W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Sandro Hawke <sandro@w3.org>
Date: Sun, 18 May 2014 20:31:52 -0400
Message-ID: <537950F8.40202@w3.org>
To: Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
On 05/18/2014 07:47 PM, Kingsley Idehen wrote:
> On 5/18/14 1:16 PM, Sandro Hawke wrote:
>> On 05/18/2014 12:26 PM, Kingsley Idehen wrote:
>>> On 5/18/14 11:13 AM, Sandro Hawke wrote:
>>>> On May 18, 2014 11:01:38 AM EDT, Kingsley Idehen 
>>>> <kidehen@openlinksw.com> wrote:
>>>>> On 5/17/14 8:05 PM, Sandro Hawke wrote:
>>>>>> Oh, very interesting.   I haven't found an opportunity to talk to
>>>>> TimBL about this specifically, but it sounds like he's thinking in 
>>>>> the
>>>>> same direction.   In that email he's very clearly showing a WebID
>>>>> denoting a persona, not a person.
>>>>> Sandro,
>>>>> A WebID denoting an Agent isn't disjoint with the notion of personae.
>>>> I'm fairly sure it is, Kingsley.
>>>> If my WebIDs all denote me, then you can't grant access to one 
>>>> without granting it to all, by RDF semantics.
>>> Why are you assuming that any of my profile documents have an 
>>> owl:sameAs relation, connection the identities denoted by the HTTP 
>>> URI based Identifiers? Likewise, if there's no relation facilitated 
>>> by an IFP how do you arrive at such, via semantics expressed in RDF 
>>> based relations?
>> That assumption is not required.
>> By the RDF Semantics, if two RDF IRIs denote the same thing, then all 
>> RDF triples that are true using one are also true using the other.
> How do you know that two IRIs denote the same thing without an 
> owl:sameAs relation? Or without participation in an IFP based 
> relation? How do you arrive a such conclusions?
> If a WebID doesn't resolve to an Identity Card (or Profile Document) 
> comprised of owl:sameAs or IFP based relations, how can you claim 
> coreference? You only know that two or more IRIs denote the same thing 
> by way of discernible and comprehensible relations.

You're putting the burden of proof in the wrong place.

You (and the rest of of the WebID community, including me until about 5 
days ago) model the world in such a way that if your access-control 
reasoner ever got hold of some forbidden knowledge (the perfectly 
correct fact that two my WebIDs co-refer) it would do the wrong thing.

That sounds to me like a fundamentally flawed design for an access 
control system.   I don't have to show exactly how it's going to get 
hold of that data.  Rather, to show the system is reasonably secure, you 
have to show it's vanishingly unlikely that the reasoner ever could come 
across that data.

>> What you're talking about is whether a machine might be able to 
>> figure out that truth.
> No, I am saying that you determine the truth from the relations that 
> represent the claim.
>> If I have two different WebIDs that denote me, and you grant access 
>> to one of them, it's true a machine might not immediately figure out 
>> that that other one also denotes me and should be granted equal 
>> access.  But if it ever did, it would be correct in doing so. 
> Only if it applied inference and reasoning to specific kinds of 
> relations. It can't just jump to such conclusions. You don't do that 
> in the real-world so what does it somehow have to be the case in the 
> digital realm?

It's not out of the question someone might state the same foaf:homepage 
for both their WebIDs, or any of a variety of other true facts.

If they did that, and it resulted in an access violation, I'd point the 
finger of blame at the design of the system (using WebIDs to denote 
people), not the user who provided that true data.

>> And I'm betting, with machines getting access to more and more data 
>> all the time, and doing more and more reasoning with it, it would 
>> figure that out pretty soon.
> Email Address are ample for reconciling coreferences. Thus, if an 
> email address in the object of an appropriate relation, then 
> coreference can be discerned and applied where relevant etc..
>> It sounds like you're proposing building an authorization 
>> infrastructure that relies on machines not doing exactly what we're 
>> trying to get them to do everywhere else.  Sounds a bit like trying 
>> to hold back a river with your hands.
> Quite the contrary, I am saying there is a method to all of this, in 
> the context of WebID, WebID-Profile, WebID-TLS, and ACLs etc.. This 
> items are loosely coupled and nothing we've discussed so far makes a 
> defensible case for now catapulting a WebID from an HTTP URI that 
> denotes an Agent to one that denotes an Account. We don't have this 
> kind of problem at all.

