- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Sun, 18 May 2014 13:25:15 +1000
- To: Sandro Hawke <sandro@w3.org>
- Cc: "public-webid@w3.org" <public-webid@w3.org>, Melvin Carvalho <melvincarvalho@gmail.com>
- Message-ID: <CAM1Sok3t3ryFWj3tKMAzNRypcXGWaZoiBqXL3gcdB+heB3AG_w@mail.gmail.com>
On 18/05/2014 10:05 AM, "Sandro Hawke" <sandro@w3.org> wrote:

> On May 17, 2014 5:36:12 PM EDT, Timothy Holborn <timothy.holborn@gmail.com> wrote:
>
>> Sent from my iPad
>>
>>> On 18 May 2014, at 7:18 am, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>>>
>>>> On 17 May 2014 22:30, Timothy Holborn <timothy.holborn@gmail.com> wrote:
>>>> Timbl has referred to persona in past.
>>>
>>> Do you have a pointer to this?
>>
>> http://lists.w3.org/Archives/Public/public-rww/2014May/0022.html
>
> Oh, very interesting. I haven't found an opportunity to talk to TimBL about this specifically, but it sounds like he's thinking in the same direction. In that email he's very clearly showing a WebID denoting a persona, not a person.

I think multiple persona could be linked to the same WebID-TLS cert, as the cert clarifies a relationship between a person / agent, and a machine. Use-case could be made to associate to a rww-storage location (for a specified persona, linked to an approved person / agent) and perhaps also support oauth, or similar. (Password + webid/webid-tls enabling different persona / acls / rdf data structures)

> So far this discussion has strengthened my sense that:
>
> - WebIDs to date have been used to denote people and independent software agents
>
> - Users need to authenticate and authorize a different kind of entity, such as an account or persona.
>
> It seems possible to use a WebID to identify a persona/account by saying that persona/account is a software agent of mine. But that certainly conflicts with what Kinsley is saying and may be too confusing.
>
> - Sandro
>
>>>> The notion of multiple accounts is highly important, for security reasons if nothing else. webID has been interpreted as an identity aggregation strategy IMHO by some. The spec itself does not mandate that use-case.
>>>>
>>>> (Mind, I've debated the need for other ontological options before)
>>>>
>>>> Sent from my iPad
>>>>
>>>>> On 18 May 2014, at 1:57 am, Sandro Hawke <sandro@w3.org> wrote:
>>>>>
>>>>> Summary: Most people will be unwilling to give up the idea of having multiple separate accounts. This calls into question the whole idea of WebID.
>>>>>
>>>>> First off, as an aside, hello everyone. I was in the CG for its first few weeks to help get things started, but then left when it looked like things were well in hand, and I had many other W3C duties. Since then, nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up, and I'm mostly doing R&D, working with TimBL and Andrei Sambra. The work we're doing needs something like WebID.
>>>>>
>>>>> That said, I have to raise a difficult issue. Maybe there's a simple solution I'm just missing, but I fear there is not.
>>>>>
>>>>> The examples in the spec, and what I saw from Henry when he first presented foaf+ssl, show the WebID denoting a person. In the examples, it's often an instance of foaf:Person, and occurs in triples as the subject where the predicate is foaf:name, foaf:knows, etc. Also in triples as the object of foaf:knows.
>>>>>
>>>>> So that means that in RDF, my WebID denotes me. And if I have three different WebIDs, they all denote me. Anything that's said in RDF using one of my WebIDs is equally true to say using any of my other WebIDs, and a reasoner might well infer it. That's how it looks like WebIDs are supposed to work.
>>>>>
>>>>> This is in stark contrast to how most online identity systems work. The usual model is that a person has an account with a particular service provider. In the old days that might have been a bank, while these days it might be some kind of "identity provider" like Google or Facebook. There is important flexibility in this model. I have two Google accounts, and my kids have many among themselves, so on the computers around the house, there are many possible Google accounts saved as possible logins. Behind the scenes, Google may or may not be correctly inferring which humans are attached to each of these accounts, but as long as it doesn't get wrong which accounts can see adult content, or use my credit card, or see/edit particular documents, that's okay. Those important features are attached to accounts, not people, in systems today.
>>>>>
>>>>> FOAF makes this distinction quite clear, with classes foaf:Person and foaf:OnlineAccount. FOAF, quite reasonably, puts relationships like foaf:name and foaf:knows on foaf:Person. It's interesting to know my name and who I know. It might also be interesting to see which of my accounts are linked with other accounts, I suppose, although that's more complicated.
>>>>>
>>>>> I'm not sure exactly why people might have multiple accounts. Sometimes an account is provided by an employer or school and goes along with lots of resources, but also includes restrictions on use or limitations on privacy. Sometimes an account is obtained with a particular service provider, and then one no longer wants to do business with them. Sometimes security on an account is compromised and a backup is needed. Sometimes one just wants to separate parts of life, like work-vs-nonwork. I've asked a few friends if they'd be willing to have exactly one computer account, and gotten an emphatic "No!".
>>>>>
>>>>> So my question might be, can WebID allow that separation? If access control is granted by WebID (as I've always seen it done), and WebID denotes a person (as I've always seen it), and the computer figures out that multiple WebIDs denote the same person (as it's likely to do eventually), then isn't it likely to grant the same access to me no matter which of my WebIDs I'm using? Wouldn't that be the technically correct thing for it to do?
>>>>>
>>>>> In summary: WebID is doing something quite radical in the identity space by identifying humans instead of accounts. Are we sure that's a good thing? It seems like in practice, humans interacting with service providers want to have multiple distinguishable identities with separate authentication. One might try to clean this up with some kind of role-based access control [1], but that might not solve the issue that by having WebIDs denote people, they prevent people from authenticating differently to get different access/behavior.
>>>>>
>>>>> (It's true some identity providers, like Facebook, forbid a human from having multiple accounts. But I think in response we see humans get their additional accounts by using other providers.)
>>>>>
>>>>> The conclusion I'm tentatively coming to is that WebIDs should be 1-1 associated with accounts, not people. As such, they'll be associated with authentication, authorization, and profiles, as they are now. But the RDF modelling will have to be different, with things like { <webid1> foaf:knows <webid2> } being disallowed.
>>>>>
>>>>> If we're going to make a change like that, making the WebID one hop away from Person, I'd suggest actually making it denote the account's profile page, so that it can be a normal URL, denoting an Information Resource.
>>>>>
>>>>> -- Sandro
>>>>>
>>>>> [1] http://en.wikipedia.org/wiki/Role-based_access_control
Received on Sunday, 18 May 2014 03:25:44 UTC
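The access-control consequence Sandro describes in the quoted message (an ACL keyed on a WebID that denotes a person collapses across all of that person's WebIDs once a reasoner links them, whereas an ACL keyed on an account does not) can be shown with a few constructed triples. The following is an added example written for this page; it is not code from the thread, from the WebID specification, or from any WebID implementation. The WebIDs, resource URIs, blank nodes, and the use of `owl:sameAs`, `acl:agent`, `acl:accessTo` and `foaf:account` as plain string predicates are all assumptions made for the demonstration; the tiny in-memory store stands in for a real RDF library.

```python
# Added example, not from the mailing-list thread. Two constructed scenarios:
#  1. "WebID denotes a person": a reasoner learns that two WebIDs are the same
#     person (owl:sameAs), so a grant made to one WebID reaches the other.
#  2. "WebID denotes an account": the person is one hop away via foaf:account,
#     the two accounts are never identified with each other, and the grant
#     stays with the account it was given to.
# All URIs, blank nodes and triples below are constructed for this demo.

SAME_AS = "owl:sameAs"          # assumed predicate: two URIs denote the same thing
ACL_AGENT = "acl:agent"         # assumed predicate: WebID a grant applies to
ACL_ACCESS_TO = "acl:accessTo"  # assumed predicate: resource the grant covers
FOAF_ACCOUNT = "foaf:account"   # assumed predicate: person -> one of their accounts

PAYROLL = "https://work.example/payroll"   # constructed resource URI


class TripleStore:
    """Minimal set-of-tuples RDF-style store (stand-in for a real library)."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}

    def same_as_closure(self, node):
        """Symmetric, transitive closure of owl:sameAs starting at `node`:
        the set of URIs a reasoner would treat as denoting the same thing."""
        seen, stack = {node}, [node]
        while stack:
            cur = stack.pop()
            for (s, p, o) in self.triples:
                if p != SAME_AS:
                    continue
                nxt = o if s == cur else (s if o == cur else None)
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen


def allowed_resources(store, webid, reason_over_identity):
    """Resources `webid` may access under the store's ACL.

    reason_over_identity=True: the ACL is evaluated against every URI the
    reasoner considers the same entity as `webid` (the 'technically correct'
    behaviour Sandro asks about). False: only the exact WebID named in a
    grant counts, i.e. the inference is deliberately ignored.
    """
    identities = store.same_as_closure(webid) if reason_over_identity else {webid}
    allowed = set()
    for (authz, p, agent) in store.triples:
        if p == ACL_AGENT and agent in identities:
            allowed |= store.objects(authz, ACL_ACCESS_TO)
    return allowed


def person_model():
    """Scenario 1: both WebIDs denote the same human; one grant on the work WebID."""
    work = "https://work.example/tim#me"   # constructed WebID
    home = "https://home.example/tim#me"   # constructed WebID
    s = TripleStore()
    s.add("_:authz1", ACL_AGENT, work)
    s.add("_:authz1", ACL_ACCESS_TO, PAYROLL)
    # The reasoner (or a published profile) concludes both WebIDs are one person.
    s.add(work, SAME_AS, home)
    return s, work, home


def account_model():
    """Scenario 2: WebIDs denote accounts; the person links to both via foaf:account."""
    person = "https://home.example/tim#me"                # constructed person URI
    work_acct = "https://work.example/tim#account"        # constructed account WebID
    home_acct = "https://home.example/tim#account"        # constructed account WebID
    s = TripleStore()
    s.add(person, FOAF_ACCOUNT, work_acct)
    s.add(person, FOAF_ACCOUNT, home_acct)
    s.add("_:authz1", ACL_AGENT, work_acct)
    s.add("_:authz1", ACL_ACCESS_TO, PAYROLL)
    return s, work_acct, home_acct


def demo():
    """Return what each WebID can reach under each modelling choice."""
    ps, work, home = person_model()
    as_, work_acct, home_acct = account_model()
    return {
        "person_model_work_access": allowed_resources(ps, work, True),
        "person_model_home_access": allowed_resources(ps, home, True),   # leaks
        "person_model_home_no_reasoning": allowed_resources(ps, home, False),
        "account_model_work_access": allowed_resources(as_, work_acct, True),
        "account_model_home_access": allowed_resources(as_, home_acct, True),  # stays separate
    }


if __name__ == "__main__":
    for name, resources in demo().items():
        print(f"{name}: {sorted(resources)}")
```

Under the person model, the home WebID reaches the payroll document as soon as the `owl:sameAs` link is known, and the only way to keep it out is to refuse the inference (`reason_over_identity=False`), which is exactly the tension in the quoted message. Under the account model, the same closure runs but finds nothing to merge, because knowing which person owns both accounts does not make the accounts interchangeable.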