W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Sandro Hawke <sandro@w3.org>
Date: Sun, 18 May 2014 10:13:01 -0400
Message-ID: <5378BFED.4090908@w3.org>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-webid@w3.org
On 05/18/2014 01:00 AM, Anders Rundgren wrote:
> On 2014-05-18 06:02, Sandro Hawke wrote:
>> On May 17, 2014 2:38:00 PM EDT, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>> ...
>>> In addition, the banks I talk about have at least FOUR MAGNITUDES
>>> more users than WebID-TLS.  That they don't participate in W3C is
>>> strange but OTOH, I don't see much (if any...) browser vendor
>>> interest in WebID or WebPayments so it would be pointless for
>>> banks to join at this stage.  It would be interesting to hear
>>> what the W3C think about this.
>> I'm not quite sure which "this" you mean.
>> In general, W3C tries hard to operate where there is broad industry
>> consensus.  Doing things not endorsed by the major players in some
>> market rarely turns out well.
> W3C supports HTTPS CCA (Client Certificate Authentication) as featured in

Just to correct this small point: W3C has not endorsed WebID-TLS (or 
WebID) in any way.  It has merely provided a forum for the ongoing 
discussion.  This forum is provided to all such efforts, without any 
judgement of the quality or viability of the technology.

(see http://www.w3.org/community/ )

In contrast, there are many technologies that the W3C judges promising 
enough to create a Working Group around, and some of those where the 
output of the WG is judged to be sufficient that W3C actually recommends 
it.    WebID and WebID-TLS are some distance from either of those.

>   but [almost] all big users (almost none being a W3C member...) of
> strong consumer authentication have given up on HTTPS CCA for various reasons
> including those listed on the first page of:
> http://webpki.org/papers/PKI/webauth.pdf
> The analysis performed in this list suggest that these problems ca be fixed by
> adjusting the UI in browsers.  As the document shows, this is a "simplification"
> which thwarts progress as well as being ignored by the browser vendors
> (which BTW are entirely *invisible* in the this list).
>> At the moment the W3C doesn't see anything like consensus around WebID,
> One problem is that WebID *nowadays* only represent a way to represent
> user information, i.e. WebID is NOT an authentication solution.
> How for example banks represent their clients is of no importance to us
> since they rarely (ever?) publish such information on the web for
> consumption by *other* parties.

Personally, I'd very much like to be able to access records of my 
financial transactions online, in standard formats, preferably as Linked 

>> or, I'm thinking, any other technology in that space.
> Well, Google and their followers Microsoft, PayPal, RSA, ARM actually
> launched a *ground-breaking* web-based authentication technology earlier this
> year known as U2F (Universal Two Factor authentication).  For some reason
> they chose to do that in the FIDO Alliance rather than in W3C.

Yeah, I'm not involved in that, but we do have other staff members who 
are closer to that story.   W3C certainly isn't the right place for 
every standards effort.

>> But clearly there are important use cases in this neighborhood,
>> so hopefully there will be some convergence one of these days soon.
> IMO, we are as far from this goal as is technically possible.
> Authentication on the web is at the same state as secure and convenient
> credit-card transactions on the web; i.e. this work haven't actually started!
> Bear in mind that Microsoft over the years have tried a number of things
> and they have all failed miserably like Passport, Information Cards,
> U-Prove and last but not least VSC (Virtual Smart Cards) featured in W8.

My personal theory is they continually underestimate the user's needs 
for personal freedom.   But I don't follow their efforts closely.

It's ironic that my observation about WebID (people vs personas) 
involves the same kind of problem.

>> There are several ways such convergence can be recognized, BTW.
> My 15Y+ experience of such efforts indicates that it requires a VERY INFLUENTIAL
> vendor to get anywhere.  Today this is almost equivalent to Google given their
> 70% market-share in technology for mobile devices.
> The other day I was in a meeting with a vendor who are considering
> doing something in this space in http://www.linaro.org/
> I think this may be a better way of doing things than a traditional
> standardization effort and rather let the market decide what they
> consider "the standard".
> This forum clearly lacks the competence, funding and bandwidth needed
> for creating a standards proposal like U2F.

Indeed, this is just a Community Group, trying to lay the groundwork and 
test the waters for an eventual Working Group, if the stars line up 

>> If the staff didn't pick up on it (and we can't be experts in everything),
> The problem is really how to deal with issues that the big vendors DO NOT
> want to discuss in open forums like authentication on the web.  Web Crypto
> is fine but it has no ties to WebID or banks AFAICT.
>> the representatives from the member organizations can suggest things, preferably getting enthusiastic support from other representatives, etc.
> WebID and WebPayments are in desperate need of support but I don't see it happen.
>> Not sure if I answered your question at all, sorry.
> Thanx


         -- Sandro

> Anders
>>      - Sandro
>>> Anders
Received on Sunday, 18 May 2014 14:13:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC