- From: peter williams <home_pw@msn.com>
- Date: Sat, 23 Apr 2011 09:54:39 -0700
- To: "'Henry Story'" <henry.story@bblfish.net>
- CC: <public-xg-webid@w3.org>
Good (ignoring the quips). Even worked Quadaffi in (but no Assad!?)

If one wants to reach out to the traditionalists (still tied to certs), one takes a foaf card and one relates the id to a URI pointing at a .crt file of a CA (just like the wot vocab points to a .sig file, minted using the PGP tool). Then, like wot, one uses a trust metric (PGP in wot's case) to compute a confidence value on a chain of relations (relating webids to .crt URIs). If this all falls within bounds, designed probably using formal risk analysis, one deems the authentication valid. This model scales, and is solid (being used for years).

The point is ... the above metric and system is neither better nor worse than any other. We are agnostic. What matters is that a common logic framework is doing the relating, and a thousand trust models exist (like thousands of ISPs existed for a few years, in the 1995 era). Over time, this will reduce to 10 and lots of resellers (changing the font, and adding an insurance policy and some nominal governance regime), as usual. In reality, there is a large fanout of the governance space (down to each city, and often areas within cities if they have different population migration characteristics). In the world of the commodity social web, of course, it's a small fanout - live/hotmail, google, yahoo (and their many resellers) and then paypal - though paypal seems to be losing its nerve after the wikileaks exposure (from what a little birdy tells me).

A good model for us is VISA and PCI, where a thousand+ resellers of 10 main banks now divvy up the trust space, forcing different security criteria on the merchants under their governance control. In reality, it's little more than a market for selling insurance (as satisfying the technical criteria under audit costs way more than the insurance premium). But, this is all part of the game; which verges on social extortion.
Webid will eventually become an insurance selling space, just like [server] certs sell warranties tied back to Lloyds. Formally, this is the commodity trust basis known as "compensating controls". To you and me, in the bar, it's flogging insurance, so the risk is spread across the public, acting as a large population able to collectively sustain local damages. I don't think we want to say this to the browser guys, who are all engineers and product managers probably, though. But if one does, it's part of the information assurance topic. Demonstrating that webid fits into the way the security world actually works, at scale. It is the meaning of life property though (since it's about making the money from trust...that pays for salaries etc)

-----Original Message-----
From: Henry Story [mailto:henry.story@bblfish.net]
Sent: Saturday, April 23, 2011 8:42 AM
To: peter williams
Cc: public-xg-webid@w3.org
Subject: Re: Position Paper for W3C Workshop on Identity

On 23 Apr 2011, at 17:05, peter williams wrote:

> Webid doesn't solve the trust problem. It just binds a key to a
> name/identifier, and specifies a validation procedure (for SSL).

yes, saying it solves the trust problem is wrong. It allows it to be expressed in the way trust should be: very flexibly. Each agent can decide on his own trust policy. Some may choose to trust Rappatoni, others the CIA, and yet others Kadhaffi's enlightened leadership.

>
> Nicely, the same validation procedure works for other secure channel
> protocols (e.g. websso).

[snip]

It would be tempting to discuss the meaningoflife issue (42) here, but I have a few other priorities on my plate right now, sadly.

Henry

Social Web Architect
http://bblfish.net/
Received on Saturday, 23 April 2011 16:55:06 UTC