Re: WebID, BrowserID and NSTIC from Francisco Corella on 2011-07-25 (public-xg-webid@w3.org from July 2011)

From: Francisco Corella <fcorella@pomcor.com>
Date: Mon, 25 Jul 2011 11:34:14 -0700 (PDT)
To: Kingsley Idehen <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Cc: Karen Lewison <kplewison@pomcor.com>
Message-ID: <1311618854.45274.YahooMailNeo@web125503.mail.ne1.yahoo.com>
Kingsley,

> On 7/24/11 8:23 PM, Kingsley Idehen wrote:
> > On 7/24/11 7:34 PM, Francisco Corella wrote:
> >> This not a theoretical issue, it is a very practical one.  If WebID
> >> were used as a general purpose WebID, a malicious medical insurance
> >> company in the US could set up a health information Web site with
> >> discussion groups.  If a user signed up with a WebID and joined a
> >> discussion group on cancer, the insurance company could later deny
> >> insurance to the user on suspicion that the user had cancer or a
> >> dependent who has cancer.  This issue can be avoided by using instead
> >> a "login certificate" issued by the relying party itself, as we
> >> propose in section 4.6 of our white paper.
> > But, nothing about WebID implies that a personal is 'You'.
> >
> > Let's take the Spiderman and Peter Parker scenario. You can have WebIDs for both, and only the real identity behind either knows about the owl:sameAs relation.
> >
> > I am saying WebID == Who You Really Are. It just enables identifiers to be verified. It basically caters for alter egos etc..
> 
> Meant to say:
> 
> But, nothing about WebID implies that a personal URI refers to 'You', specifically. It just enables verifiable identifiers that are associated with identities :-)

OK, WebID can be pseudonymous, but each pseudonym needs to backed by a
different web of trust, which gets tricky.

Anyway, independently of what identity technology you use, pseudonyms
are not always appropriate, because they allow tracking.  Colluding
real parties can share information to get a complete picture of all
your activities under a particular pseudonym.  You can mitigate the
attack by using many different pseudonyms, and being careful about
which pseudonym you use for which relying party.  But many relying
parties just need to know that you are the same user who visited them
earlier.  In that case you don't need a pseudonym, or equivalently you
need a pseudonym that's only used for that relying party; that's what
a "login certificate" is, in our proposal.

Preventing tracking by colluding relying parties is an explicit goal
of NSTIC, according to Howard Schmidt's post to the White House blog,
at
http://www.whitehouse.gov/blog/2011/04/26/national-strategy-trusted-identities-cyberspace-and-your-privacy .

Francisco


Francisco Corella, PhD
Founder & CEO, Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Email: fcorella@pomcor.com
Web site: http://pomcor.com


>________________________________
>From: Kingsley Idehen <kidehen@openlinksw.com>
>To: public-xg-webid@w3.org
>Sent: Sunday, July 24, 2011 2:36 PM
>Subject: Re: WebID, BrowserID and NSTIC
>
>On 7/24/11 8:23 PM, Kingsley Idehen wrote:
>> On 7/24/11 7:34 PM, Francisco Corella wrote:
>>> This not a theoretical issue, it is a very practical one.  If WebID
>>> were used as a general purpose WebID, a malicious medical insurance
>>> company in the US could set up a health information Web site with
>>> discussion groups.  If a user signed up with a WebID and joined a
>>> discussion group on cancer, the insurance company could later deny
>>> insurance to the user on suspicion that the user had cancer or a
>>> dependent who has cancer.  This issue can be avoided by using instead
>>> a "login certificate" issued by the relying party itself, as we
>>> propose in section 4.6 of our white paper.
>> But, nothing about WebID implies that a personal is 'You'.
>> 
>> Let's take the Spiderman and Peter Parker scenario. You can have WebIDs for both, and only the real identity behind either knows about the owl:sameAs relation.
>> 
>> I am saying WebID == Who You Really Are. It just enables identifiers to be verified. It basically caters for alter egos etc.. 
>
>Meant to say:
>
>But, nothing about WebID implies that a personal URI refers to 'You', specifically. It just enables verifiable identifiers that are associated with identities :-)
>
>-- 
>Regards,
>
>Kingsley Idehen    
>President&  CEO
>OpenLink Software
>Web: http://www.openlinksw.com
>Weblog: http://www.openlinksw.com/blog/~kidehen
>Twitter/Identi.ca: kidehen
>
>
>
>
>
>
>
>
>
Received on Monday, 25 July 2011 18:34:43 UTC