Re: Strong authentication for PayPal versus WebPayments

Sent from my iPad

> On 13 May 2014, at 3:44 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>> On 2014-05-13 01:09, Timothy Holborn wrote:
>> 
>>> On 13 May 2014, at 8:30 am, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>>> 
>>> On 13 May 2014 00:03, David Nicol <davidnicol@gmail.com> wrote:
>>> 
>>>    On Mon, May 12, 2014 at 12:11 PM, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>> 
>>>        NASCAR isn't necessarily a problem for end-users. This is more of a problem for programmers that have to write code for different authentication protocols. We have to keep these concerns loosely coupled.
>>> 
>>> 
>>> 
>>>    It's easy to imagine an intermediary who vets identity providers and publishes a resource that identity consumers
>>>    reference to easily throw up a block of logos of approved providers. Do such not already exist? Businesswise, there are marketing and business-model problems, but it's a low-hanging fruit. "We address the NASCAR problem so you don't have to" could be the slogan.
>>> 
>>> 
>>> I very much doubt it will go this way.  More likely you'll see certification for a price.  This was attempted to be rolled out with the original Microsoft Passport.  It used to cost (I think) $50,000 to be approved to Passport, and there was a time when I thought that was just the way it was going to be, in fact I considered saving up the money.
>>> 
>> Very early days of web apps...
>> 
>> I imagine some of the "special Id check" systems providers, especially where it's useful to lower fraud related issues...
>> 
>>> Then OpenID came along, and promised more decentralized identity and it resonated with the community.  Tho I suspect the OpenID foundation are probably going to go down the IdP certification route again with tiered pricing, we will see.
>>> 
>>> Centralization in identity is perhaps an undesirable avenue for the web to go down, which is why I like WebID, it's totally decentralized.  I actually think one of the roles of government is to be an IdP, in fact they already offer passports.  They have been historically good in this role, and I hope it becomes a shared benefit of being a citizen, rather than a cost.
>> Hehe.  +1 ; well put.
> 
> 
> Personally (and with 15Y+ experience with government eID programs), I believe this group is widely
> exaggerating governments' interest in the open web as well as the other parties' acceptance of
> government IDs.  The latter may sound strange since we (generally) already do that but there's
> an important limitation: Government IDs have to date only been extensively used by the private
> sector for F2F identification.
> 
I'm not sure it's government's role.  I think civilians' eID requirements need to be governed by government, but supplied via market-based mechanisms.

Security has so many dimensions to it, when designing for resilience against exploitation.

I think memorably, recently, I was reminded of the difference between the rule of law, the rule of man, and the concept of rule by law.

Most contributors live in states that have signed up to UN agreements, notably many human rights conventions, and are democratic states (or otherwise believe in some way, about an individual's merit as a living entity, etc.)

If we're lucky, in future gov. can rely upon both upholding, and trusting ID instruments that have a much greater level of management and accountability by every natural legal entity, no matter what role they may play / be involved with incorporated legal entities.

After all, very difficult to hold a corporation accountable.  Someone did it...

> Regarding OpenID as the foundation for commercial IdPs, I haven't heard about any such program.
> Commercial IdPs currently only work in highly local markets and they all have unique technical
> solutions.  They usually depend on the RP (Relying Party) to pay so their scalability is zero.
> 
> It has BTW turned out to be very hard getting commercial RPs on board.  In the rare case they
> need vetted IDs, they rather issue such on their own (my project FWIW is very much based on
> making this realistic for any organization).
> 
> Going back to the subject line the fact remains:  Centralized services like Amazon, Google,
> Alibaba, Apple, Facebook, PayPal, etc. have [essentially] ALL THE MONEY.
> 

Terrible situation, isn't it?  Well, perhaps more to the point - the amount of barriers put up around potentially very positive innovators.  The bandwidth costs alone of new market entrants often need to be funded by VCs; then, arguably, they're only found in California...

> Advocates for the distributed web have either [close to] NO MONEY and/or are HIGHLY DIVIDED and
> are therefore unable to create the technology which IMO is needed to compete with the former bunch.
> Not even Mozilla ("the peoples' browser") is really interested in challenging the centralized
> vision for the obvious reason that decentralized services are still mainly a pipe dream.
> 

I disagree.  Some of the most powerful organisations in the world use distributed web technologies.  Have done for years.  Just not very accessibly for the masses...

> I'm a true supporter of the distributed web but do not believe it can be successfully built
> on top of a platform which was originally designed to render HTML pages in a distributed
> fashion.  Distributed services need more, in fact, MUCH MORE.
> 
I disagree.

> I have yet to see a structured discussion on requirements. It is more like political statements,
> "minor UI issues that vendors will fix", "linked data addresses NASCAR", "we can use any auth method".
> 
> That standards are about openness and interoperability is a nice theory, IMO it is rather
> another way of screwing the competition (including extending the reach of your services).
> In the eyes of the market Windows is a standard.
> 
> Anders

Perhaps it's the specificity of auth (without consideration for content more broadly) that's unnecessarily narrowing your viewpoint.

Perhaps one of the first examples I can think of relating to this type of change to socio-structures, was the production of the Magna Carta.  The old model didn't work, so they made a new one.  

No point arguing further.  Just gotta find ways of helping with that Magna Carta.

Received on Tuesday, 13 May 2014 07:24:48 UTC