- From: Sandro Hawke <sandro@w3.org>
- Date: Sat, 17 May 2014 20:05:43 -0400
- To: Timothy Holborn <timothy.holborn@gmail.com>,Melvin Carvalho <melvincarvalho@gmail.com>
- CC: "public-webid@w3.org" <public-webid@w3.org>
On May 17, 2014 5:36:12 PM EDT, Timothy Holborn <timothy.holborn@gmail.com> wrote: > > >Sent from my iPad > >> On 18 May 2014, at 7:18 am, Melvin Carvalho ><melvincarvalho@gmail.com> wrote: >> >> >> >> >>> On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com> >wrote: >>> Timbl has referred to persona in past. >> >> Do you have a pointer to this? >http://lists.w3.org/Archives/Public/public-rww/2014May/0022.html >> Oh, very interesting. I haven't found an opportunity to talk to TimBL about this specifically, but it sounds like he's thinking in the same direction. In that email he's very clearly showing a WebID denoting a persona, not a person. So far this discussion has strengthened my sense that: - WebIDs to date have been used to denote people and independent software agents - Users need to authenticate and authorize a different kind of entity, such as an account or persona. It seems possible to use a WebID to identify a persona/account by saying that persona/account is a software agent of mine. But that certainly conflicts with what Kinsley is saying and may be too confusing. - Sandro >>> >>> The notion of multiple accounts is highly important, for security >reasons if nothing else. webID has been interpreted as an identity >aggregation strategy IMHO by some. The spec itself does not mandate >that use-case. >>> >>> (Mind, I've debated the need for other ontological options before) >>> >>> Sent from my iPad >>> >>> > On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote: >>> > >>> > Summary: Most people will be unwilling to give up the idea of >having multiple separate accounts. This calls into question the whole >idea of WebID. >>> > >>> > First off, as an aside, hello everyone. I was in the CG for its >first few weeks to help get things started, but then left when it >looked like things were well in hand, and I had many other W3C duties. >Since then, nearly all of my Working Groups (SPARQL, RDF, GLD, etc) >have wrapped up, and I'm mostly doing R&D, working with TimBL and >Andrei Sambra. The work we're doing needs something like WebID. >>> > >>> > That said, I have to raise a difficult issue. Maybe there's a >simple solution I'm just missing, but I fear there is not. >>> > >>> > The examples in the spec, and what I saw from Henry when he first >presented foaf+ssl, show the WebID denoting a person. In the >examples, it's often an instance of foaf:Person, and occurs in triples >as the subject where the predicate is foaf:name, foaf:knows, etc. Also >in triples as the object of foaf:knows. >>> > >>> > So that means that in RDF, my WebID denotes me. And if I have >three different WebIDs, they all denote me. Anything that's said in >RDF using one of my WebIDs is equally true to say using any of my other >WebIDs, and a reasoner might well infer it. That's how it looks like >WebIDs are supposed to work. >>> > >>> > This is in stark contrast to how most online identity systems >work. The usually model is that a person has an account with a >particular service provider. In the old days that might have been a >bank, while these days it might be some kind of "identity provider" >like Google or Facebook. There is important flexibility in this >model. I have two Google accounts, and my kids have many among >themselves, so on the computers around the house, there are many >possible Google accounts saved as possible logins. Behind the >scenes, Google may or may not be correctly inferring which humans are >attached to each of these accounts, but as long it doesn't get wrong >which accounts can see adult content, or use my credit card, or >see/edit particular documents, that's okay. Those important features >are attached to accounts, not people, in systems today. >>> > >>> > FOAF makes this distinction quite clear, with classes foaf:Person >and foaf:OnlineAccount. FOAF, quite reasonably, puts relationships >like foaf:name and foaf:knows on foaf:Person. It's interesting to >know my name and who I know. It might also be interesting to see >which of my accounts are linked with other accounts, I suppose, >although that's more complicated. >>> > >>> > I'm not sure exactly why people might have multiple accounts. >Sometimes an account is provided by an employer or school and goes >along with lots of resources, but also includes restrictions on use or >limitations on privacy. Sometimes an account is obtained with a >particular service provider, and then one no longer wants to do >business with them. Sometimes security on an account is compromised and >a backup is needed. Sometimes one just wants to separate parts of >life, like work-vs-nonwork. I've asked a few friends if they'd be >willing to have exactly one computer account, and gotten an emphatic >"No!". >>> > >>> > So the my question might be, can WebID allow that separation? If >access control is granted by WebID (as I've always seen it done), and >WebID denotes a person (as I've always seen it), and the computer >figures out that multiple WebIDs denote the same person (as it's likely >to do eventually), then isn't it likely to grant the same access to me >no matter which of my WebIDs I'm using? Wouldn't that be the >technically correct thing for it to do? >>> > >>> > In summary: WebID is doing something quite radical in the identity >space by identifying humans instead of accounts. Are we sure that's a >good thing? It seems like in practice, humans interacting with >service providers want to have multiple distinguishable identities with >separate authentication. One might try to clean this up with some kind >of role-based access control [1], but that might not solve the issue >that by having WebIDs denote people, they prevent people from >authenticating differently to get different access/behavior. >>> > >>> > (It's true some identity providers, like Facebook, forbid a human >from having multiple accounts. But I think in response we see humans >get their additional accounts by using other providers.) >>> > >>> > The conclusion I'm tentatively coming to is that WebIDs should be >1-1 associated with accounts, not people. As such, they'll be >associated with authentication, authorization, and profiles, as they >are now. But the RDF modelling will have to be different, with things >like { <webid1> foaf:knows <webid2> } being disallowed. >>> > >>> > If we're going to make a change like that, making the WebID one >hop away from Person, I'd suggest actually making it denote the >account's profile page, so that it can be a normal URL, denoting an >Information Resource. >>> > >>> > -- Sandro >>> > >>> > [1] http://en.wikipedia.org/wiki/Role-based_access_control >>> > >>> >>
Received on Sunday, 18 May 2014 00:05:58 UTC