W3C home > Mailing lists > Public > public-webpayments@w3.org > June 2014

Re: Proof of Concept: Identity Credentials Login

From: Tim Holborn <timothy.holborn@gmail.com>
Date: Tue, 10 Jun 2014 22:05:20 +1000
Cc: Web Payments CG <public-webpayments@w3.org>
Message-Id: <F43C00F7-1EFC-46AD-B31F-9BAB8F2289E3@gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>
I wouldn’t worry about it too much.  I assume you’ve tested the demo?

Looks like a great URI Structure.  Something that could support an x509v3 subjectAltName URI Structure - perhaps denoting the certificate itself, as a credential to a specified machine; with specified preferences, in relation to the root identity; which can likely then also; support FOAF based Persona/Agents…

I was super duper impressed with it.  V.Early days, but shows a great deal of promise IMO.

Timh.
On 10 Jun 2014, at 10:00 pm, Kingsley Idehen <kidehen@openlinksw.com> wrote:

> On 6/10/14 12:25 AM, Manu Sporny wrote:
>> TL;DR: There is now an open source demo of credential-based login
>> for the Web. We think it’s better than Persona, WebID+TLS, and
>> OpenID Connect. If we can build enough support for Identity
>> Credentials over the next year, we’d like to standardize it via
>> the W3C.
>> 
>> This is a text-only version of the original blog post, which can be found here:
>> 
>> http://manu.sporny.org/2014/identity-credentials/
>> 
>> Identity Credentials and Web Login
>> 
>>   In a [1]previous blog post, I outlined the need for a better login
>>   solution for the Web and why Mozilla Persona, WebID+TLS, and
>>   OpenID Connect currently don’t address important use cases that
>>   we’re considering in the Web Payments Community Group. The blog
>>   post contained a proposal for a new login mechanism for the Web
>>   that was simultaneously more decentralized, more extensible,
>>   enabled a level playing field, and was more privacy-aware than the
>>   previously mentioned solutions. 
> Manu,
> 
> I've provided a comment on your blog post. At the same time, my history with Wordpress blogs is that comments are 100% guaranteed to make it to the public, for a variety of reasons. Anyway, since I want to express my opinions on this matter in public, here's a copy of what I pasted to your blog, in regards to your assertions about WebID-TLS:
> 
> The World Wide Web is inherently architected to accommodate multiple ways of providing services driven by Linked Open Data (i.e., open standards based structured data) and HTTP URIs. I don't believe in OpenID vs Persona vs WebID-TLS vs OAuth etc. These authentication protocols can co-exist.
> 
> In regards to WebID-TLS, you make the following assertion that I disagree with:
> WebID+TLS also depends on the use of client-side certificates that are managed by the browser, which are difficult to use for most non-technologists.
> 
> Issues with your assertions:
> 
> [1] They are too generic -- dependency of Client Certification Authentication (CCA) isn't a bad thing bearing in mind only a minority of Browser (circa. 2104) have this problem.
> 
> [2] Too subjective -- "difficult to use for most non-technologists" isn't a defensible position.
> 
> The Client Certificate Authentication (CCA) Problem Status:
> 
> As of the time of writing this reply, the only browsers with this problem i.e, an inability to disconnect and start new TLS sessions are as follows: Chrome and Opera. The aforementioned problem is no longer an issue across Firefox, Safari, and IE.  I can prove this with a simple WebID-TLS authentication service [1].
> 
> I don't see how Opera and Chrome can continue to be deficient re. CCA bearing in mind the current state of implementations from IE, Safari, and Firefox. Thus, I wouldn't count on a fixable problem on the part of browser vendors as the basis for undermining a truly open solution for Identity Claims authentication such as WebID-TLS.
> 
> End-users do not need programmers thinking or speaking for them. That's broken. What end-users need is the ability to control their identity and privacy online via solutions that leverage Web & Internet architecture such that the following are loosely coupled (no 3rd party .com, .org, .cc etc.. in the way):
> 
> 1. Identity - perceived entity (actually nebulous since none of us can accurately claim full perception of the aspects of any entity)
> 
> 2. Identifiers - HTTP URIs that denote Agents (no different to the role of a Passport Number, SSN, Credit Card Number etc..)
> 
> 3. Identity Claims Documents -- Identity Cards or Profile Documents or Certificate (basically what your Passport, Driver's License, Credit Card, Club Membership Card etc.. provide)
> 
> 4. Identity Claims Authentication Protocols -- variety of protocols that verify claims made in Identity Claims Documents
> 
> 5. Protected Resource Access Authorization -- how verified Identities are tested against ACLs (Access Control Lists) or Data Access Policies (this may be Role Based [RBAC] or Attributed Based [ABAC]).
> 
> Links:
> 
> [1] http://id.myopenlink.net/ods/webid_demo.html -- WebID-TLS demo that proves TLS session login and logout can occur without restarting Safari (this is based on a timeout), Firefox (this uses crypto.logout), and IE (this uses the "new session" feature under the standard menu)
> 
> [2] http://csrc.nist.gov/groups/SNS/rbac/ -- Role Based Access Control (RBAC)
> 
> [3] http://csrc.nist.gov/projects/abac/ -- Attribute Based Access Control (ABAC).
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter Profile: https://twitter.com/kidehen
> Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 
> 
> 
> 
> 


Received on Tuesday, 10 June 2014 12:07:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:31 UTC