Re: Should WebIDs denote people or accounts?

On 19 May 2014 03:21, Andrei Sambra <andrei.sambra@gmail.com> wrote:

> Hi,
>
> On Sun, May 18, 2014 at 8:40 PM, Sandro Hawke <sandro@w3.org> wrote:
>
>> On 05/18/2014 08:17 PM, Kingsley Idehen wrote:
>>
>>> On 5/18/14 4:31 PM, Sandro Hawke wrote:
>>>
>>>> On 05/18/2014 01:59 PM, Nathan Rixham wrote:
>>>>
>>>>> I'd suggest that this is not a technical problem and cannot be
>>>>> addressed this way.
>>>>>
>>>>> When you add reasoners in to the mix they can quickly determine that
>>>>> typographically different (personas/agents/uris) refer to the same thing,
>>>>> whatever approach is used.
>>>>>
>>>>
>>>> Not true.   They might quickly determine that two personas are managed
>>>> by the same person, but that is not the same as determining that the two
>>>> personas are the same thing.
>>>>
>>> Only if you provide the information that makes that feasible.
>>>
>>>
>>>> Computers are perfectly capable of keeping track of my having multiple
>>>> distinct mailing addresses, multiple distinct phone computers, multiple
>>>> distinct phone numbers, etc.   They know they belong to the same person,
>>>> without getting confused and thinking actually each of my mailing addresses
>>>> is the same or each of my android devices is the same.   If they did, I
>>>> couldn't exactly label one as being home and one as being office, or
>>>> install some apps on one android device and not on another.
>>>>
>>>> This is not hard to solve - we just have to be clear that what's being
>>>> authenticated and authorized is a persona/account, not a human.
>>>>
>>>
>>> And why do you believe that:
>>>
>>> 1. WebID isn't clear about being an Identifier that denotes an Agent?
>>>
>>> 2. That WebID-Profile Documents aren't RDF documents that describe the
>>> referents of WebIDs (i.e, they are Identity Cards) ?
>>>
>>> 3. That WebID-TLS isn't about authenticating the claims in the
>>> WebID-Profile document ?
>>>
>>>
>>>> Unfortunately, this doesn't match WebID's self-conception, so far.
>>>>
>>> Only if you are conflating WebID [1], WebID-Profile [2], and WebID-TLS
>>> [3], which is still a general problem we have with the term: WebID.
>>>
>>>
>> I'm fairly confident I know what those terms mean.  I talked to folks
>> coming out of the meeting where WebID-TLS was split from WebID, in Lyon,
>> and got the story at the time.
>>
>>
> >>> WebID is simply an identifier that denotes an Agent. WebID-Profile is a
>>> profile document that describes what a WebID denotes.
>>> WebID-TLS is an authentication protocol that verifies the claims made in
>>> a WebID-Profile document or Identity Card.
>>>
>>> Could it be that you are indicating to the spec editors that some
>>> organizational issues exists re., layout and overall presentation? if
>>> that's your concern, then I can certainly see where you might be coming
>>> from etc..
>>>
>>>
> >> That was my hope when I started this thread, but that hope has died.
>>
> >>> Links:
>>>
> >>> [1] http://www.w3.org/2005/Incubator/webid/spec/identity/#the-webid-http-uri
>>>
>>
>> The diagram is very clear that the WebID denotes the person.
>>
>> You have also been very clear about that in your emails.
>>
>> Since the WebID is also what the user authenticates as, and what
>> authorization is granted to, in the systems I've seen, that means the unit
>> of authentication and authorization is the person.
>>
>> That's not acceptable to me as a user, and I think many other users will
>> also find it unacceptable.
>>
>> I don't see how we can expect to build mass-market systems using WebID
>> until this is changed.
>
>
> I've been thinking about the examples you and Kingsley gave and I'm not
> really seeing a problem anymore. Here are my thoughts:
>
> 1. Current situation: we have WebID, WebID-Profiles and WebID-TLS. WebACL
> uses WebIDs as identifiers for people (personae), not for accounts.
>
> 2. Sandro fears that if a user has two or more WebIDs and if he/she adds
> an owl:sameAs or reuses the same email address, then an authentication
> service may consider those identities to belong to the same person, leading
> to unpredictable results. The issue started from the fact that FOAF defines
> "mbox" as an Inverse Functional Property (Sandro, please correct me if I was
> wrong). The definition given by W3C is: "If the predicate has the
> "InverseFunctionalProperty", then that means that wherever you see the
> (subject) linked to an (object) by this particular (predicate), then the
> (subject) is the one and only (subject) with that (object) connected by the
> (predicate.) If you ever saw some other subject linked to the object by the
> predicate, you'd know that the "other" subject was actually the same
> subject."
>

Sandro's point is not about OWL.  It's that machines can determine
equivalence either through sameAs, IFP, or *out of band*.  And that this
last one is a practical reality that will become more pronounced, going
forward.

It is a valid concern, imho, because it may lead to unexpected or
inconsistent behaviour, a poor UX, or attack vectors.  Welcome to the open
world assumption!

The mbox IFP is an issue.  Just as in WebID+TLS the key as IFP is also a
problem, because it doesn't cater for edge cases of account sharing.


>
> In other words, if a system will follow OWL logic, then it may infer that
> WebID #1 is the same as WebID #2. If you want to separate two identities,
> you don't link them in the first place, but then you can't really stop
> people from reusing email addresses in different WebID-Profile documents.
>
> I have two suggestions at this point:
>
> 1. The first is to specify that WebID-* authentication services should not
> conflate identities unless profiles are linked through owl:sameAs, which is
> a clear indication that identities should be linked.
>
> 2. I personally don't think that using inverse functional properties in
> FOAF was a good idea, so maybe we can also consider defining our own
> WebID-profile vocabulary, though it will limit current interop. On the
> other hand, it would help us clearly define what entities the WebID refers
> to.
>

So, this isn't a technical discussion, but rather, a branding discussion.

We could easily mint a relation which relates an account to other
properties.  Kingsley created YouID as a similar brand that is slightly
less restrictive than WebID.

The question is what the *default* should be.  In fact, the two are not
mutually exclusive.

We're almost going into philosophy.  Are you sure that sandro@home is the
same person as sandro@work?  I wonder what Henry thinks ...


>
> -- Andrei
>
>
>>
>>        -- Sandro
>>
>>
> >>> [2] http://www.w3.org/2005/Incubator/webid/spec/identity/#publishing-the-webid-profile-document
>>> [3] http://www.w3.org/2005/Incubator/webid/spec/tls/
>>>
>>>
>>>>       -- Sandro
>>>>
>>>
>>>
>>>
>>
>>
>

Received on Monday, 19 May 2014 06:22:34 UTC
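The two merge policies discussed in the thread, as an added example that is not part of any message above: an authorization check that treats two WebIDs as the same agent either under OWL semantics (owl:sameAs plus inverse-functional-property inference over foaf:mbox and the certificate key) or, as Andrei suggests, only on an explicit owl:sameAs link. The WebIDs, profile triples and ACL entries are constructed for illustration; the predicate names stand in for the FOAF, cert and OWL terms and no real profile documents are fetched.

```python
"""Added example (not from the thread): how a WebACL-style check behaves when
WebIDs are merged by OWL inverse-functional-property (IFP) reasoning versus
only by explicit owl:sameAs links.  All WebIDs, triples and ACL entries are
constructed for illustration."""

from collections import defaultdict

OWL_SAMEAS = "owl:sameAs"
# FOAF declares foaf:mbox an owl:InverseFunctionalProperty; a WebID-TLS
# verifier that treats the certificate key the same way has the same effect.
IFP_PREDICATES = {"foaf:mbox", "cert:key"}

# Constructed profile triples: (subject, predicate, object).
PROFILE_TRIPLES = [
    ("https://home.example/sandro#me", "foaf:mbox", "mailto:sandro@example.org"),
    # The same person reusing the same mailbox in a second, unlinked profile.
    ("https://work.example/sandro#me", "foaf:mbox", "mailto:sandro@example.org"),
    # A third party republishing that mailbox in their own profile document.
    ("https://other.example/mallory#me", "foaf:mbox", "mailto:sandro@example.org"),
    # Two WebIDs whose owner has deliberately declared them equivalent.
    ("https://old.example/alice#me", OWL_SAMEAS, "https://new.example/alice#me"),
]

# Constructed ACL: resource -> WebIDs granted access.
ACL = {
    "https://home.example/private/": {"https://home.example/sandro#me"},
    "https://new.example/notes/": {"https://new.example/alice#me"},
}


class UnionFind:
    """Disjoint sets over WebIDs; each set is one inferred individual."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def equivalence_classes(triples, policy):
    """Return {webid: frozenset(equivalent webids)} under the given policy.

    "ifp":      owl:sameAs plus IFP inference (two subjects sharing an IFP
                value are the same individual), i.e. what an OWL reasoner does.
    "explicit": owl:sameAs only, the conservative rule proposed in the thread.
    """
    if policy not in ("ifp", "explicit"):
        raise ValueError("unknown policy: %r" % policy)
    uf = UnionFind()
    first_subject = {}  # (predicate, object) -> first subject seen with it
    for s, p, o in triples:
        uf.find(s)
        if p == OWL_SAMEAS:
            uf.union(s, o)
        elif policy == "ifp" and p in IFP_PREDICATES:
            if (p, o) in first_subject:
                uf.union(s, first_subject[(p, o)])
            else:
                first_subject[(p, o)] = s
    groups = defaultdict(set)
    for node in list(uf.parent):
        groups[uf.find(node)].add(node)
    return {n: frozenset(members) for members in groups.values() for n in members}


def authorized(webid, resource, triples, policy, acl=ACL):
    """Grant access if any WebID equivalent to the authenticated one is listed."""
    equivalents = equivalence_classes(triples, policy).get(webid, frozenset({webid}))
    return bool(equivalents & acl.get(resource, set()))


if __name__ == "__main__":
    private = "https://home.example/private/"
    for policy in ("ifp", "explicit"):
        print(policy)
        for who in ("https://home.example/sandro#me",
                    "https://work.example/sandro#me",
                    "https://other.example/mallory#me"):
            print("  %-38s %s" % (who, authorized(who, private, PROFILE_TRIPLES, policy)))
```

Under "ifp" all three profiles sharing the mailbox collapse into one individual, so both Sandro's work WebID and the third-party profile are granted access to the home-only resource; under "explicit" only the listed WebID is, while Alice's deliberately linked pair still merges. The "ifp" branch only models merging that an authorization service performs itself; the thread's further point is that the same conflation can be reached out of band, which no profile-side rule can prevent.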