W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: Should WebIDs denote people or accounts?

From: Sandro Hawke <sandro@w3.org>
Date: Mon, 19 May 2014 08:14:34 -0400
Message-ID: <5379F5AA.6020403@w3.org>
To: Melvin Carvalho <melvincarvalho@gmail.com>, Andrei Sambra <andrei.sambra@gmail.com>
CC: Kingsley Idehen <kidehen@openlinksw.com>, public-webid <public-webid@w3.org>
(replying to messages from myself, Andrei, and Melvin)

On 05/19/2014 02:22 AM, Melvin Carvalho wrote:
>
>
>
> On 19 May 2014 03:21, Andrei Sambra <andrei.sambra@gmail.com 
> <mailto:andrei.sambra@gmail.com>> wrote:
>
>     Hi,
>
>     On Sun, May 18, 2014 at 8:40 PM, Sandro Hawke <sandro@w3.org
>     <mailto:sandro@w3.org>> wrote:
>
>         On 05/18/2014 08:17 PM, Kingsley Idehen wrote:
>
>             On 5/18/14 4:31 PM, Sandro Hawke wrote:
>
>                 On 05/18/2014 01:59 PM, Nathan Rixham wrote:
>
>                     I'd suggest that this is not a technical problem
>                     and cannot be addressed this way.
>
>                     When you add reasoners in to the mix they can
>                     quickly determine that typographically different
>                     (personas/agents/uris) refer to the same thing,
>                     whatever approach is used.
>
>
>                 Not true.   They might quickly determine that two
>                 personas are managed by the same person, but that is
>                 not the same as determining that the two personas are
>                 the same thing.
>
>             Only if you provide the information that makes that feasible.
>
>
>                 Computers are perfectly capable of keeping track of my
>                 having multiple distinct mailing addresses, multiple
>                 distinct phone computers, multiple distinct phone
>                 numbers, etc.   They know they belong to the same
>                 person, without getting confused and thinking actually
>                 each of my mailing addresses is the same or each of my
>                 android devices is the same.   If they did, I couldn't
>                 exactly label one as being home and one as being
>                 office, or install some apps on one android device and
>                 not on another.
>
>                 This is not hard to solve - we just have to be clear
>                 that what's being authenticated and authorized is a
>                 persona/account, not a human.
>
>
>             And why do you believe that:
>
>             1. WebID isn't clear about being an Identifier that
>             denotes an Agent?
>
>             2. That WebID-Profile Documents aren't RDF documents that
>             describe the referents of WebIDs (i.e, they are Identity
>             Cards) ?
>
>             3. That WebID-TLS isn't about authenticating the claims in
>             the WebID-Profile document ?
>
>
>                 Unfortunately, this doesn't match WebID's
>                 self-conception, so far.
>
>             Only if you are conflating WebID [1], WebID-Profile [2],
>             and WebID-TLS [3], which is still a general problem we
>             have with the term: WebID.
>
>
>         I'm fairly confident I know what those terms mean.  I talked
>         to folks coming out of the meeting where WebID-TLS was split
>         from WebID, in Lyon, and got the story at the time.
>
>
>             WebID is simply an identifier that denotes an Agent.
>             WebID-Profile is a profile document that describes what a
>             WebID denotes.
>             WebID-TLS is an authentication protocol that verifies the
>             claims made in a WebID-Profile document or Identity Card.
>
>             Could it be that you are indicating to the spec editors
>             that some organizational issues exists re., layout and
>             overall presentation? if that's your concern, then I can
>             certainly see where you might be coming from etc..
>
>
>         That was my hope when I started this threat, but that hope has
>         died.
>

Heh.  I meant "started this thread", not "started this threat". Of 
course it turned out the thread was something of a threat, alas.

>             Links:
>
>             [1]
>             http://www.w3.org/2005/Incubator/webid/spec/identity/#the-webid-http-uri
>
>
>         The diagram is very clear that the WebID denotes the person.
>
>         You have also been very clear about that in your emails.
>
>         Since the WebID is also what the user authenticates as, and
>         what authorization is granted to, in the systems I've seen,
>         that means the unit of authentication and authorization is the
>         person.
>
>         That's not acceptable to me as a user, and I think many other
>         users will also find it unacceptable.
>
>         I don't see how we can expect to build mass-market systems
>         using WebID until this is changed.
>
>
>     I've been thinking about the examples you and Kingsley gave and
>     I'm not really seeing a problem anymore. Here are my thoughts:
>
>     1. Current situation: we have WebID, WebID-Profiles and WebID-TLS.
>     WebACLs uses WebIDs as identifiers for people (personae), not for
>     accounts.
>

Andrei, you're making me see I jumped to a conclusion about personas.

