- From: Sandro Hawke <sandro@w3.org>
- Date: Sat, 17 May 2014 20:05:43 -0400
- To: Timothy Holborn <timothy.holborn@gmail.com>,Melvin Carvalho <melvincarvalho@gmail.com>
- CC: "public-webid@w3.org" <public-webid@w3.org>
On May 17, 2014 5:36:12 PM EDT, Timothy Holborn <timothy.holborn@gmail.com> wrote:
>
>
>Sent from my iPad
>
>> On 18 May 2014, at 7:18 am, Melvin Carvalho
><melvincarvalho@gmail.com> wrote:
>>
>>
>>
>>
>>> On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com>
>wrote:
>>> Timbl has referred to persona in past.
>>
>> Do you have a pointer to this?
>http://lists.w3.org/Archives/Public/public-rww/2014May/0022.html
>>
Oh, very interesting. I haven't found an opportunity to talk to TimBL about this specifically, but it sounds like he's thinking in the same direction. In that email he's very clearly showing a WebID denoting a persona, not a person.
So far this discussion has strengthened my sense that:
- WebIDs to date have been used to denote people and independent software agents
- Users need to authenticate and authorize a different kind of entity, such as an account or persona.
It seems possible to use a WebID to identify a persona/account by saying that persona/account is a software agent of mine. But that certainly conflicts with what Kingsley is saying and may be too confusing.
- Sandro
>>>
>>> The notion of multiple accounts is highly important, for security
>reasons if nothing else. webID has been interpreted as an identity
>aggregation strategy IMHO by some. The spec itself does not mandate
>that use-case.
>>>
>>> (Mind, I've debated the need for other ontological options before)
>>>
>>> Sent from my iPad
>>>
>>> > On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote:
>>> >
>>> > Summary: Most people will be unwilling to give up the idea of
>having multiple separate accounts. This calls into question the whole
>idea of WebID.
>>> >
>>> > First off, as an aside, hello everyone. I was in the CG for its
>first few weeks to help get things started, but then left when it
>looked like things were well in hand, and I had many other W3C duties.
>Since then, nearly all of my Working Groups (SPARQL, RDF, GLD, etc)
>have wrapped up, and I'm mostly doing R&D, working with TimBL and
>Andrei Sambra. The work we're doing needs something like WebID.
>>> >
>>> > That said, I have to raise a difficult issue. Maybe there's a
>simple solution I'm just missing, but I fear there is not.
>>> >
>>> > The examples in the spec, and what I saw from Henry when he first
>presented foaf+ssl, show the WebID denoting a person. In the
>examples, it's often an instance of foaf:Person, and occurs in triples
>as the subject where the predicate is foaf:name, foaf:knows, etc. Also
>in triples as the object of foaf:knows.
>>> >
>>> > So that means that in RDF, my WebID denotes me. And if I have
>three different WebIDs, they all denote me. Anything that's said in
>RDF using one of my WebIDs is equally true to say using any of my other
>WebIDs, and a reasoner might well infer it. That's how it looks like
>WebIDs are supposed to work.
>>> >
>>> > This is in stark contrast to how most online identity systems
>work. The usual model is that a person has an account with a
>particular service provider. In the old days that might have been a
>bank, while these days it might be some kind of "identity provider"
>like Google or Facebook. There is important flexibility in this
>model. I have two Google accounts, and my kids have many among
>themselves, so on the computers around the house, there are many
>possible Google accounts saved as possible logins. Behind the
>scenes, Google may or may not be correctly inferring which humans are
>attached to each of these accounts, but as long as it doesn't get wrong
>which accounts can see adult content, or use my credit card, or
>see/edit particular documents, that's okay. Those important features
>are attached to accounts, not people, in systems today.
>>> >
>>> > FOAF makes this distinction quite clear, with classes foaf:Person
>and foaf:OnlineAccount. FOAF, quite reasonably, puts relationships
>like foaf:name and foaf:knows on foaf:Person. It's interesting to
>know my name and who I know. It might also be interesting to see
>which of my accounts are linked with other accounts, I suppose,
>although that's more complicated.
>>> >
>>> > I'm not sure exactly why people might have multiple accounts.
>Sometimes an account is provided by an employer or school and goes
>along with lots of resources, but also includes restrictions on use or
>limitations on privacy. Sometimes an account is obtained with a
>particular service provider, and then one no longer wants to do
>business with them. Sometimes security on an account is compromised and
>a backup is needed. Sometimes one just wants to separate parts of
>life, like work-vs-nonwork. I've asked a few friends if they'd be
>willing to have exactly one computer account, and gotten an emphatic
>"No!".
>>> >
>>> > So my question might be, can WebID allow that separation? If
>access control is granted by WebID (as I've always seen it done), and
>WebID denotes a person (as I've always seen it), and the computer
>figures out that multiple WebIDs denote the same person (as it's likely
>to do eventually), then isn't it likely to grant the same access to me
>no matter which of my WebIDs I'm using? Wouldn't that be the
>technically correct thing for it to do?
>>> >
>>> > In summary: WebID is doing something quite radical in the identity
>space by identifying humans instead of accounts. Are we sure that's a
>good thing? It seems like in practice, humans interacting with
>service providers want to have multiple distinguishable identities with
>separate authentication. One might try to clean this up with some kind
>of role-based access control [1], but that might not solve the issue
>that by having WebIDs denote people, they prevent people from
>authenticating differently to get different access/behavior.
>>> >
>>> > (It's true some identity providers, like Facebook, forbid a human
>from having multiple accounts. But I think in response we see humans
>get their additional accounts by using other providers.)
>>> >
>>> > The conclusion I'm tentatively coming to is that WebIDs should be
>1-1 associated with accounts, not people. As such, they'll be
>associated with authentication, authorization, and profiles, as they
>are now. But the RDF modelling will have to be different, with things
>like { <webid1> foaf:knows <webid2> } being disallowed.
>>> >
>>> > If we're going to make a change like that, making the WebID one
>hop away from Person, I'd suggest actually making it denote the
>account's profile page, so that it can be a normal URL, denoting an
>Information Resource.
>>> >
>>> > -- Sandro
>>> >
>>> > [1] http://en.wikipedia.org/wiki/Role-based_access_control
>>> >
>>>
>>
Received on Sunday, 18 May 2014 00:05:58 UTC
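The access-collapse scenario Sandro describes (several WebIDs that all denote one person, a reasoner that eventually infers they are the same, and access control keyed on the WebID) as an added, self-contained Python sketch. This is illustration written for this page, not code from the thread, the WebID spec, or any WebID implementation. The graph, the IRIs, the ACLs and the resource name are constructed placeholders, and the "reasoner" is only a minimal owl:sameAs closure (union-find), not a real OWL engine. The second half shows the alternative the thread leans towards: keying authentication and the ACL on an account-level identifier (a foaf:OnlineAccount linked to the person by foaf:account), where person-level identity inference no longer merges the grantees.

```python
"""Why an ACL keyed on person-denoting WebIDs collapses under owl:sameAs
inference, and why account-level identifiers do not. Added example; all
IRIs, triples and ACL entries below are constructed for illustration."""

# Constructed placeholder identifiers (not real WebIDs).
WORK_WEBID = "https://work.example/alice#me"
HOME_WEBID = "https://home.example/alice#me"
WORK_ACCOUNT = "https://work.example/alice/profile"
HOME_ACCOUNT = "https://home.example/alice/profile"
DOC = "https://payroll.example/alice-salary"

# Scenario 1: WebIDs denote foaf:Person. Someone (a profile author, or a
# reasoner that matched names/emails) has asserted the two WebIDs are the
# same individual.
PERSON_LEVEL_GRAPH = [
    (WORK_WEBID, "rdf:type", "foaf:Person"),
    (HOME_WEBID, "rdf:type", "foaf:Person"),
    (WORK_WEBID, "owl:sameAs", HOME_WEBID),
]

# Scenario 2: the same person-level facts, plus distinct foaf:OnlineAccount
# nodes hung off each person IRI. foaf:account is not functional, so merging
# the two persons does not merge their accounts.
ACCOUNT_LEVEL_GRAPH = PERSON_LEVEL_GRAPH + [
    (WORK_WEBID, "foaf:account", WORK_ACCOUNT),
    (HOME_WEBID, "foaf:account", HOME_ACCOUNT),
    (WORK_ACCOUNT, "rdf:type", "foaf:OnlineAccount"),
    (HOME_ACCOUNT, "rdf:type", "foaf:OnlineAccount"),
]


class SameAsReasoner:
    """Minimal identity reasoner: the symmetric, transitive closure of
    owl:sameAs, implemented as union-find over every node in the graph."""

    def __init__(self, triples):
        self.parent = {}
        for s, p, o in triples:
            self._find(s)
            self._find(o)
            if p == "owl:sameAs":
                self._union(s, o)

    def _find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]  # path halving
            node = self.parent[node]
        return node

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra

    def same(self, a, b):
        """True if a and b are inferred to denote the same thing."""
        return self._find(a) == self._find(b)


def check_access(acl, reasoner, presented_id, resource):
    """Grant access if the authenticated identifier is, or is inferred to be
    the same as, any grantee listed for the resource. The ACL is keyed on
    whatever the identifier denotes; the reasoner supplies identity inference."""
    return any(reasoner.same(presented_id, g) for g in acl.get(resource, ()))


# Scenario 1 ACL: only the work WebID was ever granted the payroll document.
PERSON_ACL = {DOC: {WORK_WEBID}}
# Scenario 2 ACL: the grant names the work *account*, not the person.
ACCOUNT_ACL = {DOC: {WORK_ACCOUNT}}


def person_keyed_outcome():
    """With person-denoting WebIDs, the home WebID inherits the work grant
    as soon as the reasoner knows both denote Alice: the separation the
    user wanted is gone, and the reasoner was technically correct."""
    r = SameAsReasoner(PERSON_LEVEL_GRAPH)
    return {
        "work_webid": check_access(PERSON_ACL, r, WORK_WEBID, DOC),
        "home_webid": check_access(PERSON_ACL, r, HOME_WEBID, DOC),
    }


def account_keyed_outcome():
    """With account-level identifiers, the same sameAs inference still
    merges the two person nodes, but the accounts stay distinct, so
    authenticating as the home account does not reach the work grant."""
    r = SameAsReasoner(ACCOUNT_LEVEL_GRAPH)
    return {
        "work_account": check_access(ACCOUNT_ACL, r, WORK_ACCOUNT, DOC),
        "home_account": check_access(ACCOUNT_ACL, r, HOME_ACCOUNT, DOC),
    }


if __name__ == "__main__":
    print("person-keyed ACL :", person_keyed_outcome())
    print("account-keyed ACL:", account_keyed_outcome())
```

The point to take from the sketch is that the collapse in the first scenario is not a bug in the reasoner or in the ACL check; both behave correctly given that the WebID denotes a person. Separation of access only survives when the thing being authenticated and the thing named in the grant is the account, which is what the proposal to make WebIDs 1-1 with accounts amounts to.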