> it might be some kind of "identity provider" like Google or Facebook.
> There is important flexibility in this model. I have two Google
> accounts, and my kids have many among themselves, so on the computers
> around the house, there are many possible Google accounts saved as possible
> logins. Behind the scenes, Google may or may not be correctly inferring
> which humans are attached to each of these accounts, but as long it doesn't
> get wrong which accounts can see adult content, or use my credit card, or
> see/edit particular documents, that's okay. Those important features are
> attached to accounts, not people, in systems today.
> >
> > FOAF makes this distinction quite clear, with classes foaf:Person and
> foaf:OnlineAccount. FOAF, quite reasonably, puts relationships like
> foaf:name and foaf:knows on foaf:Person. It's interesting to know my name
> and who I know. It might also be interesting to see which of my accounts
> are linked with other accounts, I suppose, although that's more complicated.
> >
> > I'm not sure exactly why people might have multiple accounts. Sometimes
> an account is provided by an employer or school and goes along with lots of
> resources, but also includes restrictions on use or limitations on privacy.
> Sometimes an account is obtained with a particular service provider, and
> then one no longer wants to do business with them. Sometimes security on an
> account is compromised and a backup is needed. Sometimes one just wants
> to separate parts of life, like work-vs-nonwork. I've asked a few friends
> if they'd be willing to have exactly one computer account, and gotten an
> emphatic "No!".
> >
> > So the my question might be, can WebID allow that separation? If
> access control is granted by WebID (as I've always seen it done), and WebID
> denotes a person (as I've always seen it), and the computer figures out
> that multiple WebIDs denote the same person (as it's likely to do
> eventually), then isn't it likely to grant the same access to me no matter
> which of my WebIDs I'm using? Wouldn't that be the technically correct
> thing for it to do?
> >
> > In summary: WebID is doing something quite radical in the identity space
> by identifying humans instead of accounts. Are we sure that's a good
> thing? It seems like in practice, humans interacting with service
> providers want to have multiple distinguishable identities with separate
> authentication. One might try to clean this up with some kind of
> role-based access control [1], but that might not solve the issue that by
> having WebIDs denote people, they prevent people from authenticating
> differently to get different access/behavior.
> >
> > (It's true some identity providers, like Facebook, forbid a human from
> having multiple accounts. But I think in response we see humans get their
> additional accounts by using other providers.)
> >
> > The conclusion I'm tentatively coming to is that WebIDs should be 1-1
> associated with accounts, not people. As such, they'll be associated with
> authentication, authorization, and profiles, as they are now. But the RDF
> modelling will have to be different, with things like { <webid1> foaf:knows
> <webid2> } being disallowed.
> >
> > If we're going to make a change like that, making the WebID one hop away
> from Person, I'd suggest actually making it denote the account's profile
> page, so that it can be a normal URL, denoting an Information Resource.
> >
> > -- Sandro
> >
> > [1] http://en.wikipedia.org/wiki/Role-based_access_control
> >
>
>
Received on Saturday, 17 May 2014 21:18:52 UTC