RE: Position Paper for W3C Workshop on Identity

Webid doesn’t solve the trust problem. It just binds a key to a
name/identifier, and specifies a validation procedure (for SSL). 

Nicely, the same validation procedure works for other secure channel
protocols (e.g. websso). If the browser posting an openid assertion to the
consumer also releases the SSL client cert to the relying party site, the
site can augment its relying party control set with the webid validation
procedure, for example. This resulting foaf card might "qualify" the openid
OP, leading to the super-position of a foaf (not webid) trust model on
openid.

We have to decide:

Is the term webid the URI in cert idea?

Is it the use of a client cert (with...) in SSL (only)?

Is it the validation procedure, working with http/s URIs (only)?

Is it the validation procedure, with any scheme of URI?

Is it the tie in to federation social networks, which impose webbiness on
each and every step (users may NOT generate certs on their PC, they MUST use
a web provider)?

Is webid the use of particular foaf or other ontologies relationship specs,
when computing trust chains?

For me, webid is the first 4 (above). It stops at federated social networks.
For all I care, one can use webid in nntps, creating a groupware concept based
on threaded conversations. This can use PKI trust or social feedback in an
nntps context, that never ever uses a foaf-card borne relationship
statement.

If one seeks mass adoption in a crypto-political sphere full of well-manned
roadblocks, one has to decouple the security protocol from the (motivating)
application. That is: you have to let HTTP be used for the evil SOAP, if you
are to get buy-in to HTTP for the web architecture you really believe in. You
have to give, to get. If you get 30% of what you set out for at the outset
of a social plan in crypto-politics, you are usually doing pretty well! What
I want is a massive number of foaf cards as homepages, with SOME set of
triples being consumed thereby, to create the beachhead from which one
expands further.
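The validation procedure sketched above (SAN URI in the client cert, dereference it, compare the published key with the cert's key), as an added example that is not code from the position paper or the XG. It assumes the TLS handshake and the RDF parsing have already happened, so the certificate and the profile document are plain Python data with constructed values, and it also shows why the `https://bob.net/id/bob` versus `https://bob.net/id/bob#me` mismatch noted in the quoted review below makes validation fail.

```python
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"  # W3C cert ontology namespace

def normalize_modulus(hex_text):
    """Profiles publish the modulus as hex, sometimes colon/space separated."""
    return int("".join(ch for ch in hex_text if ch.isalnum()), 16)

def keys_for(webid, triples):
    """Return (modulus, exponent) pairs published for `webid` via cert:key."""
    keys = []
    for s, p, key_node in triples:
        if s == webid and p == CERT + "key":
            parts = {p2: o2 for s2, p2, o2 in triples if s2 == key_node}
            if CERT + "modulus" in parts and CERT + "exponent" in parts:
                keys.append((normalize_modulus(parts[CERT + "modulus"]),
                             int(parts[CERT + "exponent"])))
    return keys

def verified_webids(cert, documents):
    """WebID validation: SAN URI -> dereference profile -> match the cert key.
    `cert` is the already-parsed client certificate (assumed shape); `documents`
    stands in for HTTP GET, mapping a document URI to its parsed RDF triples."""
    verified = []
    for webid in cert["san_uris"]:
        if not webid.startswith(("http://", "https://")):
            continue  # the thread's narrow reading: http/s URIs only
        doc_uri, _ = urldefrag(webid)  # fetch the document without the fragment ...
        triples = documents.get(doc_uri, [])
        # ... but the triple subject must be the exact WebID, fragment included
        if (cert["modulus"], cert["exponent"]) in keys_for(webid, triples):
            verified.append(webid)
    return verified

# Constructed sample data (toy modulus, not a real key).
BOB_MODULUS, BOB_EXPONENT = 0xC3A577190D42F7EE, 65537
PROFILE_DOCS = {
    "https://bob.net/id/bob": [
        ("https://bob.net/id/bob#me", CERT + "key", "_:k1"),
        ("_:k1", CERT + "modulus", "c3:a5:77:19:0d:42:f7:ee"),
        ("_:k1", CERT + "exponent", "65537"),
    ],
}
# SAN as in the paper's excerpt (no #me) versus the WebID the profile uses
CERT_NO_FRAGMENT = {"san_uris": ["https://bob.net/id/bob"],
                    "modulus": BOB_MODULUS, "exponent": BOB_EXPONENT}
CERT_WITH_FRAGMENT = {"san_uris": ["https://bob.net/id/bob#me"],
                      "modulus": BOB_MODULUS, "exponent": BOB_EXPONENT}
```

`verified_webids(CERT_NO_FRAGMENT, PROFILE_DOCS)` returns an empty list because the profile only asserts a key for the `#me` subject, while `CERT_WITH_FRAGMENT` validates.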

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Stéphane Corlosquet
Sent: Saturday, April 23, 2011 6:52 AM
To: Henry Story
Cc: WebID XG
Subject: Re: Position Paper for W3C Workshop on Identity

[[[
The user can create and control his own, self sign his certificates, and if
needed use short lived, throwaway ones.
]]]
control his own what? "The user can create and control his own, self signed
certificates" maybe?

[[[
The selected X509 certificate is sent back
]]]
be more precise than "sent back": i.e. the browser sends the selected
certificate to the server. The following shows an excerpt of the
certificate:...

The indentation of the last 2 lines looks odd, they should be indented
further right than the line above them:
X509v3 extensions:
 X509v3 Subject Alternative Name:
             URI:https://bob.net/id/bob

Do you mean to have a yellow background? a box around it would probably look
better.

Make sure you're using the same WebID for Bob, the certificate specifies
https://bob.net/id/bob and further in 6. you use https://bob.net/id/bob#me

The point 7. is beyond the WebID authentication realm but that's good to
give an idea of the type of things you can do once you have a WebID. I
wonder if this could be made optional though, as otherwise it might make the
reader think that WebID requires to have a whole FOAF network - quite the
opposite, you can start using WebID with just one WebID URI and a public key
in your profile document (as simple as that).

[[[
Passwords are difficult to remember or they are bad
]]]
what do you mean by passwords being bad? because they are made too weak to be
easier to remember? or are you criticizing the whole concept of using
passwords?

[[[
as shipped in current browser
]]]
s/browser/browsers

[[[
solving the trust problem - the biggest issue of WebID
]]]
The biggest issue of WebID is the trust problem? you probably mean that the
biggest issue WebID solves is the trust problem?

Make sure to spell OpenID with uppercase ID: s/OpenId/OpenID

[[[
OpenId is especially important for a number of devices (cell phones
often) that have not implemented client side certificates properly.
]]]
I would add 'yet' so it reads "that have not yet implemented client side
certificates properly", giving hope that they will in the future, and
emphasizing that it is something that can be fixed by the browser vendors.

[[[
The browser could then make use of the information found in the WebID
profile ....
This WebID anchor can then be used by browsers
]]]
Firefox Weave does not use WebID yet, right? so be consistent with could/can,
I believe you want to use could here, otherwise 'can' implies it is already
available...

[[[
With the rollout of critical infrastructure element such as DNSsec and
IPV6 WebID should rise
]]]
add comma after IPV6
s/IPV6/IPv6
s/DNSsec/DNSSEC

[[[
that encompass everything from to personally controlled identities
]]]
s/from to/from

[[[
role playing and employee identities
]]]
what's a role playing identity???

The HTML is not very clean and several spaces break the read flow at
times....

Steph.

On Fri, Apr 22, 2011 at 6:42 AM, Henry Story <henry.story@bblfish.net>
wrote:
> From yesterday's comments I have now tweaked the paper to the following
>
>  http://bblfish.net/tmp/2011/04/22/
>
> I think we really are there, it reads very well now, is clear, open to
> new protocols (ldap included), makes friends in the TLS, dane, openid
> and freedom box community, whilst also showing the government how they
> can get some of what they want for little cost (important in the
> government cut back season, when Democratic presidents have to work with
> Republicans).
>
> I'll start passing this to members of this group who are not
> participating here so actively, probably due to combined reason of 
> volume of mail  and holiday season, to see if we can get some other 
> feedback, some other points of views.
>
> We can review some of this on Monday.
>
> Henry
>
>
>
>

Received on Saturday, 23 April 2011 15:05:34 UTC