Re: WebID, BrowserID and NSTIC from Francisco Corella on 2011-07-25 (public-xg-webid@w3.org from July 2011)

From: Francisco Corella <fcorella@pomcor.com>
Date: Mon, 25 Jul 2011 12:50:10 -0700 (PDT)
To: "nathan@webr3.org" <nathan@webr3.org>
Cc: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>
Message-ID: <1311623410.6896.YahooMailNeo@web125514.mail.ne1.yahoo.com>
Nathan,

> First let me just say, you have a fantastic collection of white
> papers, I'm thoroughly enjoying reading them, especially Mechanising
> Set theory, and NSTIC architecture proposal.

Thank you!

> A few minor comments on what you've written:
> 
> Francisco Corella wrote:
> > The privacy goals of NSTIC include revealing as little information
> as
> > necessary to the relying party, and preventing relying parties that
> > share information from jointly tracking the user if at all possible.
> > WebID, if used as a general purpose identifier for the Web at large,
> > does not meet that goal. 
> > This not a theoretical issue, it is a very practical one.  If WebID
> > were used as a general purpose WebID, a malicious medical insurance
> > company in the US could set up a health information Web site with
> > discussion groups.  If a user signed up with a WebID and joined a
> > discussion group on cancer, the insurance company could later deny
> > insurance to the user on suspicion that the user had cancer or a
> > dependent who has cancer.  This issue can be avoided by using
> instead
> > a "login certificate" issued by the relying party itself, as we
> > propose in section 4.6 of our white paper.
> 
> Assuming a single WebID per person, then yes there would be an issue,
> however there is no reason why a specific website or application
> cannot issue each user with their own, unique to that website, WebID,
> certificate and all. It appears to me that this would be equivalent to
> a login certificate, indeed that's exactly what it would be, surely?

Yes, but isn't a WebID supposed to be backed by a web of trust?  
What would be the web of trust for a WebID that's issued by a site and
only submitted to that site?  And why us a WebID in that case when you
can use a simple PKI certificate?

> As a user I'm very keen to get away from the one person one identifier
> side of the web, just looking at google dashboard is somewhat scary -
> the sooner we can have multiple profiles, one for each side of our
> life, with only us as an individual knowing the correlation, the
> better. Thus, any identity solution must, at the least, easily support
> multiple identifiers and sets of credentials. WebID seems to allow
> this?

I'd go one step further, and say that an identity solution should
support multiple types of credentials, because different types are
useful for different purposes.  In our proposed architecture for NSTIC
we accomodate Idemix and U-Prove "privacy-enhanced" credentials, PKI
certificates (ranging from a certificate issued by the US Social
Security Administration to assert that the user owns a social-security
number, to a "login certificate" issued and used by a relying party)
and "bare keys" for session maintenance.  We will soon revise the
white paper to add WebIDs, and PKI certificates issued by email
service providers to assert that the user owns an email address.  We
also accomodate the submission of multiple credentials simultaneously,
which makes sense in several use cases.

Francisco
 
Francisco Corella, PhD
Founder & CEO, Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Web site: http://pomcor.com


>________________________________
>From: Nathan <nathan@webr3.org>
>To: Francisco Corella <fcorella@pomcor.com>
>Cc: Henry Story <henry.story@bblfish.net>; WebID XG <public-xg-webid@w3.org>; Karen Lewison <kplewison@pomcor.com>
>Sent: Sunday, July 24, 2011 3:29 PM
>Subject: Re: WebID, BrowserID and NSTIC
>
>Hi Francisco,
>
>First let me just say, you have a fantastic collection of white papers, I'm thoroughly enjoying reading them, especially Mechanising Set theory, and NSTIC architecture proposal.
>
>A few minor comments on what you've written:
>
>Francisco Corella wrote:
>> The privacy goals of NSTIC include revealing as little information as
>> necessary to the relying party, and preventing relying parties that
>> share information from jointly tracking the user if at all possible.
>> WebID, if used as a general purpose identifier for the Web at large,
>> does not meet that goal.  
>> This not a theoretical issue, it is a very practical one.  If WebID
>> were used as a general purpose WebID, a malicious medical insurance
>> company in the US could set up a health information Web site with
>> discussion groups.  If a user signed up with a WebID and joined a
>> discussion group on cancer, the insurance company could later deny
>> insurance to the user on suspicion that the user had cancer or a
>> dependent who has cancer.  This issue can be avoided by using instead
>> a "login certificate" issued by the relying party itself, as we
>> propose in section 4.6 of our white paper.
>
>Assuming a single WebID per person, then yes there would be an issue, however there is no reason why a specific website or application cannot issue each user with their own, unique to that website, WebID, certificate and all. It appears to me that this would be equivalent to a login certificate, indeed that's exactly what it would be, surely?
>
>As a user I'm very keen to get away from the one person one identifier side of the web, just looking at google dashboard is somewhat scary - the sooner we can have multiple profiles, one for each side of our life, with only us as an individual knowing the correlation, the better. Thus, any identity solution must, at the least, easily support multiple identifiers and sets of credentials. WebID seems to allow this?
>
>Best,
>
>Nathan
>
>>> ________________________________
>>> From: Henry Story <henry.story@bblfish.net>
>>> To: WebID XG <public-xg-webid@w3.org>
>>> Sent: Wednesday, July 20, 2011 1:48 AM
>>> Subject: WebID, BrowserID and NSTIC
>>> 
>>> A very interesting article is up "BrowserID and NSTIC" http://bit.ly/oIKw1P . NSTIC stands for "National Strategy for Trusted Identities in Cyberspace"
>>> 
>>> The article finally points us to the documentation of the BrowserId spec "The verified e-mail protocol"
>>>  https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest
>>> which is nice. Weird how that link never seems to have appeared anywhere.
>>> 
>>> And it points to a very interesting PDF that I have not had time to read in full
>>> detail "proposed NSTIC architecture".[1]
>>> 
>>> I pointed out the relation between WebID and BrowserId on that blog post, and perhaps we
>>> will be able to have Francisco Corella talk to us a bit more about what is going
>>> on at NSTIC and how WebID could be used there.
>>> 
>>>     Henry
>>> 
>>> 
>>> [1] http://pomcor.com/whitepapers/ProposedNSTICArchitecture.pdf
>>> 
>>> Social Web Architect
>>> http://bblfish.net/
>>> 
>>> 
>>> 
>>> 
>>> 
>
>
>
>
Received on Monday, 25 July 2011 19:50:49 UTC