public-webid@w3.org mailing list archive, May 2014

Re: Should WebIDs denote people or accounts?

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 18 May 2014 16:54:35 +0200
Message-ID: <5378C9AB.6010504@gmail.com>
To: Sandro Hawke <sandro@w3.org>, public-webid@w3.org
On 2014-05-18 16:13, Sandro Hawke wrote:
> On 05/18/2014 01:00 AM, Anders Rundgren wrote:
>> On 2014-05-18 06:02, Sandro Hawke wrote:
>>> On May 17, 2014 2:38:00 PM EDT, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>> ...
>>>> In addition, the banks I talk about have at least FOUR MAGNITUDES
>>>> more users than WebID-TLS.  That they don't participate in W3C is
>>>> strange but OTOH, I don't see much (if any...) browser vendor
>>>> interest in WebID or WebPayments so it would be pointless for
>>>> banks to join at this stage.  It would be interesting to hear
>>>> what the W3C thinks about this.
>>> I'm not quite sure which "this" you mean.
>>> In general, W3C tries hard to operate where there is broad industry
>>> consensus.  Doing things not endorsed by the major players in some
>>> market rarely turns out well.
>> W3C supports HTTPS CCA (Client Certificate Authentication) as featured in
>> WebID-TLS
> Just to correct this small point: W3C has not endorsed WebID-TLS (or
> WebID) in any way.  It has merely provided a forum for the ongoing
> discussion.  This forum is provided to all such efforts, without any
> judgement of the quality or viability of the technology.
> (see http://www.w3.org/community/ )
> In contrast, there are many technologies that the W3C judges promising
> enough to create a Working Group around, and some of those where the
> output of the WG is judged to be sufficient that W3C actually recommends
> it.    WebID and WebID-TLS are some distance from either of those.
>>    but [almost] all big users (almost none being a W3C member...) of
>> strong consumer authentication have given up on HTTPS CCA for various reasons
>> including those listed on the first page of:
>> http://webpki.org/papers/PKI/webauth.pdf
>> The analysis performed in this list suggests that these problems can be fixed by
>> adjusting the UI in browsers.  As the document shows, this is a "simplification"
>> which thwarts progress as well as being ignored by the browser vendors
>> (which BTW are entirely *invisible* in this list).
>>> At the moment the W3C doesn't see anything like consensus around WebID,
>> One problem is that WebID *nowadays* only represents a way to represent
>> user information, i.e. WebID is NOT an authentication solution.
>> How for example banks represent their clients is of no importance to us
>> since they rarely (ever?) publish such information on the web for
>> consumption by *other* parties.
> Personally, I'd very much like to be able to access records of my
> financial transactions online, in standard formats, preferably as Linked
> Data.
>>> or, I'm thinking, any other technology in that space.
>> Well, Google and their followers Microsoft, PayPal, RSA, ARM actually
>> launched a *ground-breaking* web-based authentication technology earlier this
>> year known as U2F (Universal Two Factor authentication).  For some reason
>> they chose to do that in the FIDO Alliance rather than in W3C.
> Yeah, I'm not involved in that, but we do have other staff members who
> are closer to that story.   W3C certainly isn't the right place for
> every standards effort.
>>> But clearly there are important use cases in this neighborhood,
>>> so hopefully there will be some convergence one of these days soon.
>> IMO, we are as far from this goal as is technically possible.
>> Authentication on the web is at the same state as secure and convenient
>> credit-card transactions on the web; i.e. this work hasn't actually started!
>> Bear in mind that Microsoft over the years have tried a number of things
>> and they have all failed miserably like Passport, Information Cards,
>> U-Prove and last but not least VSC (Virtual Smart Cards) featured in W8.
> My personal theory is they continually underestimate the user's needs
> for personal freedom.   But I don't follow their efforts closely.

The core problem is that Microsoft never bothered about the parties
that already deployed strong authentication.  This is though quite
logical since nobody intends to pay a nickel for that either.

> It's ironic that my observation about WebID (people vs personas)
> involves the same kind of problem.

I don't think banks see this as a problem, *they* define whatever
they believe is applicable.  Does Facebook have a problem with this?
I must admit that I don't see this as a problem except maybe in
the context of WebID.

Having multiple personas is fully established and performed through
different logins.  It would be pointless for WebID to try to change
this.  Looking for the exact border between account and person
seems awfully difficult, then you might as well consider "role"
also, right?

IMO you always login as a person and then the back-end (server)
provides you with the rest.

>>> There are several ways such convergence can be recognized, BTW.
>> My 15Y+ experience of such efforts indicates that it requires a VERY INFLUENTIAL
>> vendor to get anywhere.  Today this is almost equivalent to Google given their
>> 70% market-share in technology for mobile devices.
>> The other day I was in a meeting with a vendor who is considering
>> doing something in this space in http://www.linaro.org/
>> I think this may be a better way of doing things than a traditional
>> standardization effort and rather let the market decide what they
>> consider "the standard".
>> This forum clearly lacks the competence, funding and bandwidth needed
>> for creating a standards proposal like U2F.
> Indeed, this is just a Community Group, trying to lay the groundwork and
> test the waters for an eventual Working Group, if the stars line up
> properly.

Since this has been going on forever we can conclude that they won't
do that and rather gear up for something else, here mainly thinking
about WebID-TLS.

>>> If the staff didn't pick up on it (and we can't be experts in everything),
>> The problem is really how to deal with issues that the big vendors DO NOT
>> want to discuss in open forums like authentication on the web.  Web Crypto
>> is fine but it has no ties to WebID or banks AFAICT.
>>> the representatives from the member organizations can suggest things, preferably getting enthusiastic support from other representatives, etc.
>> WebID and WebPayments are in desperate need of support but I don't see it happen.
>>> Not sure if I answered your question at all, sorry.
>> Thanx
> Sure!


>           -- Sandro
>> Anders
>>>       - Sandro
>>>> Anders
Received on Sunday, 18 May 2014 14:55:12 UTC