
Re: Web Identity specification and Social Web

From: Mark Janssen <dreamingforward@gmail.com>
Date: Fri, 7 Mar 2014 14:05:36 -0600
Message-ID: <CAMjeLr8dJvPF5DpaB=6Qu3m9wixoTc+pPDjWBedtuocOBxBN_w@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-fedsocweb@w3.org" <public-fedsocweb@w3.org>, Web Payments CG <public-webpayments@w3.org>, Henry Story <henry.story@gmail.com>
>> What we need to do is provide something that developers can sink their
>> teeth into, and providing a large array of options from the beginning is
>> a bad way to go. Choice is good, but it can also be crippling. This is
>> one of the biggest problems w/ the Semantic Web; often new entrants are
>> flattened by an ever-increasing snowball of perfectly viable options.
> I think this approach could work in many instances.  But, IMHO, finance is
> just too large to have a definitive solution.  You need building bricks
> that fit together and can be switched in and out based on the use cases.
> By all means publish an *example* solution, for a developer audience, but I
> think it needs to be modular.

Perhaps I'm being too simplistic, but I'm going to brainstorm a moment.

It seems that all you *should* need is something like "throwing" a
64-bit random number, kept on the user's machine and matched or
correlated to an identity image.  64 bits provides so many unique
combinations that the probability of throwing a duplicate to a
different user is very low, and such an id is small and simple enough
to be sent in a single packet (someone can do the math, but a 128-bit
number could be used too).  If a user wants to be "remembered" on a
particular machine, that keyId can be stored on the local drive.  As
long as the user keeps their personal machine secure, it shouldn't be
vulnerable to spoofing.

Following Gravatar's lead, you can use an algorithmic image solution
for correlating that id to another piece of data that the user can
confirm (if people don't want to use a specific, personal image).
Gravatar was brilliant, in that it provides unique graphical
images/ids that take advantage of the human mind's ability to
recognize color and patterns easily.

Taking this further, when a user wants to log in from another, say
public, machine, they wouldn't even have to remember their password,
but just provide their name, and then be presented with a screen full
of images (inserting the user's image at a random location), then the
user merely clicks on the image that matches their own.  No key logger
vulnerability here.

Building on that, an identity score can be built (see TrustCloud.com)
that adds greater levels of information, depending on how much trust
you've managed to earn (phone verification performed, etc.).  These can
be hashed and appended to your 64-bit id, so that it all still fits in
one TCP datagram.  (Not that that's necessarily so important, but it's
more secure the fewer packets that have to be sent, and it makes
identity verification simple and easy.)
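The collision math the message leaves to "someone" carried through, as an added example that is not part of the original thread. It compares the 64-bit and 128-bit ids proposed above using the standard birthday approximation, and also quantifies the separate risk that a random id is a bearer credential that can be hit by guessing; the figure of one billion users is an assumed input, not from the message.

```python
import math
import secrets


def throw_id(id_bits: int = 64) -> int:
    """'Throw' a random id as the message proposes. A CSPRNG is used so the
    value is unpredictable, which the collision math below assumes."""
    return secrets.randbits(id_bits)


def collision_probability(n_users: int, id_bits: int) -> float:
    """Birthday-bound probability that at least two of n_users independent,
    uniform id_bits-bit ids coincide: p ~= 1 - exp(-n(n-1) / 2^(bits+1)).
    expm1 keeps the result accurate when p is astronomically small."""
    space = 2 ** id_bits
    exponent = -(n_users * (n_users - 1)) / (2 * space)
    return -math.expm1(exponent)


def users_for_collision_probability(p: float, id_bits: int) -> float:
    """Inverse of the above: roughly how many users until the chance of any
    duplicate reaches p. n ~= sqrt(2 * 2^bits * ln(1 / (1 - p)))."""
    return math.sqrt(2 * 2 ** id_bits * -math.log1p(-p))


def guess_success_probability(n_users: int, id_bits: int, attempts: int) -> float:
    """A different risk from collisions: the id alone is a bearer credential,
    so a party submitting `attempts` uniformly random ids hits *some* valid
    user with probability 1 - (1 - n/2^bits)^attempts. This is what makes the
    message's 'as long as the user keeps their machine secure' caveat matter:
    the id must never be guessable or leak, since nothing else is checked."""
    per_guess = n_users / 2 ** id_bits
    return -math.expm1(attempts * math.log1p(-per_guess))


if __name__ == "__main__":
    users = 10 ** 9  # assumed population, not a figure from the thread
    print(f"sample 64-bit id: {throw_id():016x}")
    for bits in (64, 128):
        print(f"{bits}-bit ids, {users:,} users: "
              f"P(any duplicate) = {collision_probability(users, bits):.3e}, "
              f"P(1 random guess hits a user) = "
              f"{guess_success_probability(users, bits, 1):.3e}")
    print(f"users for 50% duplicate odds at 64 bits: "
          f"{users_for_collision_probability(0.5, 64):.3e}")
```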

Received on Friday, 7 March 2014 20:06:05 UTC
