Re: Should WebIDs denote people or accounts?

On 18 May 2014 22:41, Sandro Hawke <sandro@w3.org> wrote:

>  On 05/18/2014 01:54 PM, Melvin Carvalho wrote:
>
>
>
>
> On 18 May 2014 19:16, Sandro Hawke <sandro@w3.org> wrote:
>
>> On 05/18/2014 12:26 PM, Kingsley Idehen wrote:
>>
>>> On 5/18/14 11:13 AM, Sandro Hawke wrote:
>>>
>>>> On May 18, 2014 11:01:38 AM EDT, Kingsley Idehen <
>>>> kidehen@openlinksw.com> wrote:
>>>>
>>>>> On 5/17/14 8:05 PM, Sandro Hawke wrote:
>>>>>
>>>>>> Oh, very interesting.   I haven't found an opportunity to talk to
>>>>>>
>>>>> TimBL about this specifically, but it sounds like he's thinking in the
>>>>> same direction.   In that email he's very clearly showing a WebID
>>>>> denoting a persona, not a person.
>>>>> Sandro,
>>>>>
>>>>> A WebID denoting an Agent isn't disjoint with the notion of personae.
>>>>>
>>>> I'm fairly sure it is, Kingsley.
>>>>
>>>> If my WebIDs all denote me, then you can't grant access to one without
>>>> granting it to all, by RDF semantics.
>>>>
>>>
>>> Why are you assuming that any of my profile documents have an owl:sameAs
>>> relation, connection the identities denoted by the HTTP URI based
>>> Identifiers? Likewise, if there's no relation facilitated by an IFP how do
>>> you arrive at such, via semantics expressed in RDF based relations?
>>>
>>>
>>  That assumption is not required.
>>
>> By the RDF Semantics, if two RDF IRIs denote the same thing, then all RDF
>> triples that are true using one are also true using the other.
>>
>> What you're talking about is whether a machine might be able to figure
>> out that truth.
>>
>> If I have two different WebIDs that denote me, and you grant access to
>> one of them, it's true a machine might not immediately figure out that that
>> other one also denotes me and should be granted equal access.  But if it
>> ever did, it would be correct in doing so.  And I'm betting, with machines
>> getting access to more and more data all the time, and doing more and more
>> reasoning with it, it would figure that out pretty soon.
>>
>> It sounds like you're proposing building an authorization infrastructure
>> that relies on machines not doing exactly what we're trying to get them to
>> do everywhere else.  Sounds a bit like trying to hold back a river with
>> your hands.
>
>
>  Consider 3 scenarios:
>
>  1. If Sandro arrives, please let him in
>
>  2. If Sandro arrives, please let him in, he will be carrying his driving
> license
>
>  3. If someone arrives with Sandro's driving license, please let them in
>
>
> Can we change that from "driving license" to "house key"?   The license,
> bearing my name and photo is less transferable.   Maybe it doesn't matter.
>

Sure.


>
>
>   If I've understood correctly
>
> (1) is how WebID commonly works today with authorization.
>
>    Yes.
>
>
>   (2) is a restriction that could be added (eg let sando login with
> twitter) but something we dont do right now
>
>    Right.
>
>
>   (3) is a what is being proposed, as being more common, online
>
>    Right.
>
>
>   I think we do all three of these already today
>
>    I'm not sure what you mean -- on number 2, you said we don't do that
> right now.   Maybe it's different "we"?
>

Apologies: we *can* do all 3 of these today.  We just dont have the
vocabulary in the access control rule to add this restriction.  Perhaps
it's more complex than a simple restrict concept (probably!) ... but it's
conceivable we could add this, I think.


>
>
>   Why would (3) be preferred over (1)?
>
>
>
> (3) is preferable to (1) because humans are complex creatures with complex
> lives and don't always want to be locked into tight boxes in their
> relationships with computers.
>
> I think Google probably came to this realization fairly slowly, and
> Facebook hasn't come to it yet.
>

Right, I've seen these flows on both facebook with a single identity, and
google plus with multiple.  Both have merits, imho.


>
> (1) is more intrusive/controlling in people's live than (3), and goes
> against current Best Practice in computer security.
>

OK, got it.  Thanks for explaining, will think it over.


>
>       -- Sandro
>
>
>
>
>>
>>
>>>> To avoid that undesired fate, I think you need WebIDs to denote
>>>> personas.
>>>>
>>>
>>> No, a persona is derived from the claims that coalesce around an
>>> identifier. A persona is a form of identification. A collection of RDF
>>> claims give you a persona.
>>>
>>>     As I mentioned, those personas might be software agents, but they
>>>> are clearly not people.
>>>>
>>>
>>> WebIDs denote Agents. An Agent could be a Person, Organization, or
>>> Machine (soft or hard). You can make identification oriented claims in a
>>> Profile Document using RDF based on a WebID.
>>>
>>>
>>  The question is, what kind of triples are being written with WebIDs, and
>> what happens when machines figure out all my WebIDs denote me? Are you
>> really being careful with every triple you write using WebIDs to make sure
>> it will still be exactly what you want to say when a reasoner adds more
>> triples just like it using my other WebIDs?
>>
>> It sounds to me like you are not.   It sounds to me like you're just
>> assuming that certain valid inferences will never be made.
>>
>>
>>
>>  We don't have a problem have a problem here at all.
>>>
>>>
>>  I'm suggesting that perhaps you haven't yet noticed the oncoming train,
>> Inference.
>>
>>      -- Sandro
>>
>>
>>
>>> Kingsley
>>>
>>>>
>>>>      - Sandro
>>>>
>>>>  When I demonstrate WebIDs across Facebook, LinkedIn Twitter, G+, and
>>>>> many other social media spaces [2][3], I actually refer to the whole
>>>>> things as being about a given persona.  None of that negates the fact
>>>>> that a WebID denotes an Agent.
>>>>>
>>>>> We have to loosely couple:
>>>>>
>>>>> 1. identity
>>>>> 2. identifiers
>>>>> 3. identification
>>>>> 4. identity verification (e.g., when authenticating identification)
>>>>> 5. trust.
>>>>>
>>>>> Claims represented as RDF statements handle 1-5, naturally. We don't
>>>>> have a problem here, really.
>>>>>
>>>>>
>>>>> [1] http://www.merriam-webster.com/dictionary/persona
>>>>> [2] https://twitter.com/kidehen/status/419578364551499776
>>>>> [3] https://plus.google.com/+KingsleyIdehen/posts/1pmt4gWWae2
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>