
Re: Proof of Concept: Identity Credentials Login

From: Tim Holborn <timothy.holborn@gmail.com>
Date: Wed, 11 Jun 2014 12:14:54 +1000
Cc: Dave Longley <dlongley@digitalbazaar.com>, Web Payments CG <public-webpayments@w3.org>
Message-Id: <7B71E716-0476-4B2D-8894-8BD20976EC90@gmail.com>
To: Pindar Wong <pindar.wong@gmail.com>

On 11 Jun 2014, at 12:00 pm, Pindar Wong <pindar.wong@gmail.com> wrote:

> FWIW, I see potential to reimagine the 'BY' (attribution) in the Creative Commons Context. 
> 
> p.
> 
+1
Creative Commons in RDF: http://creativecommons.org/ns

Also, if a use-case for the content (that has a Creative Commons license attached) is outside of the Creative Commons license, then perhaps an ‘offer’ mechanism might provide a means to reduce barriers…

> 
> 
> On Wed, Jun 11, 2014 at 9:12 AM, Tim Holborn <timothy.holborn@gmail.com> wrote:
> So Much Excitement!!!! 
> 
> Difficult to follow it all up and provide input accordingly.  I’d like to see a WebID-TLS styled implementation that does not point at a URI defining the ‘person’ but rather one that notates the machine.
> 
> Perhaps it shows whether the workstation you're on has an ‘authorised’ TLS (URI-enabled) certificate FOR YOUR IDENTITY…
> 
> Perhaps also, a basic example presenting the capacity to attach it to some sort of Geolocation[1] mechanism, to that device also. Personally, I think that sort of method needs to be connected to an RDF service that lowers the resolution in a user-definable manner (i.e. Australia, VIC, Suburb, Street, Point data)… RDF GIS data can be found at http://www.freebase.com/
> 
> Personal data needs to be stored in personal-dataspaces.  This means (IMHO) RWW compatibility.  
> 
> data.fm / rww.io or alternative. (i like the RWW.io / data.fm format - understanding, it needs to be further developed..)
> 
> [1] http://www.neustar.biz/services/ip-intelligence
> 
> 
> On 11 Jun 2014, at 9:21 am, Dave Longley <dlongley@digitalbazaar.com> wrote:
> 
>> On 06/10/2014 02:30 PM, Kingsley Idehen wrote:
>>> On 6/10/14 12:21 PM, Manu Sporny wrote:
>>>> On 06/10/2014 08:00 AM, Kingsley Idehen wrote:
>>>>> Issues with your assertions:
>>>>> 
>>>>> [1] They are too generic -- dependency on Client Certificate
>>>>> Authentication (CCA) isn't a bad thing bearing in mind only a
>>>>> minority of Browsers (circa. 2004) have this problem.
>>>> 
>>>> The problem is subjective, true. That said, I continue to assert that
>>>> it's a big problem and is the biggest reason WebID+TLS has gone nowhere.
>>> 
>>> Okay, but I am also demonstrating to you that competitive pressures and
>>> "opportunity costs" are the keys to getting browser vendors to respond.
>>> Right now we have IE, Firefox, and Safari working fine, which leaves
>>> Opera and Chrome.
>>> 
>>> The top browsers across desktop, notebooks, tablets, palmtops, and
>>> phones don't have a TLS CCA problem.
>> 
>> "Working fine" is subjective. I disagree that there isn't a TLS CCA
>> problem, but, like Manu, won't argue the point and will wait to see if
>> WebID+TLS gains any traction.
>> 
>> 
>>> 
>>>> I postulate that it's
>>>> because it's obvious to most UX folks that client-side certificates are
>>>> a dead end wrt. security scalability for the general public. 
>>> 
>>> The folks that take that position, as far as I am concerned, suffer from
>>> the same misconception i.e., that developers know best, that all
>>> problems are approached from the perspective of the programming code as
>>> opposed to the underlying logic that enables us express data in reusable
>>> form via entity relations.
>> 
>> I don't think it has anything to do with programming code or expressing
>> data via entity relations. It has to do with the experience of watching
>> people use terrible UIs. They don't like them. They aren't likely to use
>> them again.
>> 
>> I think that how well a system works underneath a terrible UI is largely
>> irrelevant to most people.
>> 
>> 
>>> 
>>> 
>>>> I
>>>> understand that you and a number of other WebID+TLS hold the opposite
>>>> position and think things are getting better. Maybe they are.
>>> 
>>> For me, WebID-TLS is an option for authenticating identity claims based on:
>>> 
>>> 1. HTTP URIs for entity denotation (naming) and connotation (perception)
>>> 2. RDF statements for structured data representation
>>> 3. Entity Relation Semantics for understanding how entities are related.
>>> 
>>>> 
>>>> I'm just not willing to wait on the browser vendors anymore, and even if
>>>> the usability problem is improved, I still don't think it'll result in a
>>>> solution that's as easy to use as the Identity Credentials stuff.
>>> 
>>> You don't have to wait. All I am saying is that WebID-TLS and whatever
>>> you choose can and will co-exist. Mutual inclusion works, it's natural to
>>> the Web i.e., baked into its design.
>> 
>> That's certainly true (these techs can coexist).
>> 
>> 
>>> 
>>>> 
>>>>> The Client Certificate Authentication (CCA) Problem Status:
>>>>> 
>>>>> As of the time of writing this reply, the only browsers with this
>>>>> problem i.e., an inability to disconnect and start new TLS sessions
>>>>> are as follows: Chrome and Opera.
>>>> 
>>>> That's not the problem. The problem is that a majority of
>>>> non-technologists find the client-side certificate solution to be
>>>> confusing.
>>> 
>>> No they don't, that's a misconception.
>>> 
>>> YouID was developed to refute that very line of thinking.
>>> 
>>>> Additionally, how do you use client-side certificates from a
>>>> device that you don't own?
>>> 
>>> Excellent question, here's what happens if you are a YouID user:
>>> 
>>> 1. You open a browser on your borrowed device
>>> 2. Goto your folder (Google Drive, OneDrive, Dropbox, Box.,
>>> ODS-Briefcase, WebDAV etc.) and open up the pkcs#12 file it created
>>> 3. Authenticate when challenged by the host in regards to opening the
>>> secure pkcs#12 file
>>> 4. Install your credentials.
>>> 
>>> 1-4 happen using the native UX of any modern OS since they all have
>>> inbuilt handlers for pkcs#12.
>> 
>> I think most people won't want to do what you just described. There's
>> nothing for you to argue against here, it's just my totally subjective
>> opinion, based entirely on my own intuition. I think going to a folder
>> to find a file to install, when you want to login to a website, will be
>> too foreign an experience for most people to embrace.
>> 
>> I think there will be a simpler, better alternative and people will
>> choose that (eg: "enter a password and click a button to register your
>> new/borrowed device"). That alternative will arise because it won't
>> depend on browser manufacturers to implement it from the start.
>> 
>> 
>>> 
>>>> 
>>>>> I don't see how Opera and Chrome can continue to be deficient re. CCA
>>>>> bearing in mind the current state of implementations from IE,
>>>>> Safari, and Firefox.
>> 
>> How much longer do you think they will remain deficient (per your own
>> definition of that word)? What's your estimate?
>> 
>> 
>>> 
>>> Opera and Chrome are laggards. The problem is identity and privacy,
>>> Safari, Firefox, and IE are already better. Safari is the default
>>> browser for Mac OS X and iOS. IE is the default browser for Windows and
>>> Windows Mobile. What's left re., market share?
>> 
>> I thought Android's market share was ~80% (for mobile). That may have
>> changed, but I doubt by much. My understanding was also that Chrome had
>> the largest browser market share. I haven't checked very thoroughly, but
>> some quick googling seemed to suggest that both of these things are
>> still true.
>> 
>> 
>>>> 
>>>>> That's broken. What end-users need is the ability to control their
>>>>> identity and privacy online via solutions that leverage Web &
>>>>> Internet architecture such that the following are loosely coupled (no
>>>>> 3rd party .com, .org, .cc etc.. in the way):
>>>> 
>>>> Sure, agreed. Why do you think the Identity Credentials stuff places a
>>>> 3rd party in the way?
>>> 
>>> I don't see how my credentials end up in a place of my choosing e.g., I
>>> might want to save those credentials to storage provided by Google
>>> Drive, Dropbox, OneDrive etc..
>> 
>> You can do that. Can you point to the specific parts of the technology
>> that you think prohibit you from doing so? I think there's some
>> misunderstanding.
>> 
>> 
>>> 
>>> 
>>>> You can run your own IdP if you'd like, the code
>>>> is on Github right now and we do plan to release a completely open
>>>> source, public domain implementation of it in time. You don't have to
>>>> use any 3rd party if you don't want to.
>>> 
>>> That's something I (or anyone else) needs to code at a time when we should
>>> be simply working with puzzle-pieces as you would any jigsaw puzzle.
>>> Again, HTTP URIs, RDF statements, and Relation Semantics == all you need
>>> in regards to constructing and using the puzzle-pieces and piecing that
>>> AWWW facilitates.
>>> 
>>>> under the control of a non-profit like the Electronic Frontier
>>>> Foundation, Creative Commons, or GNU Foundation.
>>> 
>>> That can never be an accepted assurance. Never.
>> 
>> What are your specific objections with this approach? I guess what I
>> don't understand is that you appear to be quite passionately ("Never.")
>> rejecting having a well-known, well-respected non-profit host what
>> amounts to a temporary open source shim. Unless I'm mistaken, you
>> already use various other more fully-featured identity-related
>> technologies (eg: Google+) that you view as less than ideal for one
>> reason or another. I'm just saying "Never" should perhaps be "Not for
>> too long" or "That isn't much better than what we have now"?
>> 
>> 
>>> 
>>> 
>>>> That site will go away
>>>> in time if this stuff is implemented in the browser. 
>>> 
>>> How will that be implemented in the browser? On whose timetable, under
>>> what market (or "opportunity costs") driven duress? Companies ultimately
>>> only respond to "opportunity costs".
>> 
>> In what way would the answers you have for those same questions for
>> WebID+TLS be different from the Identity Credentials tech? IMO, people
>> would give preference to a browser that shortens and makes more secure
>> the login process they use with every website they log into. So long as
>> the UX is acceptable.
>> 
>> If the Identity Credentials tech becomes the predominant way you log
>> into sites on the Web and it has been standardized by W3C, I would
>> expect browser manufacturers to adopt it and build new innovative
>> features on top of it. IMO, the (near) ubiquity of any login tech
>> strongly influences browser manufacturers to integrate some aspects of
>> it into their browsers.
>> 
>> The difference I see between the Identity Credentials tech and WebID+TLS
>> is that the former has no clear catch-22. People can adopt it without
>> browser support which can lead to adoption by browser manufacturers.
>> 
>> If peoples' adoption of a tech depends on a browser UX that browser
>> manufacturers won't implement because people aren't adopting the tech,
>> then that tech is not likely to go far. Again, I know that you don't
>> think WebID+TLS has this catch-22. We'll see.
>> 
>> 
>>> 
>>>> If not, then an
>>>> independent, trusted organization will be put in charge of it.
>>> 
>>> "Independent trusted organization" is just a phrase comprised of three
>>> words.
>> 
>> Not unlike any other phrase that is also three words long. :)
>> 
>> 
>>> What it actually denotes and connotes is quite nebulous. Trust
>>> never works that way, it has to be the outcome of some kind of "proof of
>>> work". That's why crypto is crucial to Trust.
>> 
>> The "proof of work" is the past behavior of said organization.
>> 
>> 
>>> 
>>>> 
>>>> As for the rest of your list, we're aligned. There is very little that
>>>> we're not aligned on. :)
>> 
>> Excellent!
>> 
>> 
>> -- 
>> Dave Longley
>> CTO
>> Digital Bazaar, Inc.
>> 
> 
> 


Received on Wednesday, 11 June 2014 02:17:27 UTC
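The Go program below is an added example, not code from this thread or from any project named in it (YouID, data.fm, rww.io, the Identity Credentials implementation). It shows the check behind the WebID-TLS option Kingsley describes above (an HTTP URI in the certificate, the key published as RDF in the profile document): the server does not validate a CA chain at all; it dereferences the subjectAltName URI and accepts the certificate only if the profile lists that certificate's exact RSA modulus and exponent. The WebID https://example.org/alice/profile#me, the WebIDKey/ProfileStore types and the in-memory lookup are constructed placeholders standing in for the HTTP fetch and RDF parse of a real profile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// WebIDKey is one cert:RSAPublicKey as published in a WebID profile document
// (cert:modulus / cert:exponent). Assumption: the profile has already been
// fetched over HTTP and its RDF parsed; this struct stands in for that result.
type WebIDKey struct {
	Modulus  *big.Int
	Exponent int
}

// ProfileStore maps a WebID URI to the keys its profile lists. In a real
// deployment this lookup is an HTTP GET of the profile document; here it is a
// constructed in-memory stand-in so the example runs offline.
type ProfileStore map[string][]WebIDKey

// MakeWebIDCert builds a self-signed client certificate whose subjectAltName
// carries the WebID URI. No CA is involved: in WebID-TLS the profile document,
// not a CA signature, is what vouches for the key.
func MakeWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "WebID holder"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebIDTLS is the server-side check. The TLS handshake has already proven
// that the client holds the private key for cert.PublicKey; what remains is to
// tie that key to an identity: for each URI in subjectAltName, dereference the
// profile and accept only if it lists this exact modulus and exponent.
// The certificate's signature chain is deliberately not checked.
func VerifyWebIDTLS(cert *x509.Certificate, profiles ProfileStore) (string, error) {
	rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("webid-tls: certificate key is not RSA")
	}
	if len(cert.URIs) == 0 {
		return "", errors.New("webid-tls: no URI in subjectAltName")
	}
	for _, u := range cert.URIs {
		// Only dereferenceable HTTP(S) URIs can name a profile document.
		if u.Scheme != "https" && u.Scheme != "http" {
			continue
		}
		for _, k := range profiles[u.String()] {
			// Compare the full modulus, not a hash or prefix: the profile is the
			// only binding between URI and key, so a loose match would let the
			// holder of a different key claim this URI.
			if k.Exponent == rsaPub.E && k.Modulus.Cmp(rsaPub.N) == 0 {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("webid-tls: no profile key matches certificate key")
}

func main() {
	// Constructed sample identity (placeholder, not a real profile).
	const alice = "https://example.org/alice/profile#me"
	aliceKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	profiles := ProfileStore{alice: {{Modulus: aliceKey.N, Exponent: aliceKey.E}}}

	cert, _ := MakeWebIDCert(alice, aliceKey)
	who, err := VerifyWebIDTLS(cert, profiles)
	fmt.Println("genuine:", who, err)

	// Impostor: a certificate naming Alice's WebID but made with a different key.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := MakeWebIDCert(alice, otherKey)
	_, err = VerifyWebIDTLS(forged, profiles)
	fmt.Println("impostor:", err)
}
```

The impostor case is the reason the whole modulus is compared: anyone can mint a self-signed certificate naming any URI, so the profile lookup, not the certificate's contents, is the trust decision. The same check carries over unchanged to Tim's suggestion above of a certificate that names a machine rather than a person: only the URI, and the profile it resolves to, changes.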
