ISSUE-44: beyond \'who\' (some day) (pubic comment) from Web Security Context Issue Tracker on 2007-04-15 (public-wsc-wg@w3.org from April 2007)

From: Web Security Context Issue Tracker <dean+cgi@w3.org>
Date: Sun, 15 Apr 2007 15:01:44 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20070415150144.12E7CBDA8@w3c4.w3.org>

ISSUE-44: beyond 'who' (some day) (pubic comment)

http://www.w3.org/2006/WSC/Group/track/issues/44

Raised by: Bill Doyle
On product: Note: use cases etc.

>From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-
authentication/2007Apr/0000.html


beyond 'who' (some day) 
where it says, in 4.3 Entity identification
Recommending a presentation for these
   designators that helps the user recognize which entity they are
   currently conversing with, and when they are switching to a
   different entity, is a primary concern of this Working Group.
please consider
The likely shape of a better world of trust includes the terms of the 
engagement beyond just 'who.'  Absolutely, the state of what works today is 
limited to "who" am I talking to.
And DNS domains are about as scientific a 'who' as users ever resolve in their 
fuzzy brains, by way of entities that are not human individuals.
On the other hand, there is still a lot of dissatisfaction from consumers 
about organizations taking information disclosed for a finite purpose and 
redistributing it beyond what the user understood as the purpose of that 
disclosure.  So the group should be aware of contemporary work to model trust 
decisions in terms of contextual integrity where the parameteters of a context 
desiring integrity are the defining characteristics of shared tasks as well as 
who is in or out of the circle of the conversation.

please consider
attribute certificates in the picture, eventually (bearer is known to me and 
assertion/attribute is true about said bearer).  User can provide a voucher 
for certified quality, not requiring disclosure of user's identity.
Why? 
The parking meter needs to know you are a qualifying individual to use 
disabled parking spots, but it does not need to know exactly who you are.  
There are, in the best of all possible worlds, many correlates for this in the 
world of B2C transactions.  So while a clear communication of "who is in the 
scene, and who am I conversing with?" is the name of the game for now, the 
total picture in the long term may use attribute certificates as well as 
identity certificates

Received on Sunday, 15 April 2007 15:02:07 UTC