Re: The Payment Identity Problem from Melvin Carvalho on 2014-07-17 (public-webpayments@w3.org from July 2014)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Thu, 17 Jul 2014 14:20:20 +0200
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments <public-webpayments@w3.org>
Message-ID: <CAKaEYhLWUYA4eCruqtf_VsVcr4ZmgQWaDdJgOwJmJkjSyqXWzA@mail.gmail.com>
On 17 July 2014 05:48, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 06/26/2014 11:55 PM, Melvin Carvalho wrote:
> > Regarding Identity (as opposed to authentication, and user
> > experience)
> >
> > Could you sum up your objections to the WebID spec (and I dont mean
> > WebID+TLS)
> >
> > As far as I can see there are 2 sticking points:
>
> My responses here are with my chair hat off. They're general
> observations over the past 7 years of Linked Data use and adoption
> failures.
>
> > 1. You object to the use of the Term Agent, which is the parent class
> > of Person
>
> The terminology, while important, is of little concern to me. I'm sure
> we can come up with the right terminology once we scope the problem
> correctly.
>
> > 2. You object to mandatory serialization of turtle
>
> Yes, I'd rather mandate a single serialization that has strong adoption
> and that supports graph names. JSON-LD is the only one that fits the
> bill, imho. Alternative serializations like NQuads, TURTLE, etc. are
> just fine. To be clear, my objection to TURTLE has to do with technical
> issues as well as adoption issues. It's not that I don't like TURTLE,
> it's that it isn't technically capable of doing certain things that
> we'll need to do (namely, cleanly signing provenance information).
>
> > Fragmentation will be an influence on whether both efforts succeed or
> > fail.
>
> I have the same concerns.
>
> > Is there anything else that you view as a show stopper.  Is there
> > any room for compromise?
>
> There is certainly always room for compromise. Here's a quick review of
> the spec and my concerns:
>
> http://www.w3.org/2005/Incubator/webid/spec/identity/
>
> * The WebID group's leadership and lack of progress over 7+ years. I
>   personally feel that the groups leadership is out of touch with
>   business requirements for this technology and is not capable of
>   bringing big players to the table. To provide a counter example,
>   we've only been at the Identity Credentials stuff for a little under
>   a year and we already have strong interest and deep contacts in the
>   US Federal Reserve, World Bank, large education companies, the
>   United Nations' Internet Governance area, and a number of other
>   large players in the identity and education ecosystem.
>
> * Dependence on TURTLE and RDFa. I suggest removal of both as
>   requirements, allowing developers to optionally encode information
>   using those technologies. The only MUST should be JSON-LD.
>
> * Reliance on FOAF. Let it die, use schema.org.
>
> * Dependence on hash URIs and 303 redirects. Most developers won't care
>   to understand why 303s exist. Hash URIs, while useful, shouldn't be
>   used in the spec because you have to then get into why you "should"
>   use them in the first place. Applications can reason on whether
>   something is a document or a referral to a concept via other means.
>   Stay away from the HTTP Range stuff, it complicates the solution.
>
> * TimBL fandom. Please take all references to Tim Berners-Lee out of
>   the specification, they're distracting. Use a generic example.
>

I did smile to myself when I went and checked the 'generic example' used in
JSON LD:

Example 1: Sample JSON document
{
  "name": "Manu Sporny",
  "homepage": "http://manu.sporny.org/",
  "image": "http://manu.sporny.org/images/manu.png"
}

:)


>
> * There is no mechanism described that provides a way to express
>   information that has been digitally signed by 3rd parties. This is
>   vital to the Web Payments and High-stakes Credentials use cases.
>   I'm fine if a spec, like Identity Credentials, is layered on top
>   to provide the functionality.
>
> * re: Privacy. The only privacy that the mechanism provides via
>   WebACL is protection from who can read/write the information. There is
>   no pervasive monitoring protection against identity providers.
>   Identity providers can track your every move. To provide real
>   privacy and tracking protection, you need more than just WebACL.
>
> If you strip/change much of the stuff above, you're left with a 1-2 page
> document that doesn't do much other than set the groundwork for the
> really important stuff (setting and getting high-stakes credentials in a
> privacy-protecting / anti-tracking manner). Personally, I'd rather fold
> those 1-2 pages into a more comprehensive specification than require the
> reader to bounce between a 1-2 page document and the spec (Identity
> Credentials) that actually does something useful.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
>
>
Received on Thursday, 17 July 2014 12:20:51 UTC