- From: Tim Holborn <timothy.holborn@gmail.com>
- Date: Wed, 11 Jun 2014 11:12:49 +1000
- To: Dave Longley <dlongley@digitalbazaar.com>
- Cc: Web Payments CG <public-webpayments@w3.org>
- Message-Id: <B5E7A601-7864-4BAD-AA7C-6ABC62B0492A@gmail.com>
So Much Excitement!!!! Difficult to follow it all up and provide input
accordingly.

I’d like to see a WebID-TLS styled implementation that does not point at a
URI defining the ‘person’ but rather one that notates the machine. Perhaps;
shows whether the workstation you’re on; has an ‘authorised’ TLS (URI
enabled) Certificate FOR YOUR IDENTITY…

Perhaps also; a basic example presenting the capacity to attach it to some
sort of Geolocation[1] mechanism, to that device also. Personally; I think
that sort of method needs to be connected to an RDF service that lowers the
resolution in a user-definable manner (i.e. Australia, VIC, Suburb, Street,
Point data)… RDF GIS data can be found at http://www.freebase.com/

Personal data needs to be stored in personal-dataspaces. This means (IMHO)
RWW compatibility. data.fm / rww.io or alternative. (I like the RWW.io /
data.fm format - understanding, it needs to be further developed..)

[1] http://www.neustar.biz/services/ip-intelligence

On 11 Jun 2014, at 9:21 am, Dave Longley <dlongley@digitalbazaar.com> wrote:

> On 06/10/2014 02:30 PM, Kingsley Idehen wrote:
>> On 6/10/14 12:21 PM, Manu Sporny wrote:
>>> On 06/10/2014 08:00 AM, Kingsley Idehen wrote:
>>>> Issues with your assertions:
>>>>
>>>> [1] They are too generic -- dependency of Client Certification
>>>> Authentication (CCA) isn't a bad thing bearing in mind only a
>>>> minority of Browser (circa. 2004) have this problem.
>>>
>>> The problem is subjective, true. That said, I continue to assert that
>>> it's a big problem and is the biggest reason WebID+TLS has gone nowhere.
>>
>> Okay, but I am also demonstrating to you that competitive pressures and
>> "opportunity costs" are the keys to getting browser vendors to respond.
>> Right now we have IE, Firefox, and Safari working fine, which leaves
>> Opera and Chrome.
>>
>> The top browsers across desktop, notebooks, tablets, palmtops, and
>> phones don't have a TLS CCA problem.
>
> "Working fine" is subjective. I disagree that there isn't a TLS CCA
> problem, but, like Manu, won't argue the point and will wait to see if
> WebID+TLS gains any traction.
>
>>> I postulate that it's because it's obvious to most UX folks that
>>> client-side certificates are a dead end wrt. security scalability for
>>> the general public.
>>
>> The folks that take that position, as far as I am concerned, suffer from
>> the same misconception i.e., that developers know best, that all
>> problems are approached from the perspective of the programming code as
>> opposed to the underlying logic that enables us express data in reusable
>> form via entity relations.
>
> I don't think it has anything to do with programming code or expressing
> data via entity relations. It has to do with the experience of watching
> people use terrible UIs. They don't like them. They aren't likely to use
> them again.
>
> I think that how well a system works underneath a terrible UI is largely
> irrelevant to most people.
>
>>> I understand that you and a number of other WebID+TLS hold the opposite
>>> position and think things are getting better. Maybe they are.
>>
>> For me, WebID-TLS is an option for authenticating identity claims based on:
>>
>> 1. HTTP URIs for entity denotation (naming) and connotation (perception)
>> 2. RDF statements for structured data representation
>> 3. Entity Relation Semantics for understanding how entities are related.
>>
>>> I'm just not willing to wait on the browser vendors anymore, and even if
>>> the usability problem is improved, I still don't think it'll result in a
>>> solution that's as easy to use as the Identity Credentials stuff.
>>
>> You don't have to wait. All I am saying is that WebID-TLS and whatever
>> you choose can and will co-exist. Mutual inclusion works, it's natural to
>> the Web i.e., baked into its design.
>
> That's certainly true (these techs can coexist).
>
>>>> The Client Certificate Authentication (CCA) Problem Status:
>>>>
>>>> As of the time of writing this reply, the only browsers with this
>>>> problem i.e, an inability to disconnect and start new TLS sessions
>>>> are as follows: Chrome and Opera.
>>>
>>> That's not the problem. The problem is that a majority of
>>> non-technologists find the client-side certificate solution to be
>>> confusing.
>>
>> No they don't, that's a misconception.
>>
>> YouID was developed to refute that very line of thinking.
>>
>>> Additionally, how do you use client-side certificates from a
>>> device that you don't own?
>>
>> Excellent question, here's what happens if you are a YouID user:
>>
>> 1. You open a browser on your borrowed device
>> 2. Go to your folder (Google Drive, OneDrive, Dropbox, Box.,
>> ODS-Briefcase, WebDAV etc.) and open up the pkcs#12 file it created
>> 3. Authenticate when challenged by the host in regards to opening the
>> secure pkcs#12 file
>> 4. Install your credentials.
>>
>> 1-4 happen using the native UX of any modern OS since they all have
>> inbuilt handlers for pkcs#12.
>
> I think most people won't want to do what you just described. There's
> nothing for you to argue against here, it's just my totally subjective
> opinion, based entirely on my own intuition. I think going to a folder
> to find a file to install, when you want to login to a website, will be
> too foreign an experience for most people to embrace.
>
> I think there will be a simpler, better alternative and people will
> choose that (eg: "enter a password and click a button to register your
> new/borrowed device"). That alternative will arise because it won't
> depend on browser manufacturers to implement it from the start.
>
>>>> I don't see how Opera and Chrome can continue to be deficient re. CCA
>>>> bearing in mind the current state of implementations from IE,
>>>> Safari, and Firefox.
>
> How much longer do you think they will remain deficient (per your own
> definition of that word)? What's your estimate?
>
>> Opera and Chrome are laggards. The problem is identity and privacy,
>> Safari, Firefox, and IE are already better. Safari is the default
>> browser for Mac OS X and iOS. IE is the default browser for Windows and
>> Windows Mobile. What's left re., market share?
>
> I thought Android's market share was ~80% (for mobile). That may have
> changed, but I doubt by much. My understanding was also that Chrome had
> the largest browser market share. I haven't checked very thoroughly, but
> some quick googling seemed to suggest that both of these things are
> still true.
>
>>>> That's broken. What end-users need is the ability to control their
>>>> identity and privacy online via solutions that leverage Web &
>>>> Internet architecture such that the following are loosely coupled (no
>>>> 3rd party .com, .org, .cc etc.. in the way):
>>>
>>> Sure, agreed. Why do you think the Identity Credentials stuff places a
>>> 3rd party in the way?
>>
>> I don't see how my credentials end up in a place of my choosing e.g., I
>> might want to save those credentials to storage provided by Google
>> Drive, Dropbox, OneDrive etc..
>
> You can do that. Can you point to the specific parts of the technology
> that you think prohibit you from doing so? I think there's some
> misunderstanding.
>
>>> You can run your own IdP if you'd like, the code is on Github right
>>> now and we do plan to release a completely open source, public domain
>>> implementation of it in time. You don't have to use any 3rd party if
>>> you don't want to.
>>
>> That's something I (or anyone else) needs to code at a time when we
>> should be simply working with puzzle-pieces as you would any jigsaw
>> puzzle. Again, HTTP URIs, RDF statements, and Relation Semantics == all
>> you need in regards to constructing and using the puzzle-pieces and
>> piecing that AWWW facilitates.
>>
>>> under the control of a non-profit like the Electronic Frontier
>>> Foundation, Creative Commons, or GNU Foundation.
>>
>> That can never be an accepted assurance. Never.
>
> What are your specific objections with this approach? I guess what I
> don't understand is that you appear to be quite passionately ("Never.")
> rejecting having a well-known, well-respected non-profit host what
> amounts to a temporary open source shim. Unless I'm mistaken, you
> already use various other more fully-featured identity-related
> technologies (eg: Google+) that you view as less than ideal for one
> reason or another. I'm just saying "Never" should perhaps be "Not for
> too long" or "That isn't much better than what we have now"?
>
>>> That site will go away in time if this stuff is implemented in the
>>> browser.
>>
>> How will that be implemented in the browser? On whose timetable, under
>> what market (or "opportunity costs") driven duress? Companies ultimately
>> only respond to "opportunity costs".
>
> In what way would the answers you have for those same questions for
> WebID+TLS be different from the Identity Credentials tech? IMO, people
> would give preference to a browser that shortens and makes more secure
> the login process they use with every website they log into. So long as
> the UX is acceptable.
>
> If the Identity Credentials tech becomes the predominant way you log
> into sites on the Web and it has been standardized by W3C, I would
> expect browser manufacturers to adopt it and build new innovative
> features on top of it. IMO, the (near) ubiquity of any login tech
> strongly influences browser manufacturers to integrate some aspects of
> it into their browsers.
>
> The difference I see between the Identity Credentials tech and WebID+TLS
> is that the former has no clear catch-22. People can adopt it without
> browser support which can lead to adoption by browser manufacturers.
>
> If people's adoption of a tech depends on a browser UX that browser
> manufacturers won't implement because people aren't adopting the tech,
> then that tech is not likely to go far. Again, I know that you don't
> think WebID+TLS has this catch-22. We'll see.
>
>>> If not, then an independent, trusted organization will be put in
>>> charge of it.
>>
>> "Independent trusted organization" is just a phrase comprised of three
>> words.
>
> Not unlike any other phrase that is also three words long. :)
>
>> What it actually denotes and connotes is quite nebulous. Trust
>> never works that way, it has to be the outcome of some kind of "proof of
>> work". That's why crypto is crucial to Trust.
>
> The "proof of work" is the past behavior of said organization.
>
>>> As for the rest of your list, we're aligned. There is very little that
>>> we're not aligned on. :)
>
> Excellent!
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
>
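The thread argues about the browser UX of client certificates, but the server-side half of WebID-TLS is small and worth seeing concretely: the relying party reads the URI from the certificate's subjectAltName, dereferences it to a profile document, and accepts the certificate only if the profile publishes the same RSA modulus and exponent that the certificate carries. The Go program below is an added example written for this page; it is not code from any of the posters, YouID, Digital Bazaar or the WebID-TLS specification. It follows the proposal above of a certificate that denotes a machine rather than a person (the URI `https://devices.example/workstation-1#this` is constructed), and it replaces the HTTP dereference with an in-memory `ProfileStore` so it runs offline. `NewClientCert`, `VerifyWebID`, `Profile` and `ProfileStore` are names invented here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Profile is the public key a WebID profile document publishes for one URI
// (the cert:modulus / cert:exponent pair that WebID-TLS compares against).
type Profile struct {
	Modulus  *big.Int
	Exponent int
}

// ProfileStore is a hypothetical in-memory stand-in for dereferencing the
// SAN URI over HTTP and parsing the RDF profile; only the lookup matters here.
type ProfileStore map[string]Profile

// NewClientCert issues a self-signed certificate whose subjectAltName carries
// the given URI and whose extended key usage is clientAuth, i.e. the shape of
// certificate a WebID-TLS client presents in the TLS handshake.
func NewClientCert(key *rsa.PrivateKey, uri string, now time.Time) (*x509.Certificate, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "workstation-1"}, // constructed label
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID performs the WebID-TLS check on a presented client certificate:
// it is accepted only if one of its SAN URIs resolves to a profile whose
// published key equals the key in the certificate. No CA chain is built; in
// WebID-TLS the profile document, not a CA, vouches for the key, so the
// URI alone must never be treated as proof of identity.
func VerifyWebID(cert *x509.Certificate, store ProfileStore, now time.Time) (string, error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate outside its validity period")
	}
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			clientAuth = true
		}
	}
	if !clientAuth {
		return "", errors.New("certificate is not marked for client authentication")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA keys are handled in this example")
	}
	if pub.N.BitLen() < 2048 {
		return "", errors.New("RSA modulus shorter than 2048 bits")
	}
	for _, u := range cert.URIs {
		p, found := store[u.String()]
		if !found {
			continue // unknown URI: a certificate may carry several, keep looking
		}
		if p.Modulus.Cmp(pub.N) == 0 && p.Exponent == pub.E {
			return u.String(), nil
		}
	}
	return "", errors.New("no SAN URI whose profile publishes this certificate's key")
}

func main() {
	const deviceURI = "https://devices.example/workstation-1#this" // constructed
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	cert, err := NewClientCert(key, deviceURI, time.Now())
	if err != nil {
		panic(err)
	}
	store := ProfileStore{deviceURI: {Modulus: key.N, Exponent: key.E}}
	id, err := VerifyWebID(cert, store, time.Now())
	fmt.Println("matched:", id, "err:", err)

	// Same certificate, but the profile now publishes a different key:
	// the check must fail even though the SAN URI is unchanged.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	store[deviceURI] = Profile{Modulus: other.N, Exponent: other.E}
	_, err = VerifyWebID(cert, store, time.Now())
	fmt.Println("after key swap err:", err)
}
```

The second run in `main` is the case a relying party most needs to get right: whoever controls the profile document controls which key is accepted, so the profile fetch must itself be over a channel the server trusts, and a certificate that merely names a URI proves nothing until the key comparison succeeds. A real deployment would replace `ProfileStore` with an HTTP fetch of the URI and an RDF parse, and would decide separately whether a self-signed certificate, as here, is acceptable or whether chaining to a CA is also required.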
Received on Wednesday, 11 June 2014 01:15:18 UTC