We started this thread with the distinction between Person and Account, 
and then when TimBL's email about personas was brought in I just assumed 
personas and accounts were the same thing.   But of course they don't 
have to be, and computers treating them as the same thing is a little 
clumsy.   It might be nicer if computers had a separate notion of 
Persona....    Maybe that's that's too complicated, though.

I don't think it works to equate Person=Persona, as you've done above, 
though.  That would mean that a human being could only ever have one 
persona, and the whole point of the persona concept is to allow someone 
to have several of them.

I'll try to just stick with "account".


>     2. Sandro fears that if a user has two or more WebIDs and if
>     he/she adds an owl:sameAs or reuse the same email address, then an
>     authentication service may consider those identities to belong to
>     the same person, leading to unpredictable results. The issue
>     started from the fact that FOAF defines "mbox" as Inverse
>     Functional Property (Sandro, please correct me if I was wrong).
>     The definition given by W3C is: "If the predicate has the
>     "InverseFunctionalProperty", than that means that wherever you see
>     the (subject) linked to an (object) by this particular
>     (predicate), then the (subject) is the one and only (subject) with
>     that (object) connected by the (predicate.) If you ever saw some
>     other subject linked to the object by the predicate, you'd know
>     that the "other" subject was actually the same subject."
>
>
> Sandro's point is not about OWL.  It's that machines can determine 
> equivalence either through sameAs, IFP, or *out of band*.  And that 
> this last one is a practical reality that will become more pronounced, 
> going forward.
>
> It is a valid concern, imho, because it may lead to unexpected or 
> inconsistent behaviour, a poor UX, or attack vectors.  Welcome to the 
> open world assumption!
>

Thanks Melvin.   Yes, exactly.  It's not about OWL, it's about the basic 
semantics of RDF, where IRIs denote things.    If you use two IRIs to 
denote something (like version1-WebIDs [thanks, TimH] denoting a human 
being) then you shouldn't expect systems to separate facts that are 
stated with one from facts that are stated with the other.

> The mbox IFP is an issue.  Just as in WebID+TLS the key as IFP is also 
> a problem, because it doesnt cater for edge cases of account sharing.
>
>
>     In other words, if a system will follow OWL logic, then it may
>     infer that WebID #1 is the same as WebID #2. If you want to
>     separate two identities, you don't link them in the first place,
>     but then you can't really stop people from reusing email addresses
>     in different WebID-Profile documents.
>
>     I have two suggestions at this point:
>
>     1. The first is to specify that WebID-* authentication services
>     should not conflate identities unless profiles are linked through
>     owl:sameAs, which is a clear indication that identities should be
>     linked.
>

I'm afraid that's basically saying WebID authentication systems should 
not follow the RDF Semantics.   In that case, it's probably not a good 
idea to be using RDF syntax.   Also, the RDF Semantics could be pretty 
useful.   We just have to model things very very carefully...

>     2. I personally don't think that using inverse functional
>     properties in FOAF was a good idea, so maybe we can also consider
>     defining our own WebID-profile vocabulary, though it will limit
>     current interop. On the other hand, it would help us clearly
>     define what entities the WebID refers to.
>
>
> So, this isnt a technical discussion, but rather, a branding discussion.
>

I think the key bit is a lot more than branding: in version1 WebID-TLS, 
human users authenticate their web client as operating on behalf of the 
human denoted by a particular WebID.   If I have two WebIDs, since the 
WebIDs both denote me, they are synonyms.   As such, there is no logical 
distinction between them.

So the problem is really one of functionality: version1 WebID does not 
allow a human being to have two logically-distinct identities.

As Andrei and Kingsley have pointed out, they can still be distinct in 
practice, as long as we make sure the computers are prevented from doing 
too much logical reasoning.

I don't think that's a long-term viable approach, however.


> We could easily mint a relation which relates an account to other 
> properties.  Kingsley created YouID as a similar brand that is 
> slightly less restrictive from WebID.
>
> The question is what the *default* should be.  In fact, the two are 
> not mutually exclusive.
>
> We're almost going into philosophy.  Are you sure that sandro@home is 
> the same person as sandro@work?  I wonder what Henry thinks ...

I'm 100% sure it's the same person and 100% sure it's a different 
account.    In my case, I don't really keep the personas particularly 
distinct, although there are a few kinds of interactions I'm very 
careful to do from only one of the accounts, so I guess they are 
different personas.

        -- Sandro


>
>     -- Andrei
>
>
>
>                -- Sandro
>
>
>             [2]
>             http://www.w3.org/2005/Incubator/webid/spec/identity/#publishing-the-webid-profile-document
>
>             [3] http://www.w3.org/2005/Incubator/webid/spec/tls/
>
>
>                       -- Sandro
>
>
>
>
>
>
>
Received on Monday, 19 May 2014 12:14:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC