Re: The WebID W3C activity. Re: Domains, Subdomains, Etc. from Melvin Carvalho on 2015-01-07 (public-webid@w3.org from January 2015)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 7 Jan 2015 16:23:14 +0100
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Kingsley Idehen <kidehen@openlinksw.com>, public-webid <public-webid@w3.org>
Message-ID: <CAKaEYhLm1GE-4QjcxGbPdsBYMvrta0Yavm4BnnQx71CXNum-sQ@mail.gmail.com>
On 6 January 2015 at 21:42, Anders Rundgren <anders.rundgren.net@gmail.com>
wrote:

> Melvin,
> I'm 100% into authentication and I have never encountered WebID-TLS in the
> wild.
> That WebID has a value of its own is possible but to me WebID without TLS
> appears like a car without motor.
>

Yes I understand.  Good analogy with car and motor.  In fact most of us in
the WebID group had the same opinion for the first few years.

It was only when we met at TPAC, and timbl helped us, we understood that
identity could stand alone and even that it was useful.

If you read the axioms I posed, you may have noticed that the design of the
web was based on modularity.  So as I pointed out there a team working on
140+ authentication systems for webid.

Why not make it 141?

Very often you'll see closed or proprietary systems making the pitch "you
can take our identity system, but only if you use our authentication
system".  It's one way to do it, but it's not how webid works.  Webid is
universal identity, in fact, the only universal identity system I know of.

You may view that you can choose an auth method as a weakness, but it's
allowed facebook to adopt without forcing TLS on them, google may join too,
and those of us that like to run decentralized identities can use PKI.

As Henry said, if you're looking to tightly couple identity and
authentication, this probably isnt the list for you.


>
> Anyway, as Henry said this community and activity has no
> browser-vendor-support.
>
> Does the W3C really have anything to offer in fields like identity,
> payments and such?
> Currently it seems more like a bunch of disparate, semi-religious "cults"
> run by people with fairly limited bandwidth.
> VISA and all the other biggies fled to FIDO.  There's no chance getting
> them back using the current strategy.
>
> Anders
> On 2015-01-06 19:16, Melvin Carvalho wrote:
>
>>
>>
>> On 5 January 2015 at 17:29, Anders Rundgren <
>> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>>
>> wrote:
>>
>>     Kingsley,
>>
>>     This discussion isn't going anywhere since You, Henry and a bunch
>>     of other people hangout out in this list insist that TLS CCA works
>>     just fine while Google and hundreds of other big companies are betting
>>     on an entirely different authentication technology (which BTW seems
>>     awfully difficult to merge with WebID).
>>
>>     Dirk Balfanz (inventor of named scheme) on TLS CCA:
>>     http://www.browserauth.net/__tls-client-authentication <
>> http://www.browserauth.net/tls-client-authentication>
>>
>>
>> I must admit I'm a huge fan of WebID + TLS and use it constantly.
>> However, I understand the TLS part is not for everything.  I think the
>> WebID part is strong enough to stand alone.  Facebook already implement it
>> with their own auth system, (Google have said in the past they wanted to
>> serve FOAF, but havent yet done it fully) and I know of a team hoping to
>> add 140+ new auth systems to WebID using passport.js
>>
>> http://passportjs.org/
>>
>> So while I would encourage you to use webid + tls and make it better, if
>> it's not for you, I dont think anyone will force it upon you.
>>
>> I'd encourage you to look at the web axioms, in particular, "tolerance",
>> which tries to make the web a platform offering freedom of choice.
>>
>> http://www.w3.org/DesignIssues/Principles.html
>>
>>
>>     Anders
>>
>>
>>     On 2015-01-05 16:42, Kingsley Idehen wrote:
>>
>>         On 1/4/15 2:34 PM, Anders Rundgren wrote:
>>
>>             On 2015-01-04 19:49, Kingsley Idehen wrote:
>>
>>                 On 1/4/15 10:27 AM, Anders Rundgren wrote:
>>
>>                     On 2015-01-04 16:21, Timothy Holborn wrote:
>>
>>                         Interesting. I found more info [1]
>>
>>                         Does it support WebID-TLS?
>>
>>
>>                     It is primarily intended to lower the cost (maybe to
>> zero) for getting
>>                     a TLS server-certificate.
>>
>>                     For WebID-TLS there's no hope.  The industry have
>> take another route.
>>
>>                     Anders
>>
>>
>>                 Happy New Year!
>>
>>                 Again, WebID-TLS and TLS are loosely coupled items. The
>> industry hasn't
>>                 gone anywhere, it is mired in an identity and trust
>> crisis.
>>
>>                 I strongly encourage you to put your personal biases
>> aside. Doing that
>>                 will enable you understand where WebID-TLS and similar
>> approached re.
>>                 Blogic (webby logic) fit into the mix re., addressing the
>> identity and
>>                 trust problem that's putting every Web and Internet users
>> privacy at
>>                 risk etc..
>>
>>
>>             There are 25M Korean users of X.509 certificates on the web.
>> How many
>>             users
>>             have WebID-TLS?  100? 1000? 10000?
>>
>>
>>         What is WebID-TLS to you?
>>         X.509 != TLS let alone WebID-TLS. X.509  its a standard for
>> creating a
>>         digital representation of an Identity Card (Certificate).
>>
>>         There isn't an such notion as "having WebID-TLS" it is simply a
>> protocol
>>         for verifying claims in a WebID-Profile document that you lookup
>> via a
>>         WebID placed in an X.509 Certificate.
>>
>>
>>             What's worse is that the 25M users are being *pushed off the
>> web* since
>>             plugins are about to be "outlawed".
>>
>>
>>         X.509 and Browser Plugins two distinct things. I don't understand
>> why
>>         you continue to conflate all the puzzle-pieces.
>>
>>             Sweden, another big user of X.509+Web has
>>             already left the web (browser) for Android and iPhone
>> app-based
>>             solutions.
>>
>>
>>         This isn't about Web Browsers. It is about verifying identity
>> claims
>>         over HTTP using trust Webs crafted using logic.
>>
>>
>>             Do you have any solution to this?
>>
>>
>>         What is the problem?
>>
>>             Do I?  YES!  W3C must perform market
>>             research and not only rely on a handful of big-tech
>> technologists who
>>             mainly run their own agenda.
>>
>>
>>         The W3C's job is to formalize aspects of Web usage that aren't
>>         formalized. For instance, RDF is a retrospective formalization of
>> what's
>>         always been a nascent part of the Web, since inception.
>>
>>         Kingsley
>>
>>             Anders
>>
>>
>>                 Let's try to be more constructive in 2015, complaining
>> about everything
>>                 without offering any practical alternatives, gets us
>> nowhere!
>>
>>                 Kingsley
>>
>>
>>
>>                         [1] https://letsencrypt.org/__howitworks/ <
>> https://letsencrypt.org/howitworks/>
>>
>>                         On 4 January 2015 at 22:01, cdr <
>> mail@whats-your.name <mailto:mail@whats-your.name>
>>                         <mailto:mail@whats-your.name <mailto:
>> mail@whats-your.name>>> wrote:
>>
>>                                > a financial issue, being the cost of a
>>                                > domain and wildcard SSL certificate.
>>
>>                                Let's Encrypt is attempting to address this
>>
>>                                seth@EFF giving a talk on how it works:
>>                         https://www.youtube.com/watch?
>> __v=OZyXx8Ie4pA&t=17m <https://www.youtube.com/watch?v=OZyXx8Ie4pA&t=17m>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
Received on Wednesday, 7 January 2015 15:31:36 UTC