Re: call to arms

From: Peter Ansell <ansell.peter@gmail.com>
Date: Tue, 30 Mar 2010 09:52:11 +1000
Message-ID: <a1be7e0e1003291652q3313caf7sb49bfaa169873bd0@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: paoladimaio10@googlemail.com, Danny Ayers <danny.ayers@gmail.com>, Semantic Web <semantic-web@w3.org>

On 30 March 2010 08:50, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 2010/3/30 Paola Di Maio <paola.dimaio@gmail.com>
>> Melvin
>>
>> you provide a nice list, but I have the impression most people find it
>> ..... not fun?
>>
>> I think you can achieve most of what you say below with less complexity
>> using more intuitive systems (say open ID)
>
> Don't get me wrong, I'm a big fan of OpenID, but it was the complexity of
> OpenID that led me to FOAF+SSL.  With OpenID you need a server that can
> provide and verify your identity.  With FOAF+SSL you just need one click to
> make your browser into your own identity provider.  FOAF also has the
> wonderful side-effect that once you've got the ID, you've got all the
> friends and other information there, for free.

The idea of the technology sounds interesting, as long as users can
securely login from anywhere in the world as they can now. Can't go
back to the bad old days where logins were restricted to particular
workstations.

Overall though, distributed identity isn't a killer application, as
proven by OpenID, and distributed social networking may not be as
necessary as one might think, per the enormous popularity of *the*
widely used social network, Facebook (outranking Google in terms of
web traffic), especially given the demise of Google Wave, which was
intended to be a distributed social network but failed miserably.
People like to keep different parts of their life separate, and may
not appreciate that every website may be retrieving their identity
without their knowledge. Privacy is non-existent if people don't have
a chance to view, understand, and authorise privacy policies, and with
FOAF, associates have no way of accepting the agreement themselves
before their information is obtained by the server if it automatically
decides to retrieve and store their personal information based on a
link in a FOAF file. For all its faults, Facebook is in a position to
let users restrict where their personal information goes, where this
authority won't be available in a distributed network.

There are still many questions overall though:

Does FOAF+SSL require users to stick to a particular computer? Is it
useful and safe for private use on public or company computers?

My previous impression of relying on user certificates is that they
were just relying on users' passwords on their personal computers to
unlock their certificates to avoid using passwords on websites.

How is it any more structurally safe to deploy your private key on a
public or company computer in order to work with these services than
to restrict logins to passwords that users do not have to deploy onto
a computer other than to type it in?

Would it require users to personally carry their private key around?
What happens if they lose their private key? Locked out permanently?
Will users need more than one private key if the technology is widely
used? How does one retract permission for a private key if it is
compromised? If companies require users to regularly rotate their
private key as they do with passwords if FOAF+SSL becomes popular with
companies, will this destroy the whole system?

For all of the complexity of OpenID at least it allows users to choose
how they are going to authenticate with their identity provider, and
hence does not require them to know about all of the security issues
around the use of a private key if the identity provider does not
require them to know that.

Are private keys going to be stored on a server somewhere to avoid
the issue of having users manage their certificates, as they are never
going to be widely trained in the protocols of how to do this anyway?
If that is the case then why do we need to depart from OpenID as the
currently known, if not highly used, method of distributed
authentication? How do users authenticate with the place that the
certificate is stored when they want to retrieve it? Passwords? I.e.,
the insecure method that FOAF+SSL is trying to remove?

Not sure if the answers to these questions are widely known, but I
haven't been able to answer them conclusively looking through the few
documents that relate to this very new technology.

Cheers,

Peter
Received on Monday, 29 March 2010 23:52:39 UTC