- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Mon, 19 May 2014 08:22:04 +0200
- To: Andrei Sambra <andrei.sambra@gmail.com>
- Cc: Sandro Hawke <sandro@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>, public-webid <public-webid@w3.org>
- Message-ID: <CAKaEYh+hyk_ya53-266XZvu=BC176MFAHwQiKLaqYNTTYPyuTA@mail.gmail.com>
On 19 May 2014 03:21, Andrei Sambra <andrei.sambra@gmail.com> wrote: > Hi, > > On Sun, May 18, 2014 at 8:40 PM, Sandro Hawke <sandro@w3.org> wrote: > >> On 05/18/2014 08:17 PM, Kingsley Idehen wrote: >> >>> On 5/18/14 4:31 PM, Sandro Hawke wrote: >>> >>>> On 05/18/2014 01:59 PM, Nathan Rixham wrote: >>>> >>>>> I'd suggest that this is not a technical problem and cannot be >>>>> addressed this way. >>>>> >>>>> When you add reasoners in to the mix they can quickly determine that >>>>> typographically different (personas/agents/uris) refer to the same thing, >>>>> whatever approach is used. >>>>> >>>> >>>> Not true. They might quickly determine that two personas are managed >>>> by the same person, but that is not the same as determining that the two >>>> personas are the same thing. >>>> >>> Only if you provide the information that makes that feasible. >>> >>> >>>> Computers are perfectly capable of keeping track of my having multiple >>>> distinct mailing addresses, multiple distinct phone computers, multiple >>>> distinct phone numbers, etc. They know they belong to the same person, >>>> without getting confused and thinking actually each of my mailing addresses >>>> is the same or each of my android devices is the same. If they did, I >>>> couldn't exactly label one as being home and one as being office, or >>>> install some apps on one android device and not on another. >>>> >>>> This is not hard to solve - we just have to be clear that what's being >>>> authenticated and authorized is a persona/account, not a human. >>>> >>> >>> And why do you believe that: >>> >>> 1. WebID isn't clear about being an Identifier that denotes an Agent? >>> >>> 2. That WebID-Profile Documents aren't RDF documents that describe the >>> referents of WebIDs (i.e, they are Identity Cards) ? >>> >>> 3. That WebID-TLS isn't about authenticating the claims in the >>> WebID-Profile document ? >>> >>> >>>> Unfortunately, this doesn't match WebID's self-conception, so far. >>>> >>> Only if you are conflating WebID [1], WebID-Profile [2], and WebID-TLS >>> [3], which is still a general problem we have with the term: WebID. >>> >>> >> I'm fairly confident I know what those terms mean. I talked to folks >> coming out of the meeting where WebID-TLS was split from WebID, in Lyon, >> and got the story at the time. >> >> >> WebID is simply an identifier that denotes an Agent. WebID-Profile is a >>> profile document that describes what a WebID denotes. >>> WebID-TLS is an authentication protocol that verifies the claims made in >>> a WebID-Profile document or Identity Card. >>> >>> Could it be that you are indicating to the spec editors that some >>> organizational issues exists re., layout and overall presentation? if >>> that's your concern, then I can certainly see where you might be coming >>> from etc.. >>> >>> >> That was my hope when I started this threat, but that hope has died. >> >> Links: >>> >>> [1] http://www.w3.org/2005/Incubator/webid/spec/identity/ >>> #the-webid-http-uri >>> >> >> The diagram is very clear that the WebID denotes the person. >> >> You have also been very clear about that in your emails. >> >> Since the WebID is also what the user authenticates as, and what >> authorization is granted to, in the systems I've seen, that means the unit >> of authentication and authorization is the person. >> >> That's not acceptable to me as a user, and I think many other users will >> also find it unacceptable. >> >> I don't see how we can expect to build mass-market systems using WebID >> until this is changed. > > > I've been thinking about the examples you and Kingsley gave and I'm not > really seeing a problem anymore. Here are my thoughts: > > 1. Current situation: we have WebID, WebID-Profiles and WebID-TLS. WebACLs > uses WebIDs as identifiers for people (personae), not for accounts. > > 2. Sandro fears that if a user has two or more WebIDs and if he/she adds > an owl:sameAs or reuse the same email address, then an authentication > service may consider those identities to belong to the same person, leading > to unpredictable results. The issue started from the fact that FOAF defines > "mbox" as Inverse Functional Property (Sandro, please correct me if I was > wrong). The definition given by W3C is: "If the predicate has the > "InverseFunctionalProperty", than that means that wherever you see the > (subject) linked to an (object) by this particular (predicate), then the > (subject) is the one and only (subject) with that (object) connected by the > (predicate.) If you ever saw some other subject linked to the object by the > predicate, you'd know that the "other" subject was actually the same > subject." > Sandro's point is not about OWL. It's that machines can determine equivalence either through sameAs, IFP, or *out of band*. And that this last one is a practical reality that will become more pronounced, going forward. It is a valid concern, imho, because it may lead to unexpected or inconsistent behaviour, a poor UX, or attack vectors. Welcome to the open world assumption! The mbox IFP is an issue. Just as in WebID+TLS the key as IFP is also a problem, because it doesnt cater for edge cases of account sharing. > > In other words, if a system will follow OWL logic, then it may infer that > WebID #1 is the same as WebID #2. If you want to separate two identities, > you don't link them in the first place, but then you can't really stop > people from reusing email addresses in different WebID-Profile documents. > > I have two suggestions at this point: > > 1. The first is to specify that WebID-* authentication services should not > conflate identities unless profiles are linked through owl:sameAs, which is > a clear indication that identities should be linked. > > 2. I personally don't think that using inverse functional properties in > FOAF was a good idea, so maybe we can also consider defining our own > WebID-profile vocabulary, though it will limit current interop. On the > other hand, it would help us clearly define what entities the WebID refers > to. > So, this isnt a technical discussion, but rather, a branding discussion. We could easily mint a relation which relates an account to other properties. Kingsley created YouID as a similar brand that is slightly less restrictive from WebID. The question is what the *default* should be. In fact, the two are not mutually exclusive. We're almost going into philosophy. Are you sure that sandro@home is the same person as sandro@work? I wonder what Henry thinks ... > > -- Andrei > > >> >> -- Sandro >> >> >> [2] http://www.w3.org/2005/Incubator/webid/spec/identity/ >>> #publishing-the-webid-profile-document >>> [3] http://www.w3.org/2005/Incubator/webid/spec/tls/ >>> >>> >>>> -- Sandro >>>> >>> >>> >>> >> >> >
Received on Monday, 19 May 2014 06:22:34 UTC