W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 18 May 2014 07:00:33 +0200
Message-ID: <53783E71.8040003@gmail.com>
To: Sandro Hawke <sandro@w3.org>, public-webid@w3.org
On 2014-05-18 06:02, Sandro Hawke wrote:
> On May 17, 2014 2:38:00 PM EDT, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> ...
>>
>> In addition, the banks I talk about have at least FOUR MAGNITUDES
>> more users than WebID-TLS.  That they don't participate in W3C is
>> strange but OTOH, I don't see much (if any...) browser vendor
>> interest in WebID or WebPayments so it would be pointless for
>> banks to join at this stage.  It would be interesting to hear
>> what the W3C think about this.
> 
> I'm not quite sure which "this" you mean.
> 
> In general, W3C tries hard to operate where there is broad industry
> consensus.  Doing things not endorsed by the major players in some
> market rarely turns out well.

W3C supports HTTPS CCA (Client Certificate Authentication) as featured in
WebID-TLS but [almost] all big users (almost none being a W3C member...) of
strong consumer authentication have given up on HTTPS CCA for various reasons
including those listed on the first page of:
http://webpki.org/papers/PKI/webauth.pdf

The analysis performed in this list suggest that these problems ca be fixed by
adjusting the UI in browsers.  As the document shows, this is a "simplification"
which thwarts progress as well as being ignored by the browser vendors
(which BTW are entirely *invisible* in the this list).


> At the moment the W3C doesn't see anything like consensus around WebID,

One problem is that WebID *nowadays* only represent a way to represent
user information, i.e. WebID is NOT an authentication solution.

How for example banks represent their clients is of no importance to us
since they rarely (ever?) publish such information on the web for
consumption by *other* parties.


> or, I'm thinking, any other technology in that space.

Well, Google and their followers Microsoft, PayPal, RSA, ARM actually
launched a *ground-breaking* web-based authentication technology earlier this
year known as U2F (Universal Two Factor authentication).  For some reason
they chose to do that in the FIDO Alliance rather than in W3C.


> But clearly there are important use cases in this neighborhood,
> so hopefully there will be some convergence one of these days soon.

IMO, we are as far from this goal as is technically possible.
Authentication on the web is at the same state as secure and convenient
credit-card transactions on the web; i.e. this work haven't actually started!

Bear in mind that Microsoft over the years have tried a number of things
and they have all failed miserably like Passport, Information Cards,
U-Prove and last but not least VSC (Virtual Smart Cards) featured in W8.


> There are several ways such convergence can be recognized, BTW.

My 15Y+ experience of such efforts indicates that it requires a VERY INFLUENTIAL
vendor to get anywhere.  Today this is almost equivalent to Google given their
70% market-share in technology for mobile devices.

The other day I was in a meeting with a vendor who are considering
doing something in this space in http://www.linaro.org/
I think this may be a better way of doing things than a traditional
standardization effort and rather let the market decide what they
consider "the standard".

This forum clearly lacks the competence, funding and bandwidth needed
for creating a standards proposal like U2F.


> If the staff didn't pick up on it (and we can't be experts in everything),

The problem is really how to deal with issues that the big vendors DO NOT
want to discuss in open forums like authentication on the web.  Web Crypto
is fine but it has no ties to WebID or banks AFAICT.



> the representatives from the member organizations can suggest things, preferably getting enthusiastic support from other representatives, etc.

WebID and WebPayments are in desperate need of support but I don't see it happen.

> 
> Not sure if I answered your question at all, sorry.

Thanx
Anders

> 
>     - Sandro
> 
>>
>> Anders
> 
> 
Received on Sunday, 18 May 2014 05:01:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC