W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 17 May 2014 23:18:23 +0200
Message-ID: <CAKaEYhKSm6Wz6rUpq3PtV=LiY5BvUfJx+ymBgUn_Hy5kYtm_Rg@mail.gmail.com>
To: Timothy Holborn <timothy.holborn@gmail.com>
Cc: Sandro Hawke <sandro@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com> wrote:

> Timbl has referred to persona in past.

Do you have a pointer to this?

> The notion of multiple accounts is highly important, for security reasons
> if nothing else.  webID has been interpreted as an identity aggregation
> strategy IMHO by some.  The spec itself does not mandate that use-case.
> (Mind, I've debated the need for other ontological options before)
> Sent from my iPad
> > On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote:
> >
> > Summary: Most people will be unwilling to give up the idea of having
> multiple separate accounts.  This calls into question the whole idea of
> WebID.
> >
> > First off, as an aside, hello everyone.   I was in the CG for its first
> few weeks to help get things started, but then left when it looked like
> things were well in hand, and I had many other W3C duties.   Since then,
> nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up,
> and I'm mostly doing R&D, working with TimBL and Andrei Sambra.   The work
> we're doing needs something like WebID.
> >
> > That said, I have to raise a difficult issue.   Maybe there's a simple
> solution I'm just missing, but I fear there is not.
> >
> > The examples in the spec, and what I saw from Henry when he first
> presented foaf+ssl, show the WebID denoting a person.   In the examples,
> it's often an instance of foaf:Person, and occurs in triples as the subject
> where the predicate is foaf:name, foaf:knows, etc.  Also in triples as the
> object of foaf:knows.
> >
> > So that means that in RDF, my WebID denotes me.   And if I have three
> different WebIDs, they all denote me.    Anything that's said in RDF using
> one of my WebIDs is equally true to say using any of my other WebIDs, and a
> reasoner might well infer it.   That's how it looks like WebIDs are
> supposed to work.
> >
> > This is in stark contrast to how most online identity systems work. The
> usually model is that a person has an account with a particular service
> provider.   In the old days that might have been a bank, while these days
> it might be some kind of "identity provider" like Google or Facebook.
> There is important flexibility in this model.    I have two Google
> accounts, and my kids have many among themselves, so on the computers
> around the house, there are many possible Google accounts saved as possible
> logins.    Behind the scenes, Google may or may not be correctly inferring
> which humans are attached to each of these accounts, but as long it doesn't
> get wrong which accounts can see adult content, or use my credit card, or
> see/edit particular documents, that's okay. Those important features are
> attached to accounts, not people, in systems today.
> >
> > FOAF makes this distinction quite clear, with classes foaf:Person and
> foaf:OnlineAccount.   FOAF, quite reasonably, puts relationships like
> foaf:name and foaf:knows on foaf:Person.   It's interesting to know my name
> and who I know.   It might also be interesting to see which of my accounts
> are linked with other accounts, I suppose, although that's more complicated.
> >
> > I'm not sure exactly why people might have multiple accounts. Sometimes
> an account is provided by an employer or school and goes along with lots of
> resources, but also includes restrictions on use or limitations on privacy.
>  Sometimes an account is obtained with a particular service provider, and
> then one no longer wants to do business with them. Sometimes security on an
> account is compromised and a backup is needed.   Sometimes one just wants
> to separate parts of life, like work-vs-nonwork.   I've asked a few friends
> if they'd be willing to have exactly one computer account, and gotten an
> emphatic "No!".
> >
> > So the my question might be, can WebID allow that separation?   If
> access control is granted by WebID (as I've always seen it done), and WebID
> denotes a person (as I've always seen it), and the computer figures out
> that multiple WebIDs denote the same person (as it's likely to do
> eventually), then isn't it likely to grant the same access to me no matter
> which of my WebIDs I'm using?   Wouldn't that be the technically correct
> thing for it to do?
> >
> > In summary: WebID is doing something quite radical in the identity space
> by identifying humans instead of accounts.   Are we sure that's a good
> thing?    It seems like in practice, humans interacting with service
> providers want to have multiple distinguishable identities with separate
> authentication.  One might try to clean this up with some kind of
> role-based access control [1], but that might not solve the issue that by
> having WebIDs denote people, they prevent people from authenticating
> differently to get different access/behavior.
> >
> > (It's true some identity providers, like Facebook, forbid a human from
> having multiple accounts.  But I think in response we see humans get their
> additional accounts by using other providers.)
> >
> > The conclusion I'm tentatively coming to is that WebIDs should be 1-1
> associated with accounts, not people.  As such, they'll be associated with
> authentication, authorization, and profiles, as they are now.   But the RDF
> modelling will have to be different, with things like { <webid1> foaf:knows
> <webid2> } being disallowed.
> >
> > If we're going to make a change like that, making the WebID one hop away
> from Person, I'd suggest actually making it denote the account's profile
> page, so that it can be a normal URL, denoting an Information Resource.
> >
> >       -- Sandro
> >
> > [1] http://en.wikipedia.org/wiki/Role-based_access_control
> >
Received on Saturday, 17 May 2014 21:18:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC