W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: Position Paper for W3C Workshop on Identity

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 23 Apr 2011 16:39:52 +0200
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <109E72B9-E8BC-46B6-8FF7-423C410A9F73@bblfish.net>
To: Stéphane Corlosquet <scorlosquet@gmail.com>

On 23 Apr 2011, at 15:51, Stéphane Corlosquet wrote:

> http://bblfish.net/tmp/2011/04/22/
> [[[
> The user can create and control his own, self sign his certificates,
> and if needed use short lived, throwaway ones.
> ]]]
> control his own what? "The user can create and control his own, self
> signed certificates" maybe?


> [[[
> The selected X509 certificate is sent back
> ]]]
> be more precise than "sent back": i.e. the browser sends the selected
> certificate to the server. The following shows an excerpt of the
> certificate:...


> The indentation of the last 2 lines looks odd, they should be indented
> further right than the line above them:
> X509v3 extensions:
> X509v3 Subject Alternative Name:
>             URI:https://bob.net/id/bob

that's a problem when saving to html. We need to rectify that on the last published 

> Do you mean to have a yellow background? a box around it would
> probably look better.

That's difficult to do in Google Docs. It's perhaps time to move away from that.

> Make sure you're using the same WebID for Bob, the certificate
> specifies https://bob.net/id/bob and further in 6. you use
> https://bob.net/id/bob#me

well spotted.

> The point 7. is beyond the WebID authentication realm but that's good
> to give an idea of the type of things you can do once you have a
> WebID. I wonder if this could be made optional though, as otherwise it
> might make the reader think that WebID requires to have a whole FOAF
> network - quite the opposite, you can start using WebID with just one
> WebID URI and a public key in your profile document (as simple as
> that).

I think we need to develop this somehow in a recursive manner. People are
always stumped by this, usually because they have not deployed their own 
foaf file. It seems like magic.

> [[[
> Passwords are difficult to remember or they are bad
> ]]]
> what do you mean by passwords being bad? because they are made too
> weak to be easier to remember? or are you criticizing the whole
> concept of using passwords?

I mean they are difficult to remember or they are bad passwords because they 
will be weak.

> [[[
> as shipped in current browser
> ]]]
> s/browser/browsers

> [[[
> solving the trust problem - the biggest issue of WebID
> ]]]
> The biggest issue of WebID is the trust problem? you probably mean
> that the biggest issue WebID solves is the trust problem?

Probably what I want to say is too difficult to say, and not worth it.
But in short: When people think of OpenId trust they put all the weight 
on the IDP. Big IDPs somehow feel more trustworthy (the advertising effect)
small ones sound suspicious.  OpenID could use the the web of trust the same
way WebID can by using links to the OpenID home page, but that is apparently
what people have been moving away from.

> Make sure to spell OpenID with uppercase ID: s/OpenId/OpenID


> [[[
> OpenId is especially important for a number of devices (cell phones
> often) that have not implemented client side certificates properly.
> ]]]
> I would add 'yet' so it reads "that have not yet implemented client
> side certificates properly", giving hope that they will in the future,
> and emphasizing that it is something that can be fixed by the browser
> vendors.


> [[[
> The browser could then make use of the information found in the WebID profile
> ...
> This WebID anchor can then be used by browsers
> ]]]
> Firefox Weave does not use WebID yet, right? so be consistent with
> could/can, I believe you want to use could here, otherwise 'can'
> implies it is already available...


> [[[
> With the rollout of critical infrastructure element such as DNSsec and
> IPV6 WebID should rise
> ]]]
> add comma after IPV6
> s/IPV6/IPv6
> [[[
> that encompass everything from to personally controlled identities
> ]]]
> s/from to/from
> [[[
> role playing and employee identities
> ]]]
> what's a role playing identity???
> The HTML is not very clean and several spaces break the read flow at times...

yes. That's google docs I think.

The copy I am workin on is here.


> Steph.
> On Fri, Apr 22, 2011 at 6:42 AM, Henry Story <henry.story@bblfish.net> wrote:
>> From yesterdays comments I have now tweaked the paper to the following
>>  http://bblfish.net/tmp/2011/04/22/
>> I think we really are there, it reads very well now, is clear, open to new protocols (ldap included),
>> makes friends in the TLS, dane, openid and freedom box community, whilst also showing
>> the government how they can get some of what they want for little cost (important
>> in the government cut back season, when Democratic presidents have to work with Republicans).
>> I'll  start passing this to members of this group who are not participating
>> here so actively, probably due to combined reason of volume of mail  and
>> holiday season, to see if we can get some other feedback, some other points of
>> views.
>> We can review some of this on Monday.
>> Henry

Social Web Architect
Received on Saturday, 23 April 2011 14:40:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC