RE: slow down and organize

So far webid protocol is pure internet security protocol. There is not one ounce of anything webby (except the option to use 15-year old self-signed certs for clients and servers - which exist and work globally due to the webby influence of (non-W3C) webby-effective people in 1996 era).


The internet provides a space for the web to define your ideals of social webiness (decentralized spaces, etc), creating interesting modes of trust and reputation. You take the keys in the various self-signed certs, and build graphs that link them. You can get religious and believe that only rdf can do that, or you can invoke an equivalent religion and use ldap (and/or 16 other techniques) to do the same – tied to the traditions of the ldap naming/identifier scheme (or 16 other name forms). http identifiers are just name form #17.


We need to now see foaf and semweb inferences actually do what they claim. The other #16 are using the same “webid protocol” already. The scale is not web, usually (which is hopefully the distinguishing feature of this group).


Remember, all webid protocol does is use 15 year old client authn in TLS to deliver a client cert to a server process, that looks up a key in a remote file. In linked data world, one uses SPARQL. In X.500, one uses ldap queries. In SAML2, one uses the AttributeQuery protocol. In …. #13 other schemes, there is some other remote search query.


What linked data PROPOSES for scheme #17 is great. But, can we just do it rather than talk about it? Start with the simplest version of linked data, and don’t make me learn anything about federated social webs. Just let me read a foaf card on the web, test it for a key – just like I already do with an ldap query. Do that as simply as possible, ideally in a manner that a billion PCs can do today, with no change. Don’t make me learn turtle, don’t make me learn n3, don’t make me learn inferences due to RDFa. Just let me test a key exists in a remote file, using a trivial webservice.
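The "test a key exists in a remote file" step described above, written out as an added example (not code from this thread or from the WebID XG). It assumes the profile document is RDF/XML using the cert: vocabulary, and that the TLS layer has already supplied the client certificate's RSA modulus, exponent and SAN URI (the WebID); the profile below is constructed for the example.

```python
# Server-side WebID key test: does the profile fetched from the WebID URI
# list the RSA key presented in the TLS client certificate? (added example)
import xml.etree.ElementTree as ET

CERT_NS = "http://www.w3.org/ns/auth/cert#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample profile, standing in for the document fetched from the
# WebID URI (minus the fragment); embedded so the example runs offline.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:cert="http://www.w3.org/ns/auth/cert#">
  <foaf:Person rdf:about="https://example.org/profile#me">
    <cert:key><cert:RSAPublicKey>
      <cert:modulus rdf:datatype="http://www.w3.org/2001/XMLSchema#hexBinary">
        00C4 f0aB 12 34
      </cert:modulus>
      <cert:exponent rdf:datatype="http://www.w3.org/2001/XMLSchema#integer"
        >65537</cert:exponent>
    </cert:RSAPublicKey></cert:key>
  </foaf:Person>
</rdf:RDF>
"""

def keys_for_webid(profile_xml, webid):
    """Return the set of (modulus, exponent) integer pairs the profile
    attaches to the given WebID URI. Only subjects whose rdf:about equals
    the WebID count; keys listed for other people in the file are ignored."""
    found = set()
    for subject in ET.fromstring(profile_xml).iter():
        if subject.get(f"{{{RDF_NS}}}about") != webid:
            continue
        for key in subject.findall(f"{{{CERT_NS}}}key"):
            mod = key.find(f".//{{{CERT_NS}}}modulus")
            exp = key.find(f".//{{{CERT_NS}}}exponent")
            if mod is None or exp is None or not mod.text or not exp.text:
                continue
            # hexBinary may be wrapped, spaced or mixed-case: normalise it
            mod_hex = "".join(mod.text.split()).lower()
            found.add((int(mod_hex, 16), int(exp.text.strip())))
    return found

def webid_key_matches(profile_xml, webid, cert_modulus, cert_exponent):
    """The whole WebID test: does the profile named by the cert's SAN URI
    list exactly the key the client presented? Comparing as integers means
    leading zeros or case in the hex encoding cannot cause a false mismatch."""
    return (cert_modulus, cert_exponent) in keys_for_webid(profile_xml, webid)
```

A real deployment fetches the profile over HTTPS from the SAN URI with the fragment removed, and should treat a fetch failure as "no key found" rather than skipping the check.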


From: [] On Behalf Of Reto Bachmann-Gmuer
Sent: Thursday, February 24, 2011 1:57 AM
To: peter williams
Cc:; WebID XG
Subject: Re: slow down and organize


On Wed, Feb 23, 2011 at 7:17 PM, peter williams <> wrote:

We cannot rearchitect internet security - and this seems the underlying goal. It's not realistic. The mail overload on now many topics should have shown that it's not feasible - as there are 100+ topics more, yet. Effective commodity internet security requires dominance of 12+ disciplines at 80% competency - as 75,000 CISSP certified folks doing internet security every day know.

I think there are fundamental differences between "Internet Security" and what WebId offers. Internet Security is mainly driven by the concerns of corporations that want to have secure communication while using the cheap internet infrastructure. For this, legal identities have to be mapped to cryptographic identities, and security is ideally hidden away from the user in the lower level protocols. The vision here is to have safe citadels on an insecure net. Where interaction with the rest of the world is necessary, https-sites combined with various forms of client authentication (as people seemed reluctant to just walk around with a digital-id) should assure that the customer is (in terms of what the passport owned) who the company thinks he is.

WebId is fundamentally different. It arises from the decentralized architecture of the web, where nobody cares that you're a dog or how the digital identity relates to a physical person. The web offers social spaces that can be detached from the social networks in the physical world, but even in such detached networks trust and reputation are being built. That's why we need WebId: the WebId is the DNA of your virtual personae, which may or may not be related to who you really are. With the web becoming more and more an interactive place, the traditional asymmetry between the authenticated site and the unauthenticated user is no longer practicable. With the online information sphere becoming the most important space for social change, linking the identities to legal entities can be more a risk than a security feature.

Don't scare people away from security; it's good to have 12 years of training with 100+ topics, however also that 1/2 day GnuPG training of your local anarchists might cause an increase in the costs you cause to the secret services (if they think you're interesting enough :) ). WebID is easier than PGP and it integrates easily into the browser; this is what will hopefully make more people use it.

For the Web and the Internet to reach their full potential we need end-to-end security, with users capable of controlling the cryptographic secrecy and identity they use; these decisions cannot be delegated and are highly context- and application-dependent. For this we do not need to invent new technologies; it's just about making existing decentralized security concepts more web-friendly and thus more attractive.


Received on Thursday, 24 February 2011 16:49:08 UTC