W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Sandro Hawke <sandro@w3.org>
Date: Sun, 18 May 2014 16:41:20 -0400
Message-ID: <53791AF0.6050805@w3.org>
To: Melvin Carvalho <melvincarvalho@gmail.com>
CC: public-webid <public-webid@w3.org>
On 05/18/2014 01:54 PM, Melvin Carvalho wrote:
>
>
>
> On 18 May 2014 19:16, Sandro Hawke <sandro@w3.org 
> <mailto:sandro@w3.org>> wrote:
>
>     On 05/18/2014 12:26 PM, Kingsley Idehen wrote:
>
>         On 5/18/14 11:13 AM, Sandro Hawke wrote:
>
>             On May 18, 2014 11:01:38 AM EDT, Kingsley Idehen
>             <kidehen@openlinksw.com <mailto:kidehen@openlinksw.com>>
>             wrote:
>
>                 On 5/17/14 8:05 PM, Sandro Hawke wrote:
>
>                     Oh, very interesting.   I haven't found an
>                     opportunity to talk to
>
>                 TimBL about this specifically, but it sounds like he's
>                 thinking in the
>                 same direction.   In that email he's very clearly
>                 showing a WebID
>                 denoting a persona, not a person.
>                 Sandro,
>
>                 A WebID denoting an Agent isn't disjoint with the
>                 notion of personae.
>
>             I'm fairly sure it is, Kingsley.
>
>             If my WebIDs all denote me, then you can't grant access to
>             one without granting it to all, by RDF semantics.
>
>
>         Why are you assuming that any of my profile documents have an
>         owl:sameAs relation, connection the identities denoted by the
>         HTTP URI based Identifiers? Likewise, if there's no relation
>         facilitated by an IFP how do you arrive at such, via semantics
>         expressed in RDF based relations?
>
>
>     That assumption is not required.
>
>     By the RDF Semantics, if two RDF IRIs denote the same thing, then
>     all RDF triples that are true using one are also true using the other.
>
>     What you're talking about is whether a machine might be able to
>     figure out that truth.
>
>     If I have two different WebIDs that denote me, and you grant
>     access to one of them, it's true a machine might not immediately
>     figure out that that other one also denotes me and should be
>     granted equal access.  But if it ever did, it would be correct in
>     doing so.  And I'm betting, with machines getting access to more
>     and more data all the time, and doing more and more reasoning with
>     it, it would figure that out pretty soon.
>
>     It sounds like you're proposing building an authorization
>     infrastructure that relies on machines not doing exactly what
>     we're trying to get them to do everywhere else.  Sounds a bit like
>     trying to hold back a river with your hands.
>
>
> Consider 3 scenarios:
>
> 1. If Sandro arrives, please let him in
>
> 2. If Sandro arrives, please let him in, he will be carrying his 
> driving license
>
> 3. If someone arrives with Sandro's driving license, please let them in
>

Can we change that from "driving license" to "house key"?   The license, 
bearing my name and photo is less transferable.   Maybe it doesn't matter.

> If I've understood correctly
>
> (1) is how WebID commonly works today with authorization.
>
Yes.

> (2) is a restriction that could be added (eg let sando login with 
> twitter) but something we dont do right now
>
Right.

> (3) is a what is being proposed, as being more common, online
>
Right.

> I think we do all three of these already today
>
I'm not sure what you mean -- on number 2, you said we don't do that 
right now.   Maybe it's different "we"?

> Why would (3) be preferred over (1)?

(3) is preferable to (1) because humans are complex creatures with 
complex lives and don't always want to be locked into tight boxes in 
their relationships with computers.

I think Google probably came to this realization fairly slowly, and 
Facebook hasn't come to it yet.

(1) is more intrusive/controlling in people's live than (3), and goes 
against current Best Practice in computer security.

       -- Sandro


>
>
>
>             To avoid that undesired fate, I think you need WebIDs to
>             denote personas.
>
>
>         No, a persona is derived from the claims that coalesce around
>         an identifier. A persona is a form of identification. A
>         collection of RDF claims give you a persona.
>
>                As I mentioned, those personas might be software
>             agents, but they are clearly not people.
>
>
>         WebIDs denote Agents. An Agent could be a Person,
>         Organization, or Machine (soft or hard). You can make
>         identification oriented claims in a Profile Document using RDF
>         based on a WebID.
>
>
>     The question is, what kind of triples are being written with
>     WebIDs, and what happens when machines figure out all my WebIDs
>     denote me? Are you really being careful with every triple you
>     write using WebIDs to make sure it will still be exactly what you
>     want to say when a reasoner adds more triples just like it using
>     my other WebIDs?
>
>     It sounds to me like you are not.   It sounds to me like you're
>     just assuming that certain valid inferences will never be made.
>
>
>
>         We don't have a problem have a problem here at all.
>
>
>     I'm suggesting that perhaps you haven't yet noticed the oncoming
>     train, Inference.
>
>          -- Sandro
>
>
>
>         Kingsley
>
>
>                  - Sandro
>
>                 When I demonstrate WebIDs across Facebook, LinkedIn
>                 Twitter, G+, and
>                 many other social media spaces [2][3], I actually
>                 refer to the whole
>                 things as being about a given persona.  None of that
>                 negates the fact
>                 that a WebID denotes an Agent.
>
>                 We have to loosely couple:
>
>                 1. identity
>                 2. identifiers
>                 3. identification
>                 4. identity verification (e.g., when authenticating
>                 identification)
>                 5. trust.
>
>                 Claims represented as RDF statements handle 1-5,
>                 naturally. We don't
>                 have a problem here, really.
>
>
>                 [1] http://www.merriam-webster.com/dictionary/persona
>                 [2] https://twitter.com/kidehen/status/419578364551499776
>                 [3]
>                 https://plus.google.com/+KingsleyIdehen/posts/1pmt4gWWae2
>
>
>
>
>
>
>
>
>
Received on Sunday, 18 May 2014 20:41:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC