W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: accounts, personas and agents - Re: Should WebIDs denote people or accounts?

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Tue, 20 May 2014 11:30:32 +1000
Message-ID: <CAM1Sok0i-wj_8LxfHTFawfJrWVG=N=JwiSCfdZvfxyyesAOu2w@mail.gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
Cc: Sandro Hawke <sandro@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
I suggest the use of a new ontological document / URI; 'WebID ontology'. Or
perhaps development of the existing 'cert ontology spec' [1], given that
any-such WebID ontology would be designed to be associated to a cert.

Agent [2] has a legal definition. When i read the FOAF spec; i see the
benefit of the term; i just worry about the use of it, in this context.

Notoriety often have staff members managing public accounts on their
behalf.  In these instances, they're acting as an agent.  Advisors (legal,
accounting, etc.) and sales people also act as agents.  Perhaps arguably,
people working within the scope of an employment contract are also acting
as an agent; i'm not sure how that works if they're sponsored, rather than
'contracted' (diff. being the concept around restrictions put upon a person
through a contractual legal instrument)

[1] http://www.w3.org/ns/auth/cert#
[2] http://en.wikipedia.org/wiki/Law_of_agency


On 20 May 2014 07:03, henry.story@bblfish.net <henry.story@bblfish.net>wrote:

> Hi Sandro,
>
>    thanks for starting this very interesting debate, and also thanks to
> all for
> the very high level of discussion.  Here are some of my comments after
> reading the thread this morning.
>
> As mentioned a few times in this thread, the definition of a WebID is a
> URI that denotes an Agent, which is very general class of things that can
> act.
>
> Note that
>
>  a- there is nothing to say that an account is not an agent. In the foaf
> ontology
>    foaf:OnlineAccount is not specified as being disjoint from foaf:Agent .
>    What made me think of this is that I have just moved to Paris over the
> weekend, and have had
>    to set up a monthly automatic transfer from my bank account to my
> landlord. So my bank
>    account can do things it seems.
>
> The Term 'Agent' has a legal definition [2], which worries me.


>  b- as mentioned the notion of Persona seems like a subclass of agent (
> persona's can do things ) and
>    yet it is not because the same person has 2 personas that the two
> persona's refer to the same thing.
>    If you allow this there seems to be room for distinctions of the same
> types you want to make without
>    changing the definition of WebID.
>
>    The story of Kal El, who is known on earth as Superman or as Clark
> Kent, is well known, and can be
>    modelled as:
>
>    :kalEl persona fict:superman, fict:clarcKent .
>
>    So if you have your WebIDs identify not foaf:Person's but a Persona
> then it would not follow that
>    because two persona's are embodied by the same person that they are the
> same persona.
>
> I was asked once; are you who you think you are, or who others think you
are.  The sociological point around that is the concept of internal and
external views, or public/private.

IMO, the architecture of the Client TLS identifier may end-up (for some
cases) being a specific machine identifier, that's paired with FOAF,
through a (secured) online account.


>  c- Accounts and Identifiers
>
>    At my French Bank, Credit Agricole, I have a few accounts. A savings
> account, a current account, etc.
>    but I only log in with one identifier. Each of these accounts has
> different properties. One allows me to
>    have money transfered at regular intervals ( the current account ), the
> other does not but has higher
>    returns. So it seems here that the concept of identifier and account
> are distinct. I log in with one identifier,
>    but have many different accounts.
>
>
I think accurately; legally, the accounts do link to the common-concept of
'person'; however rightly, the accounts themselves become instruments; and
a debitor generally can't automatically harvest funds from another account
if they are dissatisfied with the result obtained from the linked account.

NB> Problem about banking concepts is of course KYC / AML related
requirements, of which x509 has a place in the lifecycle, but it does get
complex. WebPayments has an array of requirements around identity: it would
be great if there was a way for the two spec's to become compatible...
Identity is difficult, so having a specialised group to effectively and
specifically cater for these structural needs is beneficial for all..


>  d- capabilities
>
>      Some capabilities at my bank can only be accessed at the cost of an
> extra authentication step. Say I want to
>    add some new person to the list of people I can send money to. There
> the bank requires me to enter
>    a number sent to my cell phone. That is an extra verification step to
> test that I am the owner of the
>    account.
>
> in theory - two x509 certs...?  one labelled 'phone' the other 'i5
machine' (or whatever)?

>
> So having said that if we can agree that a role such as a Persona can help
> solve the problem you mention below,
> then we can think of some of the interesting consequences of it. Perhaps
> we can even add some examples to the spec
> to make this more clear when we have thought up some clear examples of it.
>
>   We do start initially with the WebID refering to a human being. But that
> is because it is the type of
> agent most people understand. Btw. one may want to refer to actors rather
> than agents, but that is yet another
> question....
>
> The term 'actor' seems to be more consistent with other documentation
surrounding similar concepts.

        Henry
>
>
> On 17 May 2014, at 17:57, Sandro Hawke <sandro@w3.org> wrote:
>
> > Summary: Most people will be unwilling to give up the idea of having
> multiple separate accounts.  This calls into question the whole idea of
> WebID.
> >
> > First off, as an aside, hello everyone.   I was in the CG for its first
> few weeks to help get things started, but then left when it looked like
> things were well in hand, and I had many other W3C duties.   Since then,
> nearly all of my Working Groups (SPARQL, RDF, GLD, etc) have wrapped up,
> and I'm mostly doing R&D, working with TimBL and Andrei Sambra.   The work
> we're doing needs something like WebID.
> >
> > That said, I have to raise a difficult issue.   Maybe there's a simple
> solution I'm just missing, but I fear there is not.
> >
> > The examples in the spec, and what I saw from Henry when he first
> presented foaf+ssl, show the WebID denoting a person.   In the examples,
> it's often an instance of foaf:Person, and occurs in triples as the subject
> where the predicate is foaf:name, foaf:knows, etc.  Also in triples as the
> object of foaf:knows.
> >
> > So that means that in RDF, my WebID denotes me.   And if I have three
> different WebIDs, they all denote me.    Anything that's said in RDF using
> one of my WebIDs is equally true to say using any of my other WebIDs, and a
> reasoner might well infer it.   That's how it looks like WebIDs are
> supposed to work.
> >
> > This is in stark contrast to how most online identity systems work. The
> usually model is that a person has an account with a particular service
> provider.   In the old days that might have been a bank, while these days
> it might be some kind of "identity provider" like Google or Facebook.
> There is important flexibility in this model.    I have two Google
> accounts, and my kids have many among themselves, so on the computers
> around the house, there are many possible Google accounts saved as possible
> logins.    Behind the scenes, Google may or may not be correctly inferring
> which humans are attached to each of these accounts, but as long it doesn't
> get wrong which accounts can see adult content, or use my credit card, or
> see/edit particular documents, that's okay. Those important features are
> attached to accounts, not people, in systems today.
> >
> > FOAF makes this distinction quite clear, with classes foaf:Person and
> foaf:OnlineAccount.   FOAF, quite reasonably, puts relationships like
> foaf:name and foaf:knows on foaf:Person.   It's interesting to know my name
> and who I know.   It might also be interesting to see which of my accounts
> are linked with other accounts, I suppose, although that's more complicated.
> >
> > I'm not sure exactly why people might have multiple accounts. Sometimes
> an account is provided by an employer or school and goes along with lots of
> resources, but also includes restrictions on use or limitations on privacy.
>  Sometimes an account is obtained with a particular service provider, and
> then one no longer wants to do business with them. Sometimes security on an
> account is compromised and a backup is needed.   Sometimes one just wants
> to separate parts of life, like work-vs-nonwork.   I've asked a few friends
> if they'd be willing to have exactly one computer account, and gotten an
> emphatic "No!".
> >
> > So the my question might be, can WebID allow that separation?   If
> access control is granted by WebID (as I've always seen it done), and WebID
> denotes a person (as I've always seen it), and the computer figures out
> that multiple WebIDs denote the same person (as it's likely to do
> eventually), then isn't it likely to grant the same access to me no matter
> which of my WebIDs I'm using?   Wouldn't that be the technically correct
> thing for it to do?
> >
> > In summary: WebID is doing something quite radical in the identity space
> by identifying humans instead of accounts.   Are we sure that's a good
> thing?    It seems like in practice, humans interacting with service
> providers want to have multiple distinguishable identities with separate
> authentication.  One might try to clean this up with some kind of
> role-based access control [1], but that might not solve the issue that by
> having WebIDs denote people, they prevent people from authenticating
> differently to get different access/behavior.
> >
> > (It's true some identity providers, like Facebook, forbid a human from
> having multiple accounts.  But I think in response we see humans get their
> additional accounts by using other providers.)
> >
> > The conclusion I'm tentatively coming to is that WebIDs should be 1-1
> associated with accounts, not people.  As such, they'll be associated with
> authentication, authorization, and profiles, as they are now.   But the RDF
> modelling will have to be different, with things like { <webid1> foaf:knows
> <webid2> } being disallowed.
> >
> > If we're going to make a change like that, making the WebID one hop away
> from Person, I'd suggest actually making it denote the account's profile
> page, so that it can be a normal URL, denoting an Information Resource.
> >
> >       -- Sandro
> >
> > [1] http://en.wikipedia.org/wiki/Role-based_access_control
> >
>
> Social Web Architect
> http://bblfish.net/
>
>
>
Received on Tuesday, 20 May 2014 01:31:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC