RE: WebID TLS from Peter Williams on 2011-11-09 (public-xg-webid@w3.org from November 2011)

From: Peter Williams <home_pw@msn.com>
Date: Wed, 9 Nov 2011 10:56:37 -0800
To: <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <SNT143-W580FB2EEC28114C8A283EB92DF0@phx.gbl>
Stop drivelling about shadows. Its inappropriate. My general measure is that if Peter cannot do it, neither can the rest of the bottom half of the class (who also fail their exams, or have given up even trying). But, I do keep trying. Such is life, when you are born inherently stupid. All you can do is try harder, and improve oneself. My claim to fame is that I dont give up in strong crypto (which reminds me of Henry, who just will not give up on the ideals of the semantic web). Only once I can program it (as the worlds worst programmer), or use it (as the world worst user), or argue it (as the worlds worst communicator), is is ready for prime time. Its quite an effective measure, Ive found - for crypto-related topics. It has to be real, dumb and stupid, if its to be useful to and used by the masses. And, it has to be proud of being dumb - which probably means that folks like yourselves will want to have nothing to do with it. It has to fit general society, including users like me. It has to have made political tradeoffs, too. It may even faciliate such as spying (but just a little less than the previous web praxis did, which is a win for me).  Openid took (me) 5+ years to get the point where *I* could bring it a community of ordinary folks as something "commodity". That it was used meantime in 15 developer-led site - that probably no longer exist or work properly anymore - is irrelevant to me. Now, we will see if its main claim to fame (its convenient to borrow your Google or Yahoo login to access a website account) really counts for anything. We have already had to drop support for certain IDPs, including wordpress web2.0 IDPs, as their site's user experience is too tied to the "correct" way of using openid. It means its almost unusable (or, more honestly, we cannot afford the $15 phone call it takes to explain wordpress openid behaviour and thereby re-educate the comrade/brother/sister). NOw, the amount of running code I have implementing the openid spec is zero. Huh? WEll, that explains why I get an F in class! Strangely, the breakthrough was the use of a gateway  - a model not mentioned in the spec - that insulated our adopting site FROM the various agendas associated with openid.  It turned out that it was the biases and the agendas that were the problem all along, not the bit formats. If that (agenda insulating) gateway were to accept webid (it already accepts https client certs, note), Id be accepting webid today. It doesn't, though. Now, some of the openid provider that are being gatewayed to us COULD be accepting client certs with webids within - verifying them as condition of releasing the openid assertion. But, I cannot find any who do. Zero. Thus, I COULD be working with such a chain of assertions, in which users have webids (and client certs), were openid provider to verify them. Should that happen, Microsoft could be gatewaying the openid assertion to me, and I could be consume the information in the claims (sourced to the foaf card).  THOUGHT - if someone can make the openid4me site accept webids, and said openID provider actually works with Microsoft's gateway (ACS), I dont mind hooking things up, for an experiment. Sorry for the report card.  That it works in 15 research sites is about as interesting to me as there are 15 distribution of Linux, including one in Bulgarian. If you are Bulgarian open source user, you probably think differently to me. I want you to succeed, in using the URI field in a cert. I really do. Its one of the proudest things of my prpofessional life, that I got ISO to put it in there. It went in before folks understood the power of the URI. Now that they do, I suspect we are discovering just why it fails to get used in the websso space, why the URI name form is not implemented in the commodity APIs for certs, and why when profiled by initiatives like this, there is so little uptake. Its quite a threat - to the social order. And, that makes folks nervous. it will require a very special chair to handle such nervousness in the intended constitutuency, and things do not bode well in that particular regard.   > From: henry.story@bblfish.net
> Date: Tue, 8 Nov 2011 10:59:17 +0100
> CC: public-xg-webid@w3.org
> To: home_pw@msn.com
> Subject: Re: WebID TLS
> 
> Peter, 
> 
>  consensus is formed with people who participate with running code. As they say at the IETF: "Rough consensus and running code". I never saw running code from you nor a webid, nor even text to improve the spec. You attended perhaps two meetings at most.  
> 
> As far as WebId maturity goes, we have over 15 implementations in most languages, and more are coming up. We never had problem getting people with hardly any experience in either TLS or semantic web getting going in this.
> 
> But ever since you came onto the foaf-protocols mailing list, stepping out of the openid list where most people ignored you, and you strutted your paranoid "knowledge", taking on airs of someone who has been around the field since the beginning, but who by your own avowals on this list never accomplished anything - not even the phd you started - you have slowed us down in constant off topic discussions. So of course it is natural for one who does not wish to accomplish anything to blame society, secret circles, and other fantomatic agencies for their own failures. 
> 
>  Please step out of the shadow lands you are inhabiting, by  participating constructively with working code or services or be gone.
> 
>   Henry
> 
> On 7 Nov 2011, at 21:41, Peter Williams wrote:
> 
> > You note Henry's question.
> > 
> > It reads to me: I'll admit logically what Peter and melvin (and others) assert, but I want the group to agree that nothing can be done to advance it. What should be advanced is that which would have been advanced anyways should we have not logically extended the definition.
> > 
> > Net result: pointless decision and lack of trust in the method of formulating consensus on direction and end goal. It's pointless arguing and debating policy, that is.
> > 
> > Folks don't seem to understand that a consensus decision is measured as much by its tone as its results. Otherwise, it's just yet another pressure group, grinding some ax (some web doctrinal approach, or other).
> > 
> > There is nothing wrong with research projects grinding axes. But, that is the class they are assigned - which means one waits for maturity before  considering any adoption (beyond some throwaway demo sites).
> > 
> > On Nov 7, 2011, at 1:52 AM, "Melvin Carvalho" <melvincarvalho@gmail.com> wrote:
> > 
> >> On 6 November 2011 02:29, Peter Williams <home_pw@msn.com> wrote:
> >>> 
> >>> Since webid was unable to pursuade anyone (at all?) to adopt https client
> >>> certs for use on the general internet, I guess the group nhas decided that
> >>> its appropirate to ensure webid is security protocol agnostic.  I heartily
> >>> agree. It will help the "portrayal" of W3C to show the webid is not tied to
> >>> any one security protocol (e.g. a transport layer or IPsec layer protocol).
> >>> That is, its not just another religiously-motivated group wanting its own
> >>> security token forma (for no particular reason other than it uses some or
> >>> other preferred presentation syntax/format).
> >>> 
> >>> Ive long argued that when my IDP using a signed SAML2 assertion delivers the
> >>> webid in a web services call, the properties of said "proof" version of
> >>> SAML2 are really not that different to a cert delivering the webid. The cert
> >>> is a signed object, and is carried by a security protocol between browser
> >>> and site. Said protocol ensures the cert is delivered to the intended
> >>> recipient (when TLS handshake tunneling is used).  Similarly, in the web
> >>> services world, the SAML2 token is a signal from browser-hosted script to
> >>> the site, similarly. The SAML2 handshakes accomplish what jhttps
> >>> accomplishes : deliverrs an identitificatio blob to the intended recipient.
> >>> Obviousl, this web services version of SAML2 (available worldwide in
> >>> windows, now) varies from the more traditional websso version of SAML2, in
> >>> which the browser is involved - being a mere conduit in the passing of a
> >>> signed token from one site, to another. Obvbiously, its pretty trivial to
> >>> move off of SAML2 blobs for web services and use signed JSON blobs, swapping
> >>> bit formats (yet again).
> >> 
> >> Peter, IMHO, this was always the case.  One reason this is a good
> >> opportunity to clear up possible confusion.
> >> 
> >>> 
> >>> 
> >>> 
> >>> 
> >>> ________________________________
> >>> From: henry.story@bblfish.net
> >>> Date: Sun, 6 Nov 2011 01:37:41 +0100
> >>> CC: public-xg-webid@w3.org
> >>> To: scorlosquet@gmail.com
> >>> Subject: Re: WebID TLS
> >>> 
> >>> 
> >>> On 5 Nov 2011, at 23:57, Stéphane Corlosquet wrote:
> >>> 
> >>> Hi Henry,
> >>> 
> >>> On Sat, Nov 5, 2011 at 6:42 PM, Henry Story <henry.story@bblfish.net> wrote:
> >>> 
> >>> Can we agree to specialise on WebID over TLS for the rest of this Incubator
> >>> Group, and leave all the other possible protocol implementations for later,
> >>> say like for when the Cryptography Working Group has finished its API?
> >>> 
> >>> I thought that was already the case. Can you clarify and give some examples
> >>> of what would *not* be included then?
> >>> 
> >>> There was a bit of confusion in a few e-mail exchanges recently on the list,
> >>> so I just wanted to make sure we are in agreement. We can have this document
> >>> be WebID over TLS leaving open for later WebId over BrowserId type JSON
> >>> certificate for example.
> >>> We still have quite a bit of work to do to finish the current spec. It will
> >>> be quite an achievement to finish it. I'll put more energy back into the
> >>> spec now. ( I was of in Saint Etienne this week, and was taken up into a lot
> >>> of meetings at the university there - which also had very bad
> >>> connectivity).
> >>> Btw, don't forget we have our weekly meetings now in Skype, so we can do a
> >>> bit of video conferencing and even some screen sharing. Every month we then
> >>> will have a more formal meeting.
> >>> Henry
> >>> 
> >>> Steph.
> >>> 
> >>> 
> >>> We need to focus on getting something done so at the end we have some real
> >>> things to show.
> >>> 
> >>> Henry
> >>> 
> >>> 
> >>> Social Web Architect
> >>> http://bblfish.net/
> >>> 
> >>> 
> >>> 
> >>> 
> >>> Social Web Architect
> >>> http://bblfish.net/
> >>> 
> >> 
> 
> Social Web Architect
> http://bblfish.net/
> 
>
Received on Wednesday, 9 November 2011 18:57:20 UTC