
Re: Proof of Concept: Identity Credentials Login

From: Pindar Wong <pindar.wong@gmail.com>
Date: Wed, 11 Jun 2014 10:00:30 +0800
Message-ID: <CAM7BtUqE66YbgNZ0M-O6KUGtAXf7E_nE4PiGOqi5iYiyn9kBQg@mail.gmail.com>
To: Tim Holborn <timothy.holborn@gmail.com>
Cc: Dave Longley <dlongley@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>
FWIW, I see potential to reimagine the 'BY' (attribution) in the Creative
Commons Context.

p.



On Wed, Jun 11, 2014 at 9:12 AM, Tim Holborn <timothy.holborn@gmail.com>
wrote:

> So Much Excitement!!!!
>
> Difficult to follow it all up and provide input accordingly.  I’d like to
> see a WebID-TLS styled implementation that does not point at a URI defining
> the ‘person’ but rather one that notates the machine.
>
> Perhaps; shows whether the workstation you're on; has an ‘authorised’ TLS
> (URI enabled) Certificate FOR YOUR IDENTITY…
>
> Perhaps also; a basic example presenting the capacity to attach it to some
> sort of Geolocation[1] mechanism, to that device also.    Personally; I
> think that sort of method needs to be connected to an RDF service that
> lowers the resolution in a user-definable manner (i.e. Australia, VIC,
> Suburb, Street, Point data)… RDF GIS data can be found at
> http://www.freebase.com/
>
> Personal data needs to be stored in personal-dataspaces.  This means
> (IMHO) RWW compatibility.
>
> data.fm / rww.io or alternative. (I like the RWW.io / data.fm format -
> understanding, it needs to be further developed..)
>
> [1] http://www.neustar.biz/services/ip-intelligence
>
>
> On 11 Jun 2014, at 9:21 am, Dave Longley <dlongley@digitalbazaar.com>
> wrote:
>
> On 06/10/2014 02:30 PM, Kingsley Idehen wrote:
>
> On 6/10/14 12:21 PM, Manu Sporny wrote:
>
> On 06/10/2014 08:00 AM, Kingsley Idehen wrote:
>
> Issues with your assertions:
>
> [1] They are too generic -- dependency on Client Certification
> Authentication (CCA) isn't a bad thing bearing in mind only a
> minority of Browsers (circa. 2004) have this problem.
>
>
> The problem is subjective, true. That said, I continue to assert that
> it's a big problem and is the biggest reason WebID+TLS has gone nowhere.
>
>
> Okay, but I am also demonstrating to you that competitive pressures and
> "opportunity costs" are the keys to getting browser vendors to respond.
> Right now we have IE, Firefox, and Safari working fine, which leaves
> Opera and Chrome.
>
> The top browsers across desktop, notebooks, tablets, palmtops, and
> phones don't have a TLS CCA problem.
>
>
> "Working fine" is subjective. I disagree that there isn't a TLS CCA
> problem, but, like Manu, won't argue the point and will wait to see if
> WebID+TLS gains any traction.
>
>
>
> I postulate that it's
> because it's obvious to most UX folks that client-side certificates are
> a dead end wrt. security scalability for the general public.
>
>
> The folks that take that position, as far as I am concerned, suffer from
> the same misconception i.e., that developers know best, that all
> problems are approached from the perspective of the programming code as
> opposed to the underlying logic that enables us to express data in reusable
> form via entity relations.
>
>
> I don't think it has anything to do with programming code or expressing
> data via entity relations. It has to do with the experience of watching
> people use terrible UIs. They don't like them. They aren't likely to use
> them again.
>
> I think that how well a system works underneath a terrible UI is largely
> irrelevant to most people.
>
>
>
>
> I
> understand that you and a number of other WebID+TLS hold the opposite
> position and think things are getting better. Maybe they are.
>
>
> For me, WebID-TLS is an option for authenticating identity claims based on:
>
> 1. HTTP URIs for entity denotation (naming) and connotation (perception)
> 2. RDF statements for structured data representation
> 3. Entity Relation Semantics for understanding how entities are related.
>
>
> I'm just not willing to wait on the browser vendors anymore, and even if
> the usability problem is improved, I still don't think it'll result in a
> solution that's as easy to use as the Identity Credentials stuff.
>
>
> You don't have to wait. All I am saying is that WebID-TLS and whatever
> you choose can and will co-exist. Mutual inclusion works, it's natural to
> the Web i.e., baked into its design.
>
>
> That's certainly true (these techs can coexist).
>
>
>
>
> The Client Certificate Authentication (CCA) Problem Status:
>
> As of the time of writing this reply, the only browsers with this
> problem i.e., an inability to disconnect and start new TLS sessions
> are as follows: Chrome and Opera.
>
>
> That's not the problem. The problem is that a majority of
> non-technologists find the client-side certificate solution to be
> confusing.
>
>
> No they don't, that's a misconception.
>
> YouID was developed to refute that very line of thinking.
>
> Additionally, how do you use client-side certificates from a
> device that you don't own?
>
>
> Excellent question, here's what happens if you are a YouID user:
>
> 1. You open a browser on your borrowed device
> 2. Go to your folder (Google Drive, OneDrive, Dropbox, Box,
> ODS-Briefcase, WebDAV etc.) and open up the pkcs#12 file it created
> 3. Authenticate when challenged by the host in regards to opening the
> secure pkcs#12 file
> 4. Install your credentials.
>
> 1-4 happen using the native UX of any modern OS since they all have
> inbuilt handlers for pkcs#12.
>
>
> I think most people won't want to do what you just described. There's
