RE: Web Tracking and User Privacy: The Next Steps.

This is related to the slow down and organize desire.

There are a million security issues to be fought. We have to decide on one
or two, that are webby - and characterize the essential position of the W3C
community. Nothing about webid is going to right all the wrongs of the
world. It can make things 1% better than today, though. If we get to take
1%, we will have to give 1% in some other area of dispute.

What the last week taught me is that the very semantics of https are under
threat - specifically since the viability of such as a webid protocol can
be seen to struggle at a technical a world with mainstream https
proxies. This example can be a generalizable "position," in the identity

There are those who believe the planet of 6 billion is much better off only
when intermediaries connect end parties (browser users and websites with
content). In the identity space, we see online IDPs being required in order
for users to effectively speak globally; and we see dumbed down webservices
needing SPs to process the security tokens originated by anyone. For
example, a simple SWT-capable RESTful webservice only accepts HMAC-signed
tokens, translated from user credentials, using symmetric keys controlled by
the SP. Commodity users cannot signal directly. 

While simple, such IDP and SP "mediation" practices introduce dependency and
control. While simple, such practices on the IDP side intermediate users. To
be fair, users and webservices do benefit, because IDPs can express and
enforce privacy policies on the user's behalf, governing the websites and
token translation services.

To me, this is the debate question, and thus the design axis (thereby
recognizing the threats to the design goal rather than pretending they don't
exist). We don't get involved in tracking or any one of the million other
cryptopolitical issues. We simply seek to test when end-end web crypto has
been hindered (as those with other positions opt to trade these features off
for IDP enforced user profile privacy protection, or SP-based anti-phishing
methods that censor malware sites).

I used to call this UCI (the world in which users need no intermediation to
speak globally). This was because identity commons folks used to be proud to
promote UCI (not that anything ever emerged, globally). Since UCI is a
failed rallying point, perhaps, it's better to focus on the core issue that
hinders webid as being the need to preserve the "end-end signalling" - using
a better moniker. This is the ability to speak globally with (probably
crappy) crypto just as folks can do with self-signed certs, WITHOUT

-----Original Message-----
From: []
On Behalf Of Henry Story
Sent: Thursday, March 10, 2011 12:55 AM
Cc: WebID XG
Subject: Re: Web Tracking and User Privacy: The Next Steps.

If anyone here is going there or has time to put together something on
identity in the browser and tracking that could be also useful for
"ISSUE-14: WebID and Browsers"

I think if browsers were to be in charge of identity - clearly displaying it
to the user and allowing him to change it - from anonymous to WebID
authenticated and back - then one could determine the exact amount of
identification one was willing to accept per tab, or even per page. In
anonymous mode the browser would send no cookie information at all, ... all
the way up to WebID authentication.

One could also make the point that without distributed authentication, large
portal sites can make one single cookie go very very far, grow in commercial
value, and so get huge injections of cash, making the emergence of sites
tracking 1/16 of the planet an inevitability. Without distributed identity
you get exactly what user privacy advocates fear the most.


On 10 Mar 2011, at 04:03, Jeff Sayre wrote:

> Something to keep in mind as we work on WebID:

Social Web Architect

Received on Thursday, 10 March 2011 17:47:10 UTC