W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

RE: Position Paper for W3C Workshop on Identity

From: peter williams <home_pw@msn.com>
Date: Fri, 22 Apr 2011 12:41:49 -0700
Message-ID: <SNT143-ds1505D7984ACD99392E490A92950@phx.gbl>
To: "'WebID XG'" <public-xg-webid@w3.org>

If you read the X.509 standard (it may be time...folks!) you will learn that
there is a parallel structure called the attribute certificate. It has a
different set of issuing dynamics and control system interplays to the cert
you play with in SSL (known as an X.509 identity certificate). It's
hertitage is the Kerberos PAC, which was a refinement of the ECMA PAC from
1984. Arguably, the websso assertion trumps all PACs blog formats, being
little more than a PAC in signed XML - dynamically minted. The SAML
attributeQuery delivering a signed AttributeResponse was intended by SUN
originally to be an endpoint, that fronted a directory call (abstracting the
ldap/OSI stuff behind a web method)

So, yes, today millions/billions of times a day (in windows), client certs
called the COMPUTER$ cert are consumed in DEC/RPC sessions, and the local
directories whose endpoints are learned using Ethernet broadcast discovery
supply attributes (about the workstation PC, itself). With SOAP, one does
the same thing on the web for users (rant alert, mentioned SOAP/RPC), where
the SOAP interceptor makes the directory calls, using some fast protocol
(not ldap!). Or, it pings a foaf card, instead , to the same effect - since
the foaf card is little more than a serialized directory record - an ldif
entry in a new syntax, stuffed on a URI endpoint. To be fair, the foaf card
has more advanced logic than the X.500 information model (but not THAT much,
note, since 1992).

So, It's not right to say there is any "improvement" over X.509 yet, That's
a false claim to make (in an academic conference, anyways). There is an
alternative embodiment (in patent speak, license still required). You don't
get to claim (validly) any originality, though, or improvement over previous
disclosed art. In fact, failure to properly discuss the prior art in webid
land is showing a certain lack of "proper" teaching ability (which is what
patent examiners are really looking for, in non US patents). Folks are not
generally showing the path of innovation - implicitly denying all that went
before, often.

Now, this is good, as it means it's harder for folks to patent
"re-inventions". But, its hard on the ego, as all we are doing is
re-packaging and re-tuning. There is not much science, its mostly
engineering - which is not to say that there should not be Engineering

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Friday, April 22, 2011 11:00 AM
To: WebID XG
Cc: Jeff Sayre; Alexandre Passant
Subject: Re: Position Paper for W3C Workshop on Identity

So one feedback I have had shows that we need to tune a little bit the
understanding of how 
the user can control not just his name but the attributes about him. 

This is in fact another improvement of WebID to X509, and an important one
that explains 
why we can go so much further. In usual usage of X509 certs all the
passed around was in the cert. True it was designed to be a pointer to an
X500 DB, which would
contain the further information (and which could still work that way of

Instead we use Web Based Access control and Hypermedia as the Engine of
Application State [1]. Perhaps that 
is something we can get in there. We can have the profile link to or return
more or less depending on the 
identity of the requestor.

I think that can be tied into the assurance story too.

I'll try to work that story in.


[1] I found this article on the subject but have not yet read it carefully

On 22 Apr 2011, at 12:42, Henry Story wrote:

> From yesterdays comments I have now tweaked the paper to the following
>  http://bblfish.net/tmp/2011/04/22/
> I think we really are there, it reads very well now, is clear, open to new
protocols (ldap included),
> makes friends in the TLS, dane, openid and freedom box community, whilst
also showing
> the government how they can get some of what they want for little cost
> in the government cut back season, when Democratic presidents have to work
with Republicans).
> I'll  start passing this to members of this group who are not
> here so actively, probably due to combined reason of volume of mail  and
> holiday season, to see if we can get some other feedback, some other
points of
> views. 
> We can review some of this on Monday.
> Henry

Social Web Architect
Received on Friday, 22 April 2011 19:42:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC