- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 19 Oct 2011 00:42:13 +0200
- To: "Harry Halpin" <hhalpin@w3.org>
- Cc: public-identity@w3.org, WebID Incubator Group WG <public-xg-webid@w3.org>
On 18 Oct 2011, at 23:50, Harry Halpin wrote: >> >> On 18 Oct 2011, at 21:58, Harry Halpin wrote: >> >>>> >>>> On 18 Oct 2011, at 21:05, Harry Halpin wrote: >>>> >>>>>> sounds good, but why no mention of WebID? >>>>>> >>>>>> Henry >>>>> >>>>> At the workshop, it seemed people wanted to focus on API based work >>>>> first >>>>> such as the Crypto API, and certificates were discussed but thought of >>>>> as >>>>> out-of-scope for this future working group, although the W3C would be >>>>> happy to see future work around certificates (everyone agrees current >>>>> situation is a mess). The one idea that came up was a possible future >>>>> workshop focused more narrowly on certificates. >>>> >>>> The WebID working group is not a working group about certificates. It >>>> is >>>> about tying >>>> TLS/SSL to identity to the web using simple web architecture. The most >>>> active list of all >>>> the groups you have created recently is the WebId XG list. Few of us >>>> were >>>> present in >>>> California during your discussion. So perhaps you could take that into >>>> account, and allow >>>> us to have a discussion of how webid can tie into these other >>>> protocols. >>>> We did not >>>> look at that in the WebID XG simply in order to make sure we could >>>> deliver >>>> something. >>>> >>> >>> Currently the WebID work does depend critically on certificates, which >>> is >>> why I brought that option of another workshop up (as there's no >>> non-certificate purely API-based option in your draft spec). >> >> It does not depend critically on certificates Harry. Not any more than >> BrowserID does in any case. All that browserid is doing is creating JSON >> based certificates. As I argue int this comparison between BrowserId and >> WebID on stack exchange >> >> http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid >> >> there is not that much difference between those two protocols. If browser >> id decides to create a new JSON format certificate then that's ok with us. >> The only issue is that no browser implements that by default, which is why >> we did not look at that. If browser vendors are interested in developing >> other certificate formats, then that is also ok. But I don't see that this >> is a reason to exclude WebID, since we are developing experience in >> exactly that space. >> >> >>> We are of course following the WebID's work >> >> It does not seem that you are looking carefully enough Harry. >> > > While there is some abstract structural isomorphism between the > BrowserID's use of PKI for assertion signing and WebID's use of putting > URIs in certs (you may also want to add OpenID Connect's Basic Profile > into the list of the things your group should look at), you do critically > depend on TLS and existing cert specifications. We do because that is what works now with browsers, and because we are pragmatic, so we do what works first. But the isomorphism is very strong, as explained in the article cited above on stack exchange. It is just that BrowserId uses e-mail identifiers in order to locate the Issuer of the certificate. We could do the same using X509 without any problem. > At the workshop, there were a number of security/deployment concerns that > Brad Hill voiced and emailed to you. I'd make sure your group addresses > these: > > http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html Harry, what you are pointing to is my reply to Brad Hill's questions. I answered those in detail as you can see from the mail, but then never received any further replies. If you know of issues that I did not cover, or answers that were not satisfactory then please let us know. As it stands it could just as well be that Brad was convinced by those answers. I don't know. Do you? > >>> and look forward to your concrete suggestions that comes from any >>> discussion on the WebID list, >> >> Yes, we could participate here. >> >>> although I would request that WebID-specific discussions stay on the >>> WebID >>> list and then your group gives the W3C a single list of requested >>> changes >>> to the charter, as discussions on this list should ideally focus on >>> textual changes and scoping to the charter. >> >> Ok. I will ask that group. >> > > Also add any commitments you have from any vendors (ideally W3C members) > or large deployment sites that would use and are interested in this > authentication mechanism. Attach that a part of the group's response to > the charter would be appreciated. Will see what we can do there. :-) > >> Henry >> >>> >>> >>>> >>>> Henry >>>> >>>>> >>>>> cheers, >>>>> harry >>>>> >>>>>> >>>>>> On 18 Oct 2011, at 19:53, Harry Halpin wrote: >>>>>> >>>>>>> Everyone, >>>>>>> >>>>>>> While its still not fully baked, we'd like to open the discussion on >>>>>>> the >>>>>>> list over this draft charter for a "Web Identity" Working Group: >>>>>>> >>>>>>> http://www.w3.org/2011/08/webidentity-charter.html >>>>>>> >>>>>>> Everything is fair game - I'm not quite comfortable even with the >>>>>>> Working >>>>>>> Group name. Also, there are issues of how we should scope this, >>>>>>> whether >>>>>>> or >>>>>>> not we should split the work into two WGs (one for a Crypto API and >>>>>>> another for a higher-level identity API and hooks for >>>>>>> device/browser-aware >>>>>>> authentication) or stick it in one WG - and of course relations to >>>>>>> other >>>>>>> standards bodies. >>>>>>> >>>>>>> Also, if any of you are near Silicon Valley we can discuss this in >>>>>>> person >>>>>>> at the W3C Technical Plenary on Nov 1st. I'll send that email out in >>>>>>> one >>>>>>> sec.. >>>>>>> >>>>>>> And if anyone is at Internet Identity Workshop I'm here to discuss >>>>>>> the >>>>>>> charter. >>>>>>> >>>>>>> cheers, >>>>>>> harry >>>>>>> >>>>>>> >>>>>> >>>>>> Social Web Architect >>>>>> http://bblfish.net/ >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> Social Web Architect >>>> http://bblfish.net/ >>>> >>>> >>> >> >> Social Web Architect >> http://bblfish.net/ >> >> >> > Social Web Architect http://bblfish.net/
Received on Tuesday, 18 October 2011 22:42:46 UTC