- From: Mark Janssen <dreamingforward@gmail.com>
- Date: Fri, 7 Mar 2014 14:05:36 -0600
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-fedsocweb@w3.org" <public-fedsocweb@w3.org>, Web Payments CG <public-webpayments@w3.org>, Henry Story <henry.story@gmail.com>
>> What we need to do is provide something that developers can sink their teeth into, and providing a large array of options from the beginning is a bad way to go. Choice is good, but it can also be crippling. This is one of the biggest problems w/ the Semantic Web: often new entrants are flattened by an ever-increasing snowball of perfectly viable options.
>
> I think this approach could work in many instances. But, IMHO, finance is just too large to have a definitive solution. You need building bricks that fit together and can be switched in and out based on the use cases.
>
> By all means publish an *example* solution, for a developer audience, but I think it needs to be modular.

Perhaps I'm being too simplistic, but I'm going to brainstorm a moment.

It seems that all you *should* need is something like "throwing" a 64-bit random number, kept on the user's machine and matched or correlated to an identity image. 64 bits provide so many unique combinations that the probability of throwing a duplicate to a different user is very low, and such an id is small and simple enough to be sent in a single packet (someone can do the math, but a 128-bit number could be used too). If a user wants to be "remembered" on a particular machine, that keyId can be stored on the local drive. As long as the user keeps their personal machine secure, it shouldn't be vulnerable to spoofing.

Following Gravatar's lead, you can use an algorithmic image solution for correlating that id to another piece of data that the user can confirm (if people don't want to use a specific, personal image). Gravatar was brilliant, in that it provides unique graphical images/ids that take advantage of the human mind's ability to recognize color and patterns easily.

Taking this further, when a user wants to log in from another, say public, machine, they wouldn't even have to remember their password, but just provide their name, and then be presented with a screen full of images (inserting the user's image at a random location); then the user merely clicks on the image that matches their own. No key logger vulnerability here.

Building on that, an identity score can be built (see TrustCloud.com) that adds greater levels of information, depending on how much trust you've managed to earn (phone verification performed, etc.). These can be hashed and appended to your 64-bit id, so that it all still fits in one TCP datagram. (Not that that's necessarily so important, but it's more secure the fewer packets that have to be sent, and it makes identity verification simple and easy.)

MarkJ
Received on Friday, 7 March 2014 20:06:05 UTC
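The math the message leaves to "someone" (how likely a random 64-bit or 128-bit id collides with another user's, and how many users a deployment can hold before that becomes likely), worked as an added example in Python; this is not code from the email or any project it mentions, and the function names and the 10^9-user figure are assumptions chosen for illustration.

```python
import math
import secrets


def new_key_id(bits: int = 64) -> int:
    """Draw a fresh random identifier from the OS CSPRNG (the email's "throw")."""
    return secrets.randbits(bits)


def collision_probability(n_users: int, bits: int = 64) -> float:
    """Birthday-bound probability that at least two of n_users independently
    drawn, bits-wide identifiers coincide: 1 - exp(-n(n-1) / 2^(bits+1)).
    expm1 keeps precision when the result is tiny (e.g. 128-bit ids)."""
    space = 2 ** bits
    return -math.expm1(-(n_users * (n_users - 1)) / (2 * space))


def users_for_collision_probability(p: float, bits: int = 64) -> float:
    """Invert the bound: roughly how many users before some pair shares an id
    with probability p. For p = 0.5 this is the classic sqrt(2 * 2^bits * ln 2)."""
    return math.sqrt(-2 * (2 ** bits) * math.log1p(-p))


def guess_probability(attempts: int, bits: int = 64) -> float:
    """Chance that a guesser hits one specific user's id in `attempts` tries;
    relevant if the id alone is ever accepted as proof of identity."""
    return attempts / 2 ** bits


if __name__ == "__main__":
    print("sample id:", hex(new_key_id()))
    for bits in (64, 128):  # the two sizes the email proposes
        print(f"{bits}-bit ids, 1e9 users: P(any duplicate) = "
              f"{collision_probability(10**9, bits):.3g}; "
              f"users at 50% duplicate risk = "
              f"{users_for_collision_probability(0.5, bits):.3g}")
```

With 10^9 users a 64-bit space already carries a few percent chance of some duplicate, while a 128-bit space stays negligible; the guessing figure is per targeted id, independent of how many users exist.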