- From: Peter Ansell <ansell.peter@gmail.com>
- Date: Tue, 30 Mar 2010 09:52:11 +1000
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: paoladimaio10@googlemail.com, Danny Ayers <danny.ayers@gmail.com>, Semantic Web <semantic-web@w3.org>
On 30 March 2010 08:50, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 2010/3/30 Paola Di Maio <paola.dimaio@gmail.com>
>> Melvin
>>
>> you provide a nice list, but I have the impression most people find it
>> ..... not fun?
>>
>> I think you can achieve most of what you say below with less complexity
>> using more intuitive systems (say OpenID)
>
> Don't get me wrong, I'm a big fan of OpenID, but it was the complexity of
> OpenID that led me to FOAF+SSL. With OpenID you need a server that can
> provide and verify your identity. With FOAF+SSL you just need one click to
> make your browser into your own identity provider. FOAF also has the
> wonderful side-effect that once you've got the ID, you've got all the
> friends and other information there, for free.

The idea of the technology sounds interesting, as long as users can securely log in from anywhere in the world as they can now. Can't go back to the bad old days where logins were restricted to particular workstations.

Overall though, distributed identity isn't a killer application, as proven by OpenID, and distributed social networking may not be as necessary as one might think, per the enormous popularity of *the* widely used social network, Facebook (outranking Google in terms of web traffic), especially given the demise of Google Wave, which was intended to be a distributed social network but failed miserably. People like to keep different parts of their life separate, and may not appreciate that every website may be retrieving their identity without their knowledge. Privacy is non-existent if people don't have a chance to view, understand, and authorise privacy policies, and with FOAF, associates have no way of accepting the agreement themselves before their information is obtained by the server if it automatically decides to retrieve and store their personal information based on a link in a FOAF file.

For all its faults, Facebook is in a position to let users restrict where their personal information goes, whereas this authority won't be available in a distributed network.

There are still many questions overall though: Does FOAF+SSL require users to stick to a particular computer? Is it useful and safe for private use on public or company computers? My previous impression of relying on user certificates is that they were just relying on users' passwords on their