Re: The WebID W3C activity. Re: Domains, Subdomains, Etc.

On 1/7/15 3:20 PM, Anders Rundgren wrote:
> Showdown is quickly approaching :-)
>
> http://lists.w3.org/Archives/Public/public-web-security/2015Jan/0004.html

No showdown, I think point of singularity [1].

[1] https://mikewest.github.io/credentialmanagement/spec/


Kingsley
>
> On 2015-01-07 16:23, Melvin Carvalho wrote:
>>
>>
>> On 6 January 2015 at 21:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>>     Melvin,
>>     I'm 100% into authentication and I have never encountered WebID-TLS in the wild.
>>     That WebID has a value of its own is possible but to me WebID without TLS appears like a car without motor.
>>
>>
>> Yes I understand.  Good analogy with car and motor.  In fact most of 
>> us in the WebID group had the same opinion for the first few years.
>>
>> It was only when we met at TPAC, and timbl helped us, we understood 
>> that identity could stand alone and even that it was useful.
>>
>> If you read the axioms I posed, you may have noticed that the design 
>> of the web was based on modularity.  So as I pointed out there is a team 
>> working on 140+ authentication systems for webid.
>>
>> Why not make it 141?
>>
>> Very often you'll see closed or proprietary systems making the pitch 
>> "you can take our identity system, but only if you use our 
>> authentication system".  It's one way to do it, but it's not how 
>> webid works.  Webid is universal identity, in fact, the only 
>> universal identity system I know of.
>>
>> You may view that you can choose an auth method as a weakness, but 
>> it's allowed facebook to adopt without forcing TLS on them, google 
>> may join too, and those of us that like to run decentralized 
>> identities can use PKI.
>>
>> As Henry said, if you're looking to tightly couple identity and 
>> authentication, this probably isn't the list for you.
>>
>>
>>     Anyway, as Henry said this community and activity has no browser-vendor-support.
>>
>>     Does the W3C really have anything to offer in fields like identity, payments and such?
>>     Currently it seems more like a bunch of disparate, semi-religious "cults" run by people with fairly limited bandwidth.
>>     VISA and all the other biggies fled to FIDO.  There's no chance getting them back using the current strategy.
>>
>>     Anders
>>     On 2015-01-06 19:16, Melvin Carvalho wrote:
>>
>>
>>
>>         On 5 January 2015 at 17:29, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>>              Kingsley,
>>
>>              This discussion isn't going anywhere since You, Henry and a bunch
>>              of other people hanging out in this list insist that TLS CCA works
>>              just fine while Google and hundreds of other big companies are betting
>>              on an entirely different authentication technology (which BTW seems
>>              awfully difficult to merge with WebID).
>>
>>              Dirk Balfanz (inventor of named scheme) on TLS CCA:
>>         http://www.browserauth.net/tls-client-authentication
>>
>>
>>         I must admit I'm a huge fan of WebID + TLS and use it constantly.  However, I understand the TLS part is not for everything.  I think the WebID part is strong enough to stand alone.  Facebook already implement it with their own auth system, (Google have said in the past they wanted to serve FOAF, but haven't yet done it fully) and I know of a team hoping to add 140+ new auth systems to WebID using passport.js
>>
>>         http://passportjs.org/
>>
>>         So while I would encourage you to use webid + tls and make it better, if it's not for you, I don't think anyone will force it upon you.
>>
>>         I'd encourage you to look at the web axioms, in particular, "tolerance", which tries to make the web a platform offering freedom of choice.
>>
>>         http://www.w3.org/DesignIssues/Principles.html
>>
>>
>>              Anders
>>
>>
>>              On 2015-01-05 16:42, Kingsley Idehen wrote:
>>
>>                  On 1/4/15 2:34 PM, Anders Rundgren wrote:
>>
>>                      On 2015-01-04 19:49, Kingsley Idehen wrote:
>>
>>                          On 1/4/15 10:27 AM, Anders Rundgren wrote:
>>
>>                              On 2015-01-04 16:21, Timothy Holborn wrote:
>>
>>                                  Interesting. I found more info [1]
>>
>>                                  Does it support WebID-TLS?
>>
>>
>>                              It is primarily intended to lower the cost (maybe to zero) for getting
>>                              a TLS server-certificate.
>>
>>                              For WebID-TLS there's no hope.  The industry has taken another route.
>>
>>                              Anders
>>
>>
>>                          Happy New Year!
>>
>>                          Again, WebID-TLS and TLS are loosely coupled items. The industry hasn't
>>                          gone anywhere, it is mired in an identity and trust crisis.
>>
>>                          I strongly encourage you to put your personal biases aside. Doing that
>>                          will enable you to understand where WebID-TLS and similar approaches re.
>>                          Blogic (webby logic) fit into the mix re., addressing the identity and
>>                          trust problem that's putting every Web and Internet user's privacy at
>>                          risk etc..
>>
>>
>>                      There are 25M Korean users of X.509 certificates on the web.  How many users
>>                      have WebID-TLS?  100? 1000? 10000?
>>
>>
>>                  What is WebID-TLS to you?
>>                  X.509 != TLS let alone WebID-TLS. X.509 is a standard for creating a
>>                  digital representation of an Identity Card (Certificate).
>>
>>                  There isn't any such notion as "having WebID-TLS", it is simply a protocol
>>                  for verifying claims in a WebID-Profile document that you lookup via a
>>                  WebID placed in an X.509 Certificate.
>>
>>
>>                      What's worse is that the 25M users are being *pushed off the web* since
>>                      plugins are about to be "outlawed".
>>
>>
>>                  X.509 and Browser Plugins are two distinct things. I don't understand why
>>                  you continue to conflate all the puzzle-pieces.
>>
>>                      Sweden, another big user of X.509+Web has
>>                      already left the web (browser) for Android and iPhone app-based
>>                      solutions.
>>
>>
>>                  This isn't about Web Browsers. It is about verifying identity claims
>>                  over HTTP using trust Webs crafted using logic.
>>
>>
>>                      Do you have any solution to this?
>>
>>
>>                  What is the problem?
>>
>>                      Do I?  YES!  W3C must perform market
>>                      research and not only rely on a handful of big-tech technologists who
>>                      mainly run their own agenda.
>>
>>
>>                  The W3C's job is to formalize aspects of Web usage that aren't
>>                  formalized. For instance, RDF is a retrospective formalization of what's
>>                  always been a nascent part of the Web, since inception.
>>
>>                  Kingsley
>>
>>                      Anders
>>
>>
>>                          Let's try to be more constructive in 2015, complaining about everything
>>                          without offering any practical alternatives, gets us nowhere!
>>
>>                          Kingsley
>>
>>
>>
>>                                  [1] https://letsencrypt.org/howitworks/
>>
>>                                  On 4 January 2015 at 22:01, cdr <mail@whats-your.name> wrote:
>>
>>                                         > a financial issue, being the cost of a
>>                                         > domain and wildcard SSL certificate.
>>
>>                                         Let's Encrypt is attempting to address this
>>
>>                                         seth@EFF giving a talk on how it works:
>> https://www.youtube.com/watch?v=OZyXx8Ie4pA&t=17m
>>


-- 
Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this

Received on Wednesday, 7 January 2015 21:21:58 UTC