
RE: the openid para

From: peter williams <home_pw@msn.com>
Date: Thu, 28 Apr 2011 08:43:06 -0700
Message-ID: <SNT143-ds92E093452C69268E2BF1E929B0@phx.gbl>
To: <nathan@webr3.org>, "'Dan Brickley'" <danbri@danbri.org>
CC: <public-xg-webid@w3.org>
It is time to get off the keygen hobbyhorse and solve this for grandma. Why are we using keygen from 1995, when we no longer use 1995-era HTML (now having proper DOM controls)?


The reason folks in the Microsoft universe don't bother arguing about keygen (they have just ignored it for a decade) is that it's pointless: endless rhetoric and posturing by vendors and their proxies. But, using the object tag, the very same control that IE uses to do the keygen equivalent also allows browsers to talk to a web service or a messaging interface that does FULL lifecycle management of certs/keys. It will quite happily re-mint your own and your machine's cert(s) daily, without you even blinking, assuming it's in a directory-managed PC environment. Making it work on the web is a matter of willpower and vendor cooperation (so Mozilla can improve its MS support, too).


If the ID conference did anything, it would move past almost 15 years of bickering about keygen and let the web catch up with what the enterprise space has done with browsers for almost a decade.


As we discussed on another thread, the world of the enterprise LAN is starting to creep into the web, providing more value-add than the basic document paradigm. We just must not sound like the folks who objected to Mosaic, wanting Lynx to rule the waves. The web may boot using scripts, but it's not limited to them.


Now RDF and certs have something in common: there are legions of folks trained to whine, to simply stop them happening. They threaten (change). But, over time, folks catch up. I doubt RDF is a threat to Microsoft product managers anymore, being a minor shift from where they are. It just requires consensus now (unlike a decade ago). It's just a different serializer for metadata libraries that are just as sophisticated as the stuff from HP in Bristol, UK.


MyOpenID could do WebID tomorrow; it's that easy for them. They already support client certs! They could thus "bridge" WebID to OpenID.


The implementor of StarterSTS <http://startersts.codeplex.com/> can easily bridge OpenID to ws-fedp.


Though Microsoft's ACS v2 NOW does OAuth, Facebook Apps, Yahoo and Live to ws-fed bridging, it doesn't (obviously) allow just any old WordPress OpenID OP to do the same. It would allow the ws-fedp from StarterSTS to bridge in, though, indirectly allowing WordPress sites to talk to the rest of the Microsoft universe. If there are any Java EE STSs out there left, it will talk to them, too, using older protocol versions.


So just imagine a world, taking 2 days or less, in which


WebID logs on to MyOpenID, which asserts to StarterSTS, which re-asserts to ACS, which talks to any Microsoft-powered web SSO site (in addition to all the places that MyOpenID talks to natively, and all the million sites that can process certs and do FOAF validation callbacks on a server).


Now, this is the multi-culturalism I want to promote, to engender adoption. Nothing about such cooperation diminishes one's own unique slice of life, here being a friending model that is like Facebook but rather more open and MUCH less controlling. In fact, such practices help show the differences, allowing sites with n library choices now to pick the one that is BEST for their kind of web app. So long as that local choice adds some local value and doesn't diminish global interoperability, it all works.


There is a moment to be seized and it will be lost within the month, if not taken.





-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Nathan
Sent: Thursday, April 28, 2011 6:18 AM
To: Dan Brickley
Cc: peter williams; public-xg-webid@w3.org
Subject: Re: the openid para


Dan Brickley wrote:

> On 28 April 2011 04:50, peter williams <home_pw@msn.com> wrote:

>> "OpenID reduces the account multiplication issue by allowing users to
>> login to every site using the same global identifier. This provides a
>> base from which WebId can be deployed, procuring the following extra advantages:
>> Protocol simplicity: the WebID protocol is a lot simpler, requiring
>> only one more connection over and above the connection to the
>> requested resource, where the result is cacheable. OpenID requires
>> seven TLS connections, significantly more than WebID. These
>> additional steps create opportunities for denial of service attacks,
>> making it more difficult to secure and to debug."


>> I think we are still learning to make effective pitches. The above,
>> for example, now submitted, sounds somewhat catty. If my sales team
>> used that tone about our competition, I'd consider him jaded and time for retirement.


> I have to agree.




> Last thing we need is a retread of the unfortunate tribalism that was
> 'microformats versus Upper Case Semantic Web'.


Definitely, that 'vs' mentality is possibly one of the biggest blockers to adoption.


> WebID stands on its strengths. And in some cases, being able to fall
> back to OpenID (eg. from the certless cybercafe PC scenario) is more
> appealing than messing around using a password to install (and then
> remove) a transient WebID cert on an unknown PC.


This is probably our biggest issue; we need to do something about that fast. Cert management is a huge PITA: my cert expired last week, and I use it for loads of things (I use the keys from it for GitHub, W3C CVS, my own SVN stuff, DAV servers etc). This thing expiring is a really big problem at the minute, and the level of pain it's going to take to re-issue the cert with the same keys is not something my mum could manage.


> From the point of view of the more descriptively-oriented FOAF work,
> multi-protocol is not just unavoidable, but essential. Protocols are
> the papertrail that let us move from RDF triples to RDF quads, to keep
> track of who-said-what and to then be able to query them usefully in
> SPARQL or even reason about them. There is a level of abstraction


missing, a level of abstraction is missing at the minute. Needs focus.


> While WebID and digital signature (PGP or otherwise) are key tools
> there, so are custom REST APIs, XMPP, and other older, more
> domesticated protocols like IMAP and POP.




> Regarding multi-protocol, perhaps the most effective thing that could
> be done in the WebID community would be to create or patch
> opensource/free software tools to be protocol agnostic, and which
> would allow Web developers to implement 'login with openid or webid or
> facebook or twitter or ...' rather than face each hurdle separately.




> Updating the various wordpress, drupal, mediawiki etc etc openid addons to handle WebID too would be a big boost.


I think we can safely say that's about to happen in the near future ;)


> But then so would having a not-for-geeks "login with your Web
> identity" narrative that would subsume technology differences between
> OpenID and WebID.




> (*) saying this, I'm painfully aware that I've not had time to put
> much time into any of this lately, so maybe I shouldn't be cavalier in
> making suggestions for how others assign their time.


Who has? Although it feels like there are quite a few of us with renewed focus to attack the big picture with real working code spanning multiple projects and groups. It's going to be a fun / interesting year.





Received on Thursday, 28 April 2011 15:43:35 UTC