You keep saying that, but you haven't explained how we can be assured 
that facts stated with regard to one of my WebIDs will never end up 
correctly -- but harmfully -- applied to one of my other WebIDs.

>>>> To avoid that undesired fate, I think you need WebIDs to denote 
>>>> personas.
>>> No, a persona is derived from the claims that coalesce around an 
>>> identifier. A persona is a form of identification. A collection of 
>>> RDF claims give you a persona.
>>>>    As I mentioned, those personas might be software agents, but 
>>>> they are clearly not people.
>>> WebIDs denote Agents. An Agent could be a Person, Organization, or 
>>> Machine (soft or hard). You can make identification oriented claims 
>>> in a Profile Document using RDF based on a WebID.
>> The question is, what kind of triples are being written with WebIDs,
> None.
> A WebID is an HTTP URI that denotes an Agent.
> Basically,
> ## Turtle Start ##
> <#WebID>
> a <#HttpURI> ;
> <#denotes> [ a foaf:Agent ] .
> <#HttpURI>
> a <#Identifier> .
> ## Turtle End ##

Personally I don't find this kind of content useful.  I prefer to keep 
Turtle for showing the actual data that would be in a running system.  
Like the triples which use WebIDs to guide your access control 
system.      If I added the foaf:homepage triples I mentioned, and your 
system did OWL RL (for example) wouldn't it grant access to the wrong 
WebID (in addition to the right one)?

>> and what happens when machines figure out all my WebIDs denote me? 
> Now, we have a WebID-Profile document which describes what a WebID 
> denotes. That document is comprised of claims which may or may no 
> indicate co-reference via owl:sameAs and/or IFP based relations (e.g., 
> foaf:mbox). None of this means a WebID denotes an Account.

I'm not saying it DOES denote an account, just that it SHOULD, in order 
to get the persona-separation that people demand.

It seems clear to me that using WebIDs to denote people is an actively 
dangerous and harmful design.  Either it should be fixed or WebIDs 
should be scrapped.    Or, of course, you can show how I'm wrong.

> The fact that tools can figure out that an IFP based relation with a 
> mailto: scheme URI as it object is a way to triangulate coreference 
> still has no bearing on the case for a WebID denoting an Account.
>> Are you really being careful with every triple you write using WebIDs 
>> to make sure it will still be exactly what you want to say when a 
>> reasoner adds more triples just like it using my other WebIDs?
> Absolutely!!
> Even when dealing with owl:sameAs, we implement a verifier that won't 
> even invoke an reasoning and inference if those statements are signed 
> by the WebID-Profile document author. Or if those claims aren't part 
> of the certificate (e.g., multiple WebIDs in SAN or using the Data 
> extension to embed Turtle Notation based RDF claims in the certificate).
>> It sounds to me like you are not.   It sounds to me like you're just 
>> assuming that certain valid inferences will never be made.
> Of course not, as per comment above.

You're saying the inferences will never be made because the reasoners 
will never get hold of the data that would support the conclusion that 
both my WebIDs denote the same person?   I don't think system should 
ever be built on assumptions like that.  It's not just insecure, but it 
forces us to carefully limit the flow of information between systems 
which trust each other and operate on behalf of the same persona.

>>> We don't have a problem have a problem here at all.
>> I'm suggesting that perhaps you haven't yet noticed the oncoming 
>> train, Inference.
> Believe me, it was my first test :-)


         -- Sandro

> Kingsley
>>      -- Sandro
>>> Kingsley
>>>>      - Sandro
>>>>> When I demonstrate WebIDs across Facebook, LinkedIn Twitter, G+, and
>>>>> many other social media spaces [2][3], I actually refer to the whole
>>>>> things as being about a given persona.  None of that negates the fact
>>>>> that a WebID denotes an Agent.
>>>>> We have to loosely couple:
>>>>> 1. identity
>>>>> 2. identifiers
>>>>> 3. identification
>>>>> 4. identity verification (e.g., when authenticating identification)
>>>>> 5. trust.
>>>>> Claims represented as RDF statements handle 1-5, naturally. We don't
>>>>> have a problem here, really.
>>>>> [1] http://www.merriam-webster.com/dictionary/persona
>>>>> [2] https://twitter.com/kidehen/status/419578364551499776
>>>>> [3] https://plus.google.com/+KingsleyIdehen/posts/1pmt4gWWae2
Received on Monday, 19 May 2014 00:32:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC