- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Fri, 5 Feb 2016 09:39:11 -0500
- To: public-webid@w3.org
- Message-ID: <56B4B40F.7030401@openlinksw.com>
On 2/5/16 6:53 AM, Melvin Carvalho wrote:
> On 5 February 2016 at 12:49, Kingsley Idehen <kidehen@openlinksw.com <mailto:kidehen@openlinksw.com>> wrote:
>
>> On 2/5/16 6:07 AM, Melvin Carvalho wrote:
>>
>>> Alice wishes to authenticate on Bob's server.
>>>
>>> 1. Alice sends her User: identity, and (optionally) a path to a "cookie". The cookie is a resource that only Bob's server and Alice have access to. The contents of the resource are a typical cookie with an unguessable string and expiry.
>>> 2. Bob's server compares the string sent from the browser and the string in the file. If they match, access is granted.
>>>
>>> Any comments on this idea?
>>
>> How do Alice and Bob create this cookie?
>
> Alice creates it. Using HTTP PUT of a random string in JavaScript.
>
>> How do they control access to said cookie?
>
> Same way as usual, using WebAccessControl.
>
>> How many cookies come into existence as the contact network membership of both individuals grows?
>
> One per origin, but they can be deleted. Just like your cookies folder in the browser.

How does any of this handle delegated identity where you have Alice, Bob, and others delegating identity of Bot X while retaining resource ACL granularity?

How do Alice and Bob comprehend the notion of a Cookie? At least when dealing with an X.509 Cert there is an "Identity Card" mental cue etc.

For an Identity solution to work, users need to be the ultimate controllers, not some piece of code. Put differently, a discussion about an Identity Protocol shouldn't even have JavaScript or Cookies surface at all. One should be able to say:

1. Get an Identity Card
2. Present said Identity Card when challenged at resource access time
3. Create Attribute-based Access Controls to protect your resources
4. Use relationship type semantics to make your Identity Claims and Access Controls comprehensible to both humans and machines.

I am struggling to see what problem any of this solves, bearing in mind what's possible via:

[1] WebID+TLS
[2] WebID+TLS+Delegation

Individuals don't have a single Identity; they more than likely have different identities for different scenarios, e.g., club membership etc.

-- 
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 5 February 2016 14:39:40 UTC
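The two-step exchange in the quoted proposal (Alice PUTs an unguessable, expiring value to a resource that only she and Bob's server may read; Bob's server fetches it and compares it with what the browser sent), modelled as an added example. This is my code, not code from the thread or from any WebID or WebAccessControl implementation. The identifiers (ALICE, BOB_SERVER, COOKIE_PATH), the in-memory Pod class standing in for Alice's storage and its dict-based ACL, and the check that the cookie path sits at the claimed identity's origin are all assumptions made for the walkthrough; the proposal itself does not state that last check.

```python
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit

# Constructed identifiers for the walkthrough; none of these come from the thread.
ALICE = "https://alice.example/profile#me"                         # Alice's WebID
BOB_SERVER = "https://bob.example/profile#server"                  # agent identity of Bob's server
COOKIE_PATH = "https://alice.example/private/cookies/bob.example"  # "one per origin"


class Pod:
    """Stand-in for Alice's storage with WebAccessControl-style per-resource read ACLs.
    Real WAC is expressed in RDF; a set of allowed readers per path is enough to model
    the "only Bob's server and Alice have access" property the proposal relies on."""

    def __init__(self, owner):
        self.owner = owner
        self.resources = {}   # path -> body
        self.readers = {}     # path -> set of agents granted read

    def put(self, agent, path, body, readers):
        # Only the owner writes; this is what stops a third party planting a cookie.
        if agent != self.owner:
            raise PermissionError(f"{agent} may not write {path}")
        self.resources[path] = body
        self.readers[path] = set(readers) | {self.owner}

    def get(self, agent, path):
        # Unknown paths and unauthorised agents are rejected alike.
        if agent not in self.readers.get(path, set()):
            raise PermissionError(f"{agent} may not read {path}")
        return self.resources[path]


def alice_create_cookie(pod, ttl_seconds=600, now=None):
    """Step 1 (Alice's side): PUT an unguessable value with an expiry, readable only
    by Alice and Bob's server. Returns the value her browser will later present."""
    now = time.time() if now is None else now
    value = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
    body = json.dumps({"value": value, "expires": now + ttl_seconds})
    pod.put(ALICE, COOKIE_PATH, body, readers=[BOB_SERVER])
    return value


def bob_verify(pod, claimed_user, cookie_path, presented, now=None):
    """Step 2 (Bob's side): read the cookie resource as Bob's server and compare it
    with what the browser sent. Returns (granted, reason)."""
    now = time.time() if now is None else now
    # Assumed check, not stated in the proposal: the cookie must live at the origin
    # of the claimed identity, otherwise anyone could point Bob at a resource they own.
    if urlsplit(cookie_path).netloc != urlsplit(claimed_user).netloc:
        return False, "cookie resource is not at the claimed identity's origin"
    try:
        body = pod.get(BOB_SERVER, cookie_path)
    except PermissionError as exc:
        return False, f"cannot read cookie resource: {exc}"
    record = json.loads(body)
    if now >= record["expires"]:
        return False, "cookie expired"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(record["value"].encode(), presented.encode()):
        return False, "cookie mismatch"
    return True, f"access granted to {claimed_user}"


if __name__ == "__main__":
    pod = Pod(ALICE)
    token = alice_create_cookie(pod)
    print(bob_verify(pod, ALICE, COOKIE_PATH, token))                      # granted
    print(bob_verify(pod, ALICE, COOKIE_PATH, secrets.token_urlsafe(32)))  # mismatch
    print(bob_verify(pod, ALICE, "https://mallory.example/c", token))      # wrong origin
```

What the browser sends in step 2 is a bearer secret, so the request still has to travel over TLS; the example only models the ACL as a reader set and does not implement WebAccessControl itself.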