
Re: "Web Identity" -> "Web Credentials"

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Thu, 13 Mar 2014 00:25:32 +1100
Message-ID: <CAM1Sok2M9U2qSFLuky09X6op2fAmS2rTDMtRbe13mBECRnCjXw@mail.gmail.com>
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: "public-webpayments@w3.org" <public-webpayments@w3.org>
Cheers...  :)

Yes.  Good day for it...

 Will review again after sleep...

On Thursday, March 13, 2014, Kingsley Idehen <kidehen@openlinksw.com> wrote:

>  On 3/11/14 11:54 PM, Tim Holborn wrote:
>
> Morning / Afternoon All,
>
>  from a lay-person's point of view; it appears there are about 3
> constituents to WebID
>
>  1. An RDF Ontology (currently pointed at a current version of FOAF).
> 2. the use of URIs in the Subject Alternative Name Field (which then
> describes something in some "linked data" compliant manner)
> 3. the x.509 Certificate, and the manner in how it's been deployed.
>
>
> A WebID is just an HTTP scheme based URI that denotes an Agent. That's it.
>
> By using an HTTP URI, this kind of identifier is implicitly endowed with
> the ability to denote a referent and reference a description of the
> aforementioned referent. That's basically the Linked Data aspect.
>
> If an IRI (rather than an HTTP URI) is used to denote an Agent, you end up
> with denotation as the only guaranteed feature. Basically, you have a
> natural language word (only denotes) rather than a term (denotation and
> connotation).
>
>
>  Herein; i share a few frustrations.
>
>  My frustration with the ontological preference and vocab; is that when
> applying identity and use-cases to people and their activities; on Web
> functional concepts,
>
>  1. Describing a Person
> a. I doubt it's secure to describe myself (akin to a passport) in full in
> one FOAF document.
> b. The foaf method doesn't appear to understand 'things' very well; and
> the language of 'agent' is mixed between 'things' and 'legal entities'
> (whether person or incorporated legal entity).
>
>  I have me;  I'm happily doing my thing in an array of different groups.
> Friends, Family, UNI, projects, etc.  I have two Facebook accounts, one
> does activism for social issues; the other is more personal.  I have a
> linkedin account with people i don't want on my Facebook accounts; and i've
> got an array of other web2 accounts (some i use, some - old IM accounts,
> forced upon me in new evolutions or left behind in history, without the
> logs / content).  Most people have probably lost data at some point,
> photos, documents; whether it be due to lightning or lost credentials; the
> issues are similar to those needed for commerce.
>
>
> A WebID enables you (via subject, predicate, object based statements)
> express the fact that its referent is related to:
>
> 1. a LinkedIn account
> 2. a Facebook account
> 3. any other account.
>
> If you want to use terms from the FOAF vocabulary there are specific
> relations for making the associations above. In addition, you are not
> required to have a single profile document, you will ultimately have many,
> so that your personae remain intact. For example, assertions about two
> WebIDs being equivalent (i.e., a co-reference relation that implies they
> have a common referent) can be placed in a document that's protected using
> an ACL which itself takes the form of relations that enable determination
> of what identities have access to this content etc..
>
>
>  Whilst the identity issue has been around for a long time; it seems it's
> still not solved.  the most difficult thing about crypto-currency (for
> example) is the wallet.  It's not like i want to participate in supporting
> another company to act on my behalf (because i'm not able to do it, or not
> entitled to do so); i rather like the ideas of democracy; and the
> socio-philosophical view that things invented by humans are there to support
> humanity, society, environment and the world around us.  So, internet
> identity at some stage needs to be extraordinarily accessible; as much
> of a right for a person, as their ability to participate in civics /
> democracy, even if it's simply walking into a room, declaring their name
> and being afforded the right to vote.
>
>
> If we separate the concerns the problem is solved, in a big way. If we
> continue to conflate concerns, we will continue to hop in and out of silos.
>
>  when things start to get more complicated; I'd like to lower the
> resolution of some results to some groups.
>
>
> Yes, exactly! That's the point I am explaining above in regards to ACL
> which are driven by relation semantics e.g., only members of a specific
> group can access the document where I cross-reference my WebID and my various
> online accounts, for instance.
>
>   If i subscribe to junk mail, or share GPS tagged photos; i might not
> want to tell them my address, just the state or suburb (district?) i live
> in.  I can understand why it's good to have that data available; but not to
> everyone for every situation.
>
>
> Exactly!
>
>   Therein; there's an array of implications surrounding the description
> of a person ("FOAF:PERSON") and my view has been that ideally; there's a
> way to author multiple FOAF files that link via subjects.
>
>
> Yep! And it's called an equivalence relation that's transitive in nature.
> An example that exists today is the <http://www.w3.org/2002/07/owl#sameAs> relation.
>
>
>  an early (and very quick) mock-up
> http://mediaprophet.org/ux_KB/page4115292.html#0 attempted to explore
> this in a functional orientation.
>
>  FOAF from what i can understand was essentially first developed to
> describe a person; but it's branched to be a way to identify an agent, and
> more complex descriptions than what was first envisaged for the ontology,
> many, many years ago...
>
>
> FOAF is just a collection of entity types (classes) and relation types
> (properties) for describing a social network. You can use terms from this
> vocabulary to express entity relationships.
>
>   Other issues with describing people include describing deceased people,
> for heritage applications (for example) and the ontology doesn't appear to
> handle these forms of descriptions of people very well either.  If a foaf
> profile is created for a deceased person - who is authorised to contribute
> to it?  How is that profile enabled to exist; whilst protected from spam?
>
>
> That's no different to what happens to the Web site or specific Web page
> of a deceased person today. It all depends on where the document resides
> and who controls the document publishing infrastructure. None of that has
> anything to do with FOAF.
>
>
>  Then from the description of a person (RDF:function); the next
> constituent, starts to consider that everything on the Web should in theory
> have an identity; this is important for security, as if i lose my phone
> it's probably important to identify that a transaction was made by my phone
> and not by foaf:person.  Made by my phone on behalf of foaf:person makes
> more sense.
>
>
> If denotation is done right, you and your phone will have distinct
> identifiers that denote your distinct identities.
>
>
>  The same concept applies to companies; where directors of a company have
> fiduciary duties to that company, the company is not capable of making its
> own decisions; and workers for that company have an array of expectations
> put upon them at different stages of the day, the role, etc.
>
>
> Same as outlined above.
>
>
>  Tangentially; - linked to similar considerations; if a worker has a work
> laptop or device, and works on family stuff at home - is that foaf profile
> identified as an employee of a company and that profile is bound to a
> device; are they entitled to humanity, and identity independently if they
> use that device externally.  most people obtain mobile phones on
> telecommunications plans / contracts, as one potential example. the other
>  of course relates to the cloud storage hosting provider of the data / data
> service.
>
>
> Your computer, browser etc.. are all foaf:Agents with distinct identity.
> The only issue today is that their identifiers aren't WebIDs. That will
> change, in due course because failure to do so is eternally problematic.
>
>
>  2. Describing a legal entity
> legal entities are people and incorporated legal entities, in the eyes of
> most systems of law.   A person may execute a function on behalf of an
> incorporated legal entity or on behalf of themselves or someone for whom
> they are a carer.
>
>
> See my comments above. Legality is broken if identity is conflated.
>
>
>  In my consideration, linguistically, these "roles" are not = agent.
>
>
> Correct. Agents perform specific functions in relationships via roles.
> Basically, subject, predicate, and object are entity relationship roles.
> The combination of signs (for denotation), syntax (for statement
> construction), and roles (for relation semantics) are what make a language.
>
>  where agent may apply (in sociological / legal terms) are situations
> such as if i have a "role" as a real-estate agent; who has a contract
> (could be an e-contract) to sell that property (a thing) on behalf of
> someone else.  i believe there are implicit differences between the legal
> term 'agent' and the functional use of 'agent' in foaf.
>
>
> Of course. FOAF describes entity types and relation types that can be used
> to construct entity relationships that are represented by statements
> using a variety of RDF notations (or concrete syntaxes).
>
> BTW -- A class delivers the functionality of an adjective. Thus,
> real-estate agent in your example above would be a class.
>
>
>  3. describing things
>
>  We've all got a web of things.  many want to decentralise and improve
> our influence over our own data (whilst seeking to broadly support & abide
> by the rules of our democracies / sovereignty, etc.).  Given we're moving
> towards a world of "linked data", to not acknowledge devices seems
> foolish.
>
>
> Yep! As I said, legality is broken if identity is conflated.
>
>  Web of Trust, Web of Things, Internet of Things = yes, very confusing for
> a layperson at present.
>
>
> Yes, because the AWWW continues to be misunderstood, misapplied, or simply
> overridden for no defensible reason.
>
>  At the end of the day, we'll be centralising info / data, not into a
> 'trustee' or "Social Network Silo" vendor situation (like web2); but rather
> to a place that we believe is safe for us to both retain ownership, privacy
> and other data related considerations; as well as enables us to share with
> more ease, accountably.
>
>
> You will end up with your own personal data space(s). Your presence on the
> Web will ultimately be more like a Halo than a Silo.
>
>
>  Therein; much like we do today; we'll set preferences - Yes, i'm happy
> for RDF:ontology:label to person / ACL Group / et al. - to access x data
> assets from my LinkedData Cloud Storage place somewhere, without my
> explicit human intervention on a request basis.
>
>
> Yep!
>
>
>  In my view; the permissions chain should acknowledge an array of devices
> (authentication chain?); and people's association to those devices.
>
>
> Permission chain is just a collection of entity relationship statements
> where the relations enable reasoning and inference by machines.
>
>  If it's a box at home, it's reasonable to assume the owner of that box
> has more control, than a shared hosting space somewhere in the world. if
> the chain is poorly executed; perhaps the reliability of the profile goes
> down - they're not capable of doing functions that have a requirement of
> high-level LOI [1] / EoI (evidence of identity) requirement; Equally,
> authentication chains might be established involving a multitude of IDs
> (people, companies, things...); or be functional, so a user could set-up some
> puzzle system where they needed to move their head in front of a camera,
> tap their phone with a card, then enter a passcode into a specific machine,
> and say a few magic words, within a pre-defined time-limit on a specified
> IP or subnet; - for example...
>
>
> Yes, and nothing stops you having your master profile document on a device
> that's inaccessible when it's in sleep mode, because in fact, you are in sleep
> mode i.e., off the grid albeit temporarily. We don't need to be "always on"
> especially bearing in mind that it's really unnatural and unhealthy etc..
>
>
>  If i want to set-up some complex auth chain for supporting specific
> functions, i should be able to.
>
>
> Yes, that's just entity relationships and their underlying relation
> semantics, expressed via statements persisted to a document (re.,
> durability and reuse).
>
>  If i was executing an e-contract on something valuable, it would be
> important.  if i'm adding an acquaintance to an address book; well, i'd
> make it easy - press the button on my phone...
>
>
> That's all about the orchestration (control) and presentation (view)
> layers in regards to the MVC pattern, where M is the data (entity
> relationships).
>
>
>  This is not just important for my use specifically; but also in society;
> We'd likely want the trauma unit of a hospital to have access to the info
> they need to heal us; and, sharing digital receipt info to our accountant
> seems practical; but if we change accountants, we'd likely want to revoke
> access.  if a government employee is misappropriating actions that are
> harmful, perhaps we want a lawyer or our local political member of
> parliament to have a look at the data in full, and consider the claims, as
> groups / tagged using metadata perhaps.
>
>
> Yes.
>
>
>  In theory; the difference between a digital key and a house key - is
> that a house key is physically programmed and doesn't support reprogramming
> very well.  We'll still need different keys, but the methods relate to
> identity, which is now described ontologically; and so, underlying all of
> this is seemingly the ontological issues, not particularly about the
> method.  The method of issuing certs bound to an ontology is dependent upon
> the ontology.
>
>
> Yes!
>
>
>  I'd like to see the FOAF ontology improved, rather than replaced.
>  Perhaps this could be done with version control methods....
>
>
> You can make your own ontology, publish it to the Web (if you want it used
> by others), and your part is done. Trying to make a change to FOAF is the
> inertia-laden route. Just make new relations in your own ontology. It
> works!
>
>
>  THE CERT
> the x.509 constituent is only one part of an authentication chain / cycle.
>  To me it issues a certificate to a machine, which then identifies that
> machine as being "RDF Enabled" (or perhaps rather, the browser / IPv4/IPv6
> interfaces).
>
>
> It does more than that. It is an identity card that describes an entity.
> The SubjectAlternativeName (SAN) is a relation that enables one to associate a
> certificate with a WebID (which denotes the certificate's subject).
>
> You can even pack RDF statements into an X.509 certificate, which basically
> also makes those statements signed.
>
>
>  I've got several certs in my system; and honestly, it's annoying.
>
>
> That's a problem delivered to you by browsers and TLS session negotiation.
> This problem will eventually go away.
>
>  I'm the only user on my machine; tried installing a cert at uni - Active
> Directory didn't really play well with the concept. i go to play with a RWW
> server and i've now got several certs to pick from, having to look at the
> URIs to figure out which one matches the location i'm trying to access.
>
>  If a person (user / actor) is known to a machine - that should be easier
> to perform AUTH than someone who is new to a machine.  Importantly, a
> server in effect has a client/server relationship with other servers /
> services / infrastructure of legal entities.
>
>  Whether the URIs listed in the x.509v3 certs are specifically FOAF or
> exclusively FOAF; is another issue again.
>
>
> The URIs in the SAN are not FOAF. They *might* resolve to a document
> comprised of content constructed using terms from FOAF, if they are
>
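An added illustration of the arrangement Kingsley describes above, several profile documents per person with the owl:sameAs co-references kept in ACL-protected documents (example code, not part of the thread; every WebID, account URL and group name here is constructed). A requester only sees as many of the personae, and of their accounts, as the document ACLs let it read.

```python
from collections import deque

OWL_SAMEAS = "http://www.w3.org/2002/07/owl#sameAs"
FOAF_ACCOUNT = "http://xmlns.com/foaf/0.1/account"
# Constructed WebIDs (hypothetical hosts) for one person's three personae.
ME = "https://alice.example/profile#me"
ACTIVIST = "https://activist.example/alice#me"
WORK = "https://corp.example/staff/alice#me"

# Constructed profile documents: name -> (subject, predicate, object) triples;
# the owl:sameAs co-references live only in the protected documents.
DOCS = {
    "public": [(ME, FOAF_ACCOUNT, "https://linkedin.example/in/alice")],
    "family": [(ME, OWL_SAMEAS, ACTIVIST),
               (ACTIVIST, FOAF_ACCOUNT, "https://facebook.example/alice.activist")],
    "work": [(WORK, OWL_SAMEAS, ME),
             (WORK, FOAF_ACCOUNT, "https://corp.example/directory/alice")],
}
# Constructed ACL: document -> WebIDs or groups allowed to read it ("*" = anyone).
ACL = {"public": {"*"}, "family": {ME, "group:family"}, "work": {ME, "group:colleagues"}}
GROUPS = {"group:family": {"https://bob.example/#me"},
          "group:colleagues": {"https://carol.example/#me"}}

def can_read(doc, requester):
    """ACL check: requester is listed directly or is a member of a listed group."""
    allowed = ACL[doc]
    if "*" in allowed or requester in allowed:
        return True
    return any(requester in GROUPS.get(g, set()) for g in allowed)

def visible_triples(requester):
    """Union of the documents this requester is permitted to read."""
    return [t for doc, ts in DOCS.items() if can_read(doc, requester) for t in ts]

def coreferents(triples, webid):
    """Transitive and symmetric closure of owl:sameAs over the given triples."""
    seen, todo = {webid}, deque([webid])
    while todo:
        cur = todo.popleft()
        for s, p, o in triples:
            if p == OWL_SAMEAS and cur in (s, o):
                nxt = o if s == cur else s
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen

def accounts_visible_to(requester, webid=ME):
    """Accounts the requester can tie to `webid` across the personae it may see."""
    triples = visible_triples(requester)
    ids = coreferents(triples, webid)
    return {o for s, p, o in triples if p == FOAF_ACCOUNT and s in ids}
```

A stranger resolves only the public WebID and its one account; a family member can join the activist persona, a colleague the work persona, and only the owner sees all three.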
Received on Wednesday, 12 March 2014 13:26:07 UTC
