- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Mon, 19 May 2014 18:07:51 +1000
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Andrei Sambra <andrei.sambra@gmail.com>, Sandro Hawke <sandro@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>, public-webid <public-webid@w3.org>
- Message-ID: <CAM1Sok1S0aGBFA6-67_jM9S-8igF9e66gdDwGMZb8qQ8Ldz6SQ@mail.gmail.com>
On 19 May 2014 16:22, Melvin Carvalho <melvincarvalho@gmail.com> wrote: > > > > On 19 May 2014 03:21, Andrei Sambra <andrei.sambra@gmail.com> wrote: > >> Hi, >> >> On Sun, May 18, 2014 at 8:40 PM, Sandro Hawke <sandro@w3.org> wrote: >> >>> On 05/18/2014 08:17 PM, Kingsley Idehen wrote: >>> >>>> On 5/18/14 4:31 PM, Sandro Hawke wrote: >>>> >>>>> On 05/18/2014 01:59 PM, Nathan Rixham wrote: >>>>> >>>>>> I'd suggest that this is not a technical problem and cannot be >>>>>> addressed this way. >>>>>> >>>>>> When you add reasoners in to the mix they can quickly determine that >>>>>> typographically different (personas/agents/uris) refer to the same thing, >>>>>> whatever approach is used. >>>>>> >>>>> >>>>> Not true. They might quickly determine that two personas are managed >>>>> by the same person, but that is not the same as determining that the two >>>>> personas are the same thing. >>>>> >>>> Only if you provide the information that makes that feasible. >>>> >>>> >>>>> Computers are perfectly capable of keeping track of my having multiple >>>>> distinct mailing addresses, multiple distinct phone computers, multiple >>>>> distinct phone numbers, etc. They know they belong to the same person, >>>>> without getting confused and thinking actually each of my mailing addresses >>>>> is the same or each of my android devices is the same. If they did, I >>>>> couldn't exactly label one as being home and one as being office, or >>>>> install some apps on one android device and not on another. >>>>> >>>>> This is not hard to solve - we just have to be clear that what's being >>>>> authenticated and authorized is a persona/account, not a human. >>>>> >>>> >>>> And why do you believe that: >>>> >>>> 1. WebID isn't clear about being an Identifier that denotes an Agent? >>>> >>>> 2. That WebID-Profile Documents aren't RDF documents that describe the >>>> referents of WebIDs (i.e, they are Identity Cards) ? >>>> >>>> 3. That WebID-TLS isn't about authenticating the claims in the >>>> WebID-Profile document ? >>>> >>>> >>>>> Unfortunately, this doesn't match WebID's self-conception, so far. >>>>> >>>> Only if you are conflating WebID [1], WebID-Profile [2], and WebID-TLS >>>> [3], which is still a general problem we have with the term: WebID. >>>> >>>> >>> I'm fairly confident I know what those terms mean. I talked to folks >>> coming out of the meeting where WebID-TLS was split from WebID, in Lyon, >>> and got the story at the time. >>> >>> >>> WebID is simply an identifier that denotes an Agent. WebID-Profile is a >>>> profile document that describes what a WebID denotes. >>>> WebID-TLS is an authentication protocol that verifies the claims made >>>> in a WebID-Profile document or Identity Card. >>>> >>>> Could it be that you are indicating to the spec editors that some >>>> organizational issues exists re., layout and overall presentation? if >>>> that's your concern, then I can certainly see where you might be coming >>>> from etc.. >>>> >>>> >>> That was my hope when I started this threat, but that hope has died. >>> >>> Links: >>>> >>>> [1] http://www.w3.org/2005/Incubator/webid/spec/identity/ >>>> #the-webid-http-uri >>>> >>> >>> The diagram is very clear that the WebID denotes the person. >>> >>> You have also been very clear about that in your emails. >>> >>> Since the WebID is also what the user authenticates as, and what >>> authorization is granted to, in the systems I've seen, that means the unit >>> of authentication and authorization is the person. >>> >>> That's not acceptable to me as a user, and I think many other users will >>> also find it unacceptable. >>> >>> I don't see how we can expect to build mass-market systems using WebID >>> until this is changed. >> >> >> I've been thinking about the examples you and Kingsley gave and I'm not >> really seeing a problem anymore. Here are my thoughts: >> >> 1. Current situation: we have WebID, WebID-Profiles and WebID-TLS. >> WebACLs uses WebIDs as identifiers for people (personae), not for accounts. >> >> 2. Sandro fears that if a user has two or more WebIDs and if he/she adds >> an owl:sameAs or reuse the same email address, then an authentication >> service may consider those identities to belong to the same person, leading >> to unpredictable results. The issue started from the fact