- From: peter williams <home_pw@msn.com>
- Date: Thu, 10 Mar 2011 09:45:22 -0800
- CC: "'WebID XG'" <public-xg-webid@w3.org>
This is related to the slow down and organize desire. There are a million security issues to be fought. We have to decide on one or two, that are webby - and characterize the essential position of the W3C community. Nothing about webid is going to right all the wrongs of the world. It can make things 1% better than today, though. If we get to take 1%, we will have to give 1% in some other area of dispute.

What the last week taught me is that the very semantics of https are under threat - specifically since the viability of such as a webid protocol can be seen to struggle at a technical level...in a world with mainstream https proxies. This example can be a generalizable "position," in the identity space.

There are those who believe the planet of 6 billion is much better off only when intermediaries connect end parties (browser users and websites with content). In the identity space, we see online IDPs being required in order for users to effectively speak globally; and we see dumbed down webservices needing SPs to process the security tokens originated by anyone. For example, a simple SWT-capable RESTful webservice only accepts HMAC-signed tokens, translated from user credentials, using symmetric keys controlled by the SP. Commodity users cannot signal directly.

While simple, such IDP and SP "mediation" practices introduce dependency and control. While simple, such practices on the IDP side intermediate users. To be fair, users and webservices do benefit, because IDPs can express and enforce privacy policies on the user's behalf, governing the websites and token translation services.

To me, this is the debate question, and thus the design axis (thereby recognizing the threats to the design goal rather than pretending they don't exist). We don't get involved in tracking or any one of the million other cryptopolitical issues.
We simply seek to test when end-end web crypto has been hindered (as those with other positions opt to trade these features off for IDP enforced user profile privacy protection, or SP-based anti-phishing methods that censor malware sites).

I used to call this UCI (the world in which users need no intermediation to speak globally). This was because identity commons folks used to be proud to promote UCI (not that anything ever emerged, globally). Since UCI is a failed rallying point, perhaps, it's better to focus on the core issue that hinders webid as being the need to preserve the "end-end signalling" - using a better moniker. This is the ability to speak globally with (probably crappy) crypto just as folks can do with self-signed certs, WITHOUT mediators.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story
Sent: Thursday, March 10, 2011 12:55 AM
To: jeff@sayremedia.com
Cc: WebID XG
Subject: Re: Web Tracking and User Privacy: The Next Steps.

If anyone here is going there or has time to put together something on identity in the browser and tracking that could be also useful for "ISSUE-14: WebID and Browsers" http://www.w3.org/2005/Incubator/webid/track/issues/14

I think if browsers were to be in charge of identity - clearly displaying it to the user and allowing him to change it - from anonymous to WebID authenticated and back - then one could determine the exact amount of identification one was willing to accept per tab, or even per page. In anonymous mode the browser would send no cookie information at all, ... all the way up to WebID authentication.

One could also make the point that without distributed authentication, large portal sites can make one single cookie go very very far, grow in commercial value, and so get huge injections of cash, making the emergence of sites tracking 1/16 of the planet an inevitability.
Without distributed identity you get exactly what user privacy advocates fear the most.

Henry

On 10 Mar 2011, at 04:03, Jeff Sayre wrote:

> Something to keep in mind as we work on WebID:
>
> http://www.w3.org/QA/2011/03/web_tracking_and_user_privacy.html
>

Social Web Architect
http://bblfish.net/
Received on Thursday, 10 March 2011 17:47:10 UTC