- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 28 Apr 2011 15:37:50 +0200
- To: Dan Brickley <danbri@danbri.org>
- Cc: peter williams <home_pw@msn.com>, public-xg-webid@w3.org
On 28 Apr 2011, at 10:34, Dan Brickley wrote:

> On 28 April 2011 04:50, peter williams <home_pw@msn.com> wrote:
>>
>> "OpenID reduces the account multiplication issue by allowing users to login
>> to every site using the same global identifier. This provides a base from
>> which WebId can be deployed, procuring the following extra advantages:
>> Protocol simplicity: the WebID protocol is a lot simpler, requiring only one
>> more connection over and above the connection to the requested resource,
>> where the result is cacheable. OpenID requires seven TLS connections,
>> significantly more than WebID. These additional steps create opportunities
>> for denial of service attacks, making it more difficult to secure and to
>> debug."
>>
>> I think we are still learning to make effective pitches. The above, for
>> example, now submitted, sounds somewhat catty. If my sales team used that
>> tone about our competition, I'd consider him jaded and time for retirement.
>
> I have to agree. I have nothing but admiration for the technical
> progress of this work, but I do find the messaging re OpenID over the
> years has been needlessly (and perhaps unintentionally)
> confrontational. Last thing we need is a retread of the unfortunate
> tribalism that was 'microformats versus Upper Case Semantic Web'.
> WebID stands on its strengths. And in some cases, being able to fall
> back to OpenID (eg. from the certless cybercafe PC scenario) is more
> appealing than messing around using a password to install (and then
> remove) a transient WebID cert on an unknown PC.

Dan, if you were to add a sentence or two, and were we to be able to send in a last minute update - usually one can in the review process - what would you add?

I tried to present WebID in the text as something one could have in addition to (I used the word "extra") OpenId. That WebId has some cool new features is not wrong I hope. I am sure OpenID 2 also makes that type of claim with respect to OpenId 1. Or that OAuth or XAuth also make that claim with regard to OpenId.

It's quite difficult to get these things right in the amount of space we had available. Perhaps all that is needed is a couple of sentences for what OpenId can do that WebID cannot:

- deal with browsers that have no client certs
- deal with the widely adopted openid endpoints
  -> openid4.me (no longer works though)
- (I am not sure I'd make a big case about shared computers because the only thing that can solve that with any limited degree of security is cryptokeys or token cards, one time passwords, though perhaps one time passwords make more sense with openid for short lived logins)

> [snip]
> The culture around W3C --- a standards organization, after all ---
> tends unconsciously towards answering all "what should we do?"
> questions with answers that are variations on "make or improve a
> standard!". With WebID we can afford to think more broadly, ...

Well one can always think more broadly. But I don't see why this is just something that one should raise at the WebID community. If we had just thought more broadly and not focused on the details of how one can do the WebID protocol as it is specified now, who would have done it?

> and if
> software-oriented activities have a better chance of getting us where
> we want to go, to put some time into that(*). Updating the various
> wordpress, drupal, mediawiki etc etc openid addons to handle WebID too
> would be a big boost. But then so would having a not-for-geeks "login
> with your Web identity" narrative that would subsume technology
> differences between OpenID and WebID.

I will try to build something like that. We had http://openid4.me/ if you recall.

I have heard mostly silence from the OpenId community with respect to WebId. Well Peter Williams is nearly the only one who made the jump I think. (and what a jump)

I don't see folk getting upset with http because it is solving something like ftp and there are then two protocols to do something similar. I am not sure even if it makes sense to ask them to "work together". That does not stop the browsers implementing ftp and http.

Furthermore we had a few implementations showing how to do openid and webid together (OpenId4.me). But note also that to get them to work *together* we first need to make sure WebID is clearly defined, otherwise there is no WebID to work with OpenID.

When setting out to make a new discovery one always has to differentiate oneself from the others, by emphasizing certain things that appear irrational and unimportant to the main team. A vegetarian for example makes a decision to stop eating meat. It is a decision that will often be felt by the others to be 'weird', 'selfish', 'arrogant' and so on. But it is what in an open society we allow: people try new forms of life, go their own way, make new discoveries and everyone benefits. There was a restaurant in San Francisco that only served uncooked vegetables when I was there in the 1990s. I thought it quite weird when I discovered that, but their food was very good. They probably would never have discovered all the great dishes had they not started with that odd initial value judgement.

In this case we have the same with new protocols. I remember a similar critique being made of the OpenId folk of not being mature, arrogant, cowboys perhaps, by the other identity folks when they got going. They did something different and got very far with it. In the semantic web the same happened with linked data. I think this is just unavoidable. You have to go your own way, if you want to do something new. (The foaf+ssl group never hid what it was doing, always worked in the open)

Once the new group has learnt to define itself, has had successes, it can usually step back and start constructing bridges. I am all for doing that for anyone who has time. But very first we just need to get the tests done.

I have been speaking of WebId as being protocol independent for a very long time. We can build tests for each of them, but as we have already discussed at length we need to start somewhere. These tests don't need to be exclusive btw of any protocol. An implementation can say "I don't know this protocol" and that's ok.

When we have the tests for a few obvious protocols we can work with other groups towards a logic of authentication that will be useful for both of us. I think it is more likely to be a logic of authorization though. And there the semantic web gives us again a lot of power.

Henry

Social Web Architect
http://bblfish.net/
Received on Thursday, 28 April 2011 13:38:22 UTC