Re: Browser ID

On 7/15/11 11:56 AM, Danny Ayers wrote:
> Nice work Ben, but...

Thanks Danny. It's a team effort, of course, I only joined Mozilla 3
months ago.

> Ok, email seems fine as a lowest common denominator, but that does
> seem rather to neglect the huge advantage that the Web offers - a HTTP
> URI can effectively provide any information you like (including email
> address in, say, a FOAF or XFN profile).

Three things:

(a) I'm a big fan of linked data, but when it comes to the simple act of
logging into a web site, I'm worried about what it means to force users
to have a profile reachable publicly. That seems inherently at odds with
privacy.

(b) I don't think users think of themselves as URIs. OpenID basically
proved this when they moved away from "people are URIs." Users do think
of email addresses as handles for people.

(c) every web site wants an email address from you so they can contact
you. I need to guarantee that, when you log into a site with BrowserID,
the site gets an email address.

Put (b) and (c) together, and that's why we chose email addresses as the
right identifier.

(a) is the reason that, even if we could guarantee that every FOAF
profile has an email address, I'm not sure a publicly reachable HTTP
profile is the right approach for letting users just log in.

> So far I've barely glanced at the docs, but I get the impression that
> the email address will be passed around in a little bundle of JSON.

Correct.

> while using URIs (including mailto:) would strike me as the neatest
> approach, would it hurt to add another field for a profile URI?

To the JSON assertion? We have plans of eventually adding means for web
sites to discover additional information about you, but I'm not sure
they would go in that initial assertion.

> Whatever, some kind of convergence/compatibility between BrowserID and
> WebID seems very desirable.

Maybe. I'm still not sure I see the advantage. More in my response to
Nathan shortly.

-Ben

Received on Saturday, 16 July 2011 02:16:50 UTC