
Re: Position Paper for W3C Workshop on Identity

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Sat, 23 Apr 2011 13:06:06 -0400
Message-ID: <4DB306FE.4030102@openlinksw.com>
To: public-xg-webid@w3.org

On 4/23/11 12:54 PM, peter williams wrote:
> Good (ignoring the quips). Even worked Quadaffi in (but no Assad!?)
> If one wants to reach out to the traditionalists (still tied to certs), one
> takes a foaf card and one relates the id to a URI pointing at a .crt file of
> a CA (just like the wot vocab points to a .sig file, minted using the PGP
> tool). Then, like wot, one uses a trust metric (PGP in wot's case) to
> compute a confidence value on a chain of relations (relating webids to .crt
> URIs). If this all falls within bounds, designed probably using formal risk
> analysis, one deems the authentication valid. This model scales, and is
> solid (being used for years).
> The point is ... the above metric and system is neither better nor worse
> than any other. We are agnostic. What matters is that a common logic
> framework is doing the relating, and a thousand trust models exist (like
> thousands of ISPs existed for a few years, in 1995 era). Over time, this
> will reduce to 10 and lots of resellers (changing the font, and adding an
> insurance policy and some nominal governance regime), as usual. In reality,
> there is large fanout of the governance space (down to each city, and often
> areas within cities if they have different population migration
> characteristics). In the world of the commodity social web, of course, it's
> small fanout - live/hotmail, google, yahoo (and their many resellers) and
> then paypal - though paypal seems to be losing its nerve after the wikileaks
> exposure (from what a little birdy tells me).
> A good model for us is VISA and PCI, where a thousand+ resellers of 10 main
> banks now divvy up the trust space, forcing different security criteria on
> the merchants under their governance control. In reality, it's little more
> than a market for selling insurance (as satisfying the technical criteria
> under audit costs way more than the insurance premium). But, this is all
> part of the game; which verges on social extortion. Webid will eventually
> become an insurance selling space, just like [server] certs sell warranties
> tied back to Lloyds. Formally, this is the commodity trust basis known as
> "compensating controls". To you and me, in the bar, it's flogging insurance,
> so the risk is spread across the public, acting as a large population able
> to collectively sustain local damages.
> I don't think we want to say this to the browser guys, who are all engineers
> and product managers probably, though. But if one does, it's part of the
> information assurance topic. Demonstrating that webid fits into the way the
> security world actually works, at scale. It is the meaning of life property
> though (since it's about making the money from trust...that pays for
> salaries etc)
> -----Original Message-----
> From: Henry Story [mailto:henry.story@bblfish.net]
> Sent: Saturday, April 23, 2011 8:42 AM
> To: peter williams
> Cc: public-xg-webid@w3.org
> Subject: Re: Position Paper for W3C Workshop on Identity
> On 23 Apr 2011, at 17:05, peter williams wrote:
>> Webid doesn't solve the trust problem. It just binds a key to a
>> name/identifier, and specifies a validation procedure (for SSL).
> yes, saying it solves the trust problem is wrong. It allows it to be
> expressed in the way trust should be: very flexibly. Each agent can decide
> on his own trust policy. Some may choose to trust Rappatoni, others the CIA,
> and yet others Kadhaffi's enlightened leadership.
>> Nicely, the same validation procedure works for other secure channel
>> protocols (e.g. websso). [snip]
> It would be tempting to discuss the meaningoflife issue (42) here, but I
> have a few other priorities on my plate right now, sadly.
> 	Henry
> Social Web Architect
> http://bblfish.net/

We should put this stuff into a Google Docs hosted Presentation or 
Scribd doc. The key thing here is that you grok the big picture 
narrative that needs to act as a WebID segue in presentation format. Of 
course, you can dump as a mail response and others can pick up this 
action. Key is to get this narrative out there as WebID segue.



Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
Received on Saturday, 23 April 2011 17:06:29 UTC
