
RE: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]

From: Peter Williams <home_pw@msn.com>
Date: Fri, 4 Feb 2011 10:26:04 -0800
Message-ID: <SNT143-w233E5CDAA648CB79F1916592E60@phx.gbl>
To: <nathan@webr3.org>
CC: <public-xg-webid@w3.org>

ok that is the topic of challenge, versus resumable authentication, versus (monitored) anonymous browsing.
Let's assume these days there is NO such thing as anonymous browsing - that's because the ISP is monitoring your client IP address and recording each and every place where it associates. It's not only monitoring, it's recording ... those mere associations - in a "know your customer" type policy. I'm only stating what is in the US national id plan... formally. We all know it's been going on for years... semi-secretly. It's all built into CALEA.
What we might do (since it's being paid for anyway) is USE it, to lessen the "downsides" of security. Perhaps no one has an end-to-end client IP address any more, only an IPv6 address that proxies them and represents them downstream FROM their ISP. It's a constant IPv6 address (one that ties essentially to the ISP's records of your conduct on the web, anyway), but it's persistent, from the ISP onwards.
I'm trying to think different - the monitoring ain't going away, so one might as well take some benefit from it, perhaps, in the national id sense.
What consumers don't want is every silo's id mgt regime; it's simply overload. The one I used at W3C to get here was just an awful bureaucratic process, speaking as a user, focussed on W3C's various legal paranoias and regulation compliances. That is, it is a classical identity silo.
The issue with each silo is not their design per se; it's that there are 50 of them one has to use, each with a different bureaucracy. For all I know, the patent policy on this IX has changed, because it was authorized to change with only notice delivered to a website, as agreed in my convoluted signup.
This of course is the "websso" topic - which relates to 1) when to challenge at the UI, 2) when to auto-respond to a challenge, 3) when to do just passive monitoring of the client IP, 4) how to create SOME measure of uniformity, to address the "rules overload".
Then there is the OAUTH variant of websso, clearly introduced and proved in the last year or so based on the takeoff of following/follower driven trust management. A variant of sp-initiated websso, the site leverages websso to borrow the IDP's login process (challenge, continuous, or public), but also gets access rights on login-related services of the IDP (like post to its status..., borrow its centralized follow/follower peer trust management).
Now, we have moved from a protocol (client certs pointing to foaf docs, or ldap records perhaps), to a much bigger space - the whole identity management problem (including websso). That's probably too big to attack (and very political, since lots of vendors and "bodies" have strong opinions already).
How can we scope this down? On the one hand we want a big impact; on the other, we cannot attack an intractable problem.
My core idea is, as I say, very simple. If W3C just liberates client certs from obscurity, it's had a big impact, since that draws the semweb FOAF file with them. This delivers the semweb in a tangible way to a million consuming websites. Then, the rest of the ontologies speak for themselves, when driving further application.

> Date: Fri, 4 Feb 2011 17:42:06 +0000
> From: nathan@webr3.org
> To: home_pw@msn.com
> CC: public-xg-webid@w3.org
> Subject: Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec]
> Peter Williams wrote:
> >
> > There is an issue here.
> >
> > The scheme in [1] argues for passwords (unphisable ones) - saying certs and the like are too hard
> >
> > The issue is "websso".
> >
> > The biggest problem any consumer talks about (anyone ever talk to them?) is that they dont want 50 passwords - which is the situation today.
> >
> > Do we accept the "authentication silo" as an issue - albeit a cultural one?
> >
> > Even if I had the miracle of MutualAuth, do I really want 50 passwords, on 34 different password regimes, and 14 different lifecycles, and 3 different uses of email for recovery?
> I won't really know what you want, but when I view twitter I don't want
> to have to enter a password, when I view my bank account I do, and in
> both cases I want webid.
> Layering :) one does not preclude the other.
Received on Friday, 4 February 2011 18:26:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:41 UTC