- From: Jeff Sayre <jeff@sayremedia.com>
- Date: Mon, 18 Jul 2011 19:54:35 -0700
- To: "Ben Adida" <ben@adida.net>
- Cc: "Henry Story" <henry.story@bblfish.net>, "Tom Scavo" <trscavo@gmail.com>, dev-identity@lists.mozilla.org, "WebID XG" <public-xg-webid@w3.org>
Ben- For those of us that operate our own communications channels -- websites -- and act as our own email providers, how will the certification of our own email addresses work under BrowserID? Whereas I do have gmail and dotMac email accounts, those are not accounts that I consider my primary email addresses. In fact, I do not use my gmail account. It was simply assigned to me when I created a Google account. Instead, I use my self-created, controlled, and managed email account. It sounds like BrowseID is really geared toward 3rd-party email idP's and not people like myself. If that is the case, then this is a salient advantage that WebID provides. With WebID, I can fully control my identity and act as my own idP. I can vouch for myself. I do not need a 3rd party, who truly does not know me, certify me -- whether for free or a fee. I can demonstrate ownership and control over my domain. It is then up to others to decide if they wish to trust me or not. Overtime, I can build up a large Web of Trust of other users who can also vouch for me. This Web of Trust can then be seamlessly used to further enhance the authentication process. Jeff Sayre > On 7/17/11 8:49 PM, Henry Story wrote: >> >>> Yes, and an interesting experiment it is, too. >> >> agree. > > I'm glad you think so. We think it's important to keep it simple to see > where it goes. > > And though I'm pessimistic about WebID, I'm glad you're experimenting > with it. I will gladly eat my words if you succeed. > >> A lot of people don't want to get into spam registries. The privacy >> advantage of http URLs is that you can't send e-mails using them. So >> one could argue that http URLs are more privacy enhancing :-) > > It's easy to create an email alias that goes to bitbucket, if we find > that that's an important use case. I doubt it, though. > > I don't think we're going to agree on the privacy properties of HTTP > URLs that reveal information to anyone who asks, and that effectively > become logs of all login activity. > >> A question on short keys - this is probably something I have not fully >> understood. >> But if the keys are short lived, don't you have to go back to your >> e-mail provider >> constantly to create new keys? > > Indeed. But we are working on the protocol that will let a provider that > has already certified you re-certify you quietly. So when you log back > into your email provider, your cert is renewed automatically, in the > background. > >> If so is that not a Usability nuisance? > > I'm pretty sure we can make it fully transparent and yet fully > user-consented. But we've got some work left to do to get there. > > -Ben > >
Received on Tuesday, 19 July 2011 02:55:02 UTC