that FOAF defines >> "mbox" as Inverse Functional Property (Sandro, please correct me if I was >> wrong). The definition given by W3C is: "If the predicate has the >> "InverseFunctionalProperty", than that means that wherever you see the >> (subject) linked to an (object) by this particular (predicate), then the >> (subject) is the one and only (subject) with that (object) connected by the >> (predicate.) If you ever saw some other subject linked to the object by the >> predicate, you'd know that the "other" subject was actually the same >> subject." >> > > Sandro's point is not about OWL. It's that machines can determine > equivalence either through sameAs, IFP, or *out of band*. And that this > last one is a practical reality that will become more pronounced, going > forward. > > As long as WAC (Web Access Control) is included in the record for related resources; linking records shouldn't really matter too much. I think i've got the different WebID's all linked-together with SameAs... So; i could have Tim_Home.foaf Tim_family.foaf Tim_Project_W3.FOAF Tim_Project_KB.foaf Tim_PastEmployment.FOAF Tim_Medical.FOAF (foaf used for explanations, obviously not extension used..) and then help manage my communities separately with these different 'root' records. The Medical one, might be provided to people who collaborate on Tim's Health. Home, might have access to the bills - perhaps with others who i share a home with. Project files, might be specified groups relating to the project - even better if there's executed agreements between organisations... > It is a valid concern, imho, because it may lead to unexpected or > inconsistent behaviour, a poor UX, or attack vectors. Welcome to the open > world assumption! > > The mbox IFP is an issue. Just as in WebID+TLS the key as IFP is also a > problem, because it doesnt cater for edge cases of account sharing. > > >> >> In other words, if a system will follow OWL logic, then it may infer that >> WebID #1 is the same as WebID #2. If you want to separate two identities, >> you don't link them in the first place, but then you can't really stop >> people from reusing email addresses in different WebID-Profile documents. >> >> I have two suggestions at this point: >> >> 1. The first is to specify that WebID-* authentication services should >> not conflate identities unless profiles are linked through owl:sameAs, >> which is a clear indication that identities should be linked. >> >> 2. I personally don't think that using inverse functional properties in >> FOAF was a good idea, so maybe we can also consider defining our own >> WebID-profile vocabulary, though it will limit current interop. On the >> other hand, it would help us clearly define what entities the WebID refers >> to. >> > > So, this isnt a technical discussion, but rather, a branding discussion. > > Email currently has SPAM issues (and other usability issues); If a user is managing their own domain name, Existing email systems could be evolved. A server might read a FOAF document, see ACL's relating to <knows> or contact settings and generate an email@address for purpose. Fall-back (backwards compatibility) might be an address that relates to the FOAF document. frontdoor@yougotnofoaf.timsdomain.tld : Equally, could be linkedin@web2gateway.timsdomain.tld which could be set-up with an oAuth trigger perhaps. (could also make some funky v.difficult to remember password) But the 'key', as it seems to me, is that the identity (and related services) are owned and controlled by the person (save exceptional circumstances - ie: lawful intercept). Therein, v.difficult to justify WebID without a LDP / RWW cloud-storage services. Yet; Github has alot of functionality already, as does google drive, but i haven't checked dropbox or owncloud recently... (side-note: anyone considered how to give sites like GitHub / Google Drive a sparql end-point functionality? perhaps some proxy method... with a WebID? dunno) > We could easily mint a relation which relates an account to other > properties. Kingsley created YouID as a similar brand that is slightly > less restrictive from WebID. > > The question is what the *default* should be. In fact, the two are not > mutually exclusive. > > We're almost going into philosophy. Are you sure that sandro@home is the > same person as sandro@work? I wonder what Henry thinks ... > > >> >> -- Andrei >> >> >>> >>> -- Sandro >>> >>> >>> [2] http://www.w3.org/2005/Incubator/webid/spec/identity/ >>>> #publishing-the-webid-profile-document >>>> [3] http://www.w3.org/2005/Incubator/webid/spec/tls/ >>>> >>>> >>>>> -- Sandro >>>>> >>>> >>>> >>>> >>> >>> >> >
Received on Monday, 19 May 2014 08:08:21 UTC