- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Mon, 19 May 2014 07:30:00 +1000
- To: Seth Russell <russell.seth@gmail.com>
- Cc: "public-webid@w3.org" <public-webid@w3.org>, Sandro Hawke <sandro@w3.org>
- Message-ID: <CAM1Sok1W2Cu+ae0ciGDqpuKKF+PtGobacepcjm_7NoVRiGwdPg@mail.gmail.com>
Imho. Two issues it appears:

1. The use of foaf with webid-tls
2. The ontological lang. used with the tls cert.

If someone wants to build their own identity aggregation service - why preach. I don't like the idea, but some might feel more worried about potential for a split personality...

In other lands, people might want to use the mechanism to identify their computers, assert ACLs, and associate other RDF records - like foaf records - but currently, the people who prefer the funnel style don't provide sufficient bandwidth for the latter potential method.

In an effort not to "build a better funnel", my view is that webid-tls provides a security relation between a person's cloud accounts and their workstation. Really very useful, but a Web ID ontology would be great thanks.

On 18/05/2014 2:35 AM, "Seth Russell" <russell.seth@gmail.com> wrote:

> Well I think most of us tell stories to ourselves and others about who we are. Each story is about a different persona. I think the WebID denotes a particular persona of a particular individual rather than the individual themselves. That way, if a person is consistent among different accounts and profile pages, using always the same identification for who they are being at the time ... er for the same person ... things should not get confused. We are all probably doing that already, but we don't always want to admit it out loud.
>
> seth
>
> the #toothlessfoodie <https://plus.google.com/s/%23toothlessfoodie>
> Facebook: facebook.com/russell.seth
> Blog: fastblogit.com/seth/
> Talking products: www.speaktomecatalog.com
>
> On Sat, May 17, 2014 at 8:57 AM, Sandro Hawke <sandro@w3.org> wrote:
>
>> Summary: Most people will be unwilling to give up the idea of having multiple separate accounts. This calls into question the whole idea of WebID.
>>
>> First off, as an aside, hello everyone. I was in the CG for its first few weeks to help get things started, but then left when it looked like things were well in hand, and I had many other W3C duties. Since then, nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up, and I'm mostly doing R&D, working with TimBL and Andrei Sambra. The work we're doing needs something like WebID.
>>
>> That said, I have to raise a difficult issue. Maybe there's a simple solution I'm just missing, but I fear there is not.
>>
>> The examples in the spec, and what I saw from Henry when he first presented foaf+ssl, show the WebID denoting a person. In the examples, it's often an instance of foaf:Person, and occurs in triples as the subject where the predicate is foaf:name, foaf:knows, etc. Also in triples as the object of foaf:knows.
>>
>> So that means that in RDF, my WebID denotes me. And if I have three different WebIDs, they all denote me. Anything that's said in RDF using one of my WebIDs is equally true to say using any of my other WebIDs, and a reasoner might well infer it. That's how it looks like WebIDs are supposed to work.
>>
>> This is in stark contrast to how most online identity systems work. The usual model is that a person has an account with a particular service provider. In the old days that might have been a bank, while these days it might be some kind of "identity provider" like Google or Facebook. There is important flexibility in this model. I have two Google accounts, and my kids have many among themselves, so on the computers around the house, there are many possible Google accounts saved as possible logins. Behind the scenes, Google may or may not be correctly inferring which humans are attached to each of these accounts, but as long as it doesn't get wrong which accounts can see adult content, or use my credit card, or see/edit particular documents, that's okay. Those important features are attached to accounts, not people, in systems today.
>>
>> FOAF makes this distinction quite clear, with classes foaf:Person and foaf:OnlineAccount. FOAF, quite reasonably, puts relationships like foaf:name and foaf:knows on foaf:Person. It's interesting to know my name and who I know. It might also be interesting to see which of my accounts are linked with other accounts, I suppose, although that's more complicated.
>>
>> I'm not sure exactly why people might have multiple accounts. Sometimes an account is provided by an employer or school and goes along with lots of resources, but also includes restrictions on use or limitations on privacy. Sometimes an account is obtained with a particular service provider, and then one no longer wants to do business with them. Sometimes security on an account is compromised and a backup is needed. Sometimes one just wants to separate parts of life, like work-vs-nonwork. I've asked a few friends if they'd be willing to have exactly one computer account, and gotten an emphatic "No!".
>>
>> So my question might be, can WebID allow that separation? If access control is granted by WebID (as I've always seen it done), and WebID denotes a person (as I've always seen it), and the computer figures out that multiple WebIDs denote the same person (as it's likely to do eventually), then isn't it likely to grant the same access to me no matter which of my WebIDs I'm using? Wouldn't that be the technically correct thing for it to do?
>>
>> In summary: WebID is doing something quite radical in the identity space by identifying humans instead of accounts. Are we sure that's a good thing? It seems like in practice, humans interacting with service providers want to have multiple distinguishable identities with separate authentication. One might try to clean this up with some kind of role-based access control [1], but that might not solve the issue that by having WebIDs denote people, they prevent people from authenticating differently to get different access/behavior.
>>
>> (It's true some identity providers, like Facebook, forbid a human from having multiple accounts. But I think in response we see humans get their additional accounts by using other providers.)
>>
>> The conclusion I'm tentatively coming to is that WebIDs should be 1-1 associated with accounts, not people. As such, they'll be associated with authentication, authorization, and profiles, as they are now. But the RDF modelling will have to be different, with things like { <webid1> foaf:knows <webid2> } being disallowed.
>>
>> If we're going to make a change like that, making the WebID one hop away from Person, I'd suggest actually making it denote the account's profile page, so that it can be a normal URL, denoting an Information Resource.
>>
>> -- Sandro
>>
>> [1] http://en.wikipedia.org/wiki/Role-based_access_control
Received on Sunday, 18 May 2014 21:30:31 UTC
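The access-control consequence Sandro describes (a reasoner concluding that two WebIDs denote one person, so an ACL entry for one of them applies to the other) can be made concrete with a toy triple store. The following is an added illustration, not code from the thread, the WebID spec or any WebID implementation. It assumes one specific merging mechanism, owl:InverseFunctionalProperty on foaf:mbox (FOAF does declare foaf:mbox inverse-functional) plus explicit owl:sameAs, and all WebIDs, mailboxes and resource IRIs are constructed sample values. It contrasts the person-denoting modelling from the spec examples with the account-denoting modelling Sandro proposes.

```python
"""Toy RDF store with two OWL co-reference rules and a WebID ACL check.
Constructed illustration of the person-vs-account modelling question;
not rdflib, not the WebID spec, not any real server."""

FOAF = "http://xmlns.com/foaf/0.1/"
OWL = "http://www.w3.org/2002/07/owl#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Hypothetical WebIDs and resource (constructed, not from the thread).
WORK_ID = "https://work.example/alice#me"
HOME_ID = "https://home.example/alice#me"
PERSON = "https://home.example/alice#person"
DOC = "https://work.example/reports/q1"


def coreference(triples):
    """Return find(node) -> canonical node after applying the two rules a
    WebID-aware reasoner is likely to run: owl:sameAs, and merging subjects
    that share a value of an owl:InverseFunctionalProperty (assumed here to
    be foaf:mbox). Implemented as a small union-find."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = sorted((find(a), find(b)))
        parent[rb] = ra  # deterministic root: lexicographically smaller IRI

    ifps = {s for s, p, o in triples
            if p == RDF_TYPE and o == OWL + "InverseFunctionalProperty"}
    first_holder = {}  # (property, value) -> first subject seen with it
    for s, p, o in triples:
        if p == OWL + "sameAs":
            union(s, o)
        elif p in ifps:
            if (p, o) in first_holder:
                union(s, first_holder[(p, o)])
            else:
                first_holder[(p, o)] = s
    return find


def can_access(triples, grants, resource, webid, reason):
    """grants: {resource: {webid, ...}}. A reasoning server compares
    canonical nodes; a non-reasoning server compares IRIs literally."""
    key = coreference(triples) if reason else (lambda x: x)
    return any(key(g) == key(webid) for g in grants.get(resource, ()))


def person_model():
    """Spec-style: each WebID denotes the person. Both are foaf:Person and
    carry the same mailbox, so a reasoner collapses them into one node."""
    return [
        (FOAF + "mbox", RDF_TYPE, OWL + "InverseFunctionalProperty"),
        (WORK_ID, RDF_TYPE, FOAF + "Person"),
        (WORK_ID, FOAF + "mbox", "mailto:alice@example.org"),
        (HOME_ID, RDF_TYPE, FOAF + "Person"),
        (HOME_ID, FOAF + "mbox", "mailto:alice@example.org"),
    ]


def account_model():
    """Sandro's proposal: each WebID denotes an account. The person node
    carries the mailbox and is linked to each account with foaf:account;
    the accounts share no inverse-functional value and are never merged."""
    return [
        (FOAF + "mbox", RDF_TYPE, OWL + "InverseFunctionalProperty"),
        (PERSON, RDF_TYPE, FOAF + "Person"),
        (PERSON, FOAF + "mbox", "mailto:alice@example.org"),
        (PERSON, FOAF + "account", WORK_ID),
        (PERSON, FOAF + "account", HOME_ID),
        (WORK_ID, RDF_TYPE, FOAF + "OnlineAccount"),
        (HOME_ID, RDF_TYPE, FOAF + "OnlineAccount"),
    ]


GRANTS = {DOC: {WORK_ID}}  # ACL written for the work identity only


def leakage_report():
    """Does presenting the home WebID open the work-only document?"""
    return {
        "person, no reasoning": can_access(person_model(), GRANTS, DOC, HOME_ID, False),
        "person, reasoning": can_access(person_model(), GRANTS, DOC, HOME_ID, True),
        "account, reasoning": can_access(account_model(), GRANTS, DOC, HOME_ID, True),
    }


if __name__ == "__main__":
    for case, allowed in leakage_report().items():
        print(f"{case:22s} -> {'ALLOWED' if allowed else 'denied'}")
```

The middle case is the one the thread is about: nothing in the ACL mentions the home WebID, yet a server that runs ordinary OWL inference over the profiles grants it access because, in the person-denoting model, the two WebIDs are the same individual. In the account-denoting model the merge still happens, but on the person node, which the ACL never names, so the two logins stay separable even under reasoning.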