> nothing for you to argue against here, it's just my totally subjective
> opinion, based entirely on my own intuition. I think going to a folder
> to find a file to install, when you want to login to a website, will be
> too foreign an experience for most people to embrace.
>
> I think there will be a simpler, better alternative and people will
> choose that (eg: "enter a password and click a button to register your
> new/borrowed device"). That alternative will arise because it won't
> depend on browser manufacturers to implement it from the start.
>
>
>
>
> I don't see how Opera and Chrome can continue to be deficient re. CCA
> bearing in mind the current state of implementations from IE,
> Safari, and Firefox.
>
>
> How much longer do you think they will remain deficient (per your own
> definition of that word)? What's your estimate?
>
>
>
> Opera and Chrome are laggards. The problem is identity and privacy,
> Safari, Firefox, and IE are already better. Safari is the default
> browser for Mac OS X and iOS. IE is the default browser for Windows and
> Windows Mobile. What's left re. market share?
>
>
> I thought Android's market share was ~80% (for mobile). That may have
> changed, but I doubt by much. My understanding was also that Chrome had
> the largest browser market share. I haven't checked very thoroughly, but
> some quick googling seemed to suggest that both of these things are
> still true.
>
>
>
> That's broken. What end-users need is the ability to control their
> identity and privacy online via solutions that leverage Web &
> Internet architecture such that the following are loosely coupled (no
> 3rd party .com, .org, .cc etc.. in the way):
>
>
> Sure, agreed. Why do you think the Identity Credentials stuff places a
> 3rd party in the way?
>
>
> I don't see how my credentials end up in a place of my choosing e.g., I
> might want to save those credentials to storage provided by Google
> Drive, Dropbox, OneDrive etc..
>
>
> You can do that. Can you point to the specific parts of the technology
> that you think prohibit you from doing so? I think there's some
> misunderstanding.
>
>
>
>
> You can run your own IdP if you'd like, the code
> is on Github right now and we do plan to release a completely open
> source, public domain implementation of it in time. You don't have to
> use any 3rd party if you don't want to.
>
>
> That's something I (or anyone else) needs to code at a time when we should
> be simply working with puzzle-pieces as you would any jigsaw puzzle.
> Again, HTTP URIs, RDF statements, and Relation Semantics == all you need
> in regards to constructing and using the puzzle-pieces and piecing that
> AWWW facilitates.
>
> under the control of a non-profit like the Electronic Frontier
> Foundation, Creative Commons, or GNU Foundation.
>
>
> That can never be an accepted assurance. Never.
>
>
> What are your specific objections with this approach? I guess what I
> don't understand is that you appear to be quite passionately ("Never.")
> rejecting having a well-known, well-respected non-profit host what
> amounts to a temporary open source shim. Unless I'm mistaken, you
> already use various other more fully-featured identity-related
> technologies (eg: Google+) that you view as less than ideal for one
> reason or another. I'm just saying "Never" should perhaps be "Not for
> too long" or "That isn't much better than what we have now"?
>
>
>
>
> That site will go away
> in time if this stuff is implemented in the browser.
>
>
> How will that be implemented in the browser? On whose timetable, under
> what market (or "opportunity costs") driven duress? Companies ultimately
> only respond to "opportunity costs".
>
>
> In what way would the answers you have for those same questions for
> WebID+TLS be different from the Identity Credentials tech? IMO, people
> would give preference to a browser that shortens and makes more secure
> the login process they use with every website they log into. So long as
> the UX is acceptable.
>
> If the Identity Credentials tech becomes the predominant way you log
> into sites on the Web and it has been standardized by W3C, I would
> expect browser manufacturers to adopt it and build new innovative
> features on top of it. IMO, the (near) ubiquity of any login tech
> strongly influences browser manufacturers to integrate some aspects of
> it into their browsers.
>
> The difference I see between the Identity Credentials tech and WebID+TLS
> is that the former has no clear catch-22. People can adopt it without
> browser support which can lead to adoption by browser manufacturers.
>
> If people's adoption of a tech depends on a browser UX that browser
> manufacturers won't implement because people aren't adopting the tech,
> then that tech is not likely to go far. Again, I know that you don't
> think WebID+TLS has this catch-22. We'll see.
>
>
>
> If not, then an
> independent, trusted organization will be put in charge of it.
>
>
> "Independent trusted organization" is just a phrase comprised of three
> words.
>
>
> Not unlike any other phrase that is also three words long. :)
>
>
> What it actually denotes and connotes is quite nebulous. Trust
> never works that way, it has to be the outcome of some kind of "proof of
> work". That's why crypto is crucial to Trust.
>
>
> The "proof of work" is the past behavior of said organization.
>
>
>
>
> As for the rest of your list, we're aligned. There is very little that
> we're not aligned on. :)
>
>
> Excellent!
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
>
>
>
Received on Wednesday, 11 June 2014 02:00:59 UTC