Re: Should WebIDs denote people or accounts?

On May 17, 2014 5:36:12 PM EDT, Timothy Holborn <timothy.holborn@gmail.com> wrote:
>
>
>Sent from my iPad
>
>> On 18 May 2014, at 7:18 am, Melvin Carvalho
><melvincarvalho@gmail.com> wrote:
>> 
>> 
>> 
>> 
>>> On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com>
>wrote:
>>> Timbl has referred to persona in past.
>> 
>> Do you have a pointer to this?
>http://lists.w3.org/Archives/Public/public-rww/2014May/0022.html
>>  

Oh, very interesting.   I haven't found an opportunity to talk to TimBL about this specifically, but it sounds like he's thinking in the same direction.   In that email he's very clearly showing a WebID denoting a persona, not a person.

So far this discussion has strengthened my sense that:

- WebIDs to date have been used to denote people and independent software agents

- Users need to authenticate and authorize a different kind of entity, such as an account or persona.

It seems possible to use a WebID to identify a persona/account by saying that persona/account is a software agent of mine.   But that certainly conflicts with what Kinsley is saying and may be too confusing.

    - Sandro


>>> 
>>> The notion of multiple accounts is highly important, for security
>reasons if nothing else.  webID has been interpreted as an identity
>aggregation strategy IMHO by some.  The spec itself does not mandate
>that use-case.
>>> 
>>> (Mind, I've debated the need for other ontological options before)
>>> 
>>> Sent from my iPad
>>> 
>>> > On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote:
>>> >
>>> > Summary: Most people will be unwilling to give up the idea of
>having multiple separate accounts.  This calls into question the whole
>idea of WebID.
>>> >
>>> > First off, as an aside, hello everyone.   I was in the CG for its
>first few weeks to help get things started, but then left when it
>looked like things were well in hand, and I had many other W3C duties. 
>Since then, nearly all of my Working Groups (SPARQL, RDF, GLD, etc)
>have wrapped up, and I'm mostly doing R&D, working with TimBL and
>Andrei Sambra.   The work we're doing needs something like WebID.
>>> >
>>> > That said, I have to raise a difficult issue.   Maybe there's a
>simple solution I'm just missing, but I fear there is not.
>>> >
>>> > The examples in the spec, and what I saw from Henry when he first
>presented foaf+ssl, show the WebID denoting a person.   In the
>examples, it's often an instance of foaf:Person, and occurs in triples
>as the subject where the predicate is foaf:name, foaf:knows, etc.  Also
>in triples as the object of foaf:knows.
>>> >
>>> > So that means that in RDF, my WebID denotes me.   And if I have
>three different WebIDs, they all denote me.    Anything that's said in
>RDF using one of my WebIDs is equally true to say using any of my other
>WebIDs, and a reasoner might well infer it.   That's how it looks like
>WebIDs are supposed to work.
>>> >
>>> > This is in stark contrast to how most online identity systems
>work. The usually model is that a person has an account with a
>particular service provider.   In the old days that might have been a
>bank, while these days it might be some kind of "identity provider"
>like Google or Facebook.   There is important flexibility in this
>model.    I have two Google accounts, and my kids have many among
>themselves, so on the computers around the house, there are many
>possible Google accounts saved as possible logins.    Behind the
>scenes, Google may or may not be correctly inferring which humans are
>attached to each of these accounts, but as long it doesn't get wrong
>which accounts can see adult content, or use my credit card, or
>see/edit particular documents, that's okay. Those important features
>are attached to accounts, not people, in systems today.
>>> >
>>> > FOAF makes this distinction quite clear, with classes foaf:Person
>and foaf:OnlineAccount.   FOAF, quite reasonably, puts relationships
>like foaf:name and foaf:knows on foaf:Person.   It's interesting to
>know my name and who I know.   It might also be interesting to see
>which of my accounts are linked with other accounts, I suppose,
>although that's more complicated.
>>> >
>>> > I'm not sure exactly why people might have multiple accounts.
>Sometimes an account is provided by an employer or school and goes
>along with lots of resources, but also includes restrictions on use or
>limitations on privacy.  Sometimes an account is obtained with a
>particular service provider, and then one no longer wants to do
>business with them. Sometimes security on an account is compromised and
>a backup is needed.   Sometimes one just wants to separate parts of
>life, like work-vs-nonwork.   I've asked a few friends if they'd be
>willing to have exactly one computer account, and gotten an emphatic
>"No!".
>>> >
>>> > So the my question might be, can WebID allow that separation?   If
>access control is granted by WebID (as I've always seen it done), and
>WebID denotes a person (as I've always seen it), and the computer
>figures out that multiple WebIDs denote the same person (as it's likely
>to do eventually), then isn't it likely to grant the same access to me
>no matter which of my WebIDs I'm using?   Wouldn't that be the
>technically correct thing for it to do?
>>> >
>>> > In summary: WebID is doing something quite radical in the identity
>space by identifying humans instead of accounts.   Are we sure that's a
>good thing?    It seems like in practice, humans interacting with
>service providers want to have multiple distinguishable identities with
>separate authentication.  One might try to clean this up with some kind
>of role-based access control [1], but that might not solve the issue
>that by having WebIDs denote people, they prevent people from
>authenticating differently to get different access/behavior.
>>> >
>>> > (It's true some identity providers, like Facebook, forbid a human
>from having multiple accounts.  But I think in response we see humans
>get their additional accounts by using other providers.)
>>> >
>>> > The conclusion I'm tentatively coming to is that WebIDs should be
>1-1 associated with accounts, not people.  As such, they'll be
>associated with authentication, authorization, and profiles, as they
>are now.   But the RDF modelling will have to be different, with things
>like { <webid1> foaf:knows <webid2> } being disallowed.
>>> >
>>> > If we're going to make a change like that, making the WebID one
>hop away from Person, I'd suggest actually making it denote the
>account's profile page, so that it can be a normal URL, denoting an
>Information Resource.
>>> >
>>> >       -- Sandro
>>> >
>>> > [1] http://en.wikipedia.org/wiki/Role-based_access_control
>>> >
>>> 
>> 

Received on Sunday, 18 May 2014 00:05:58 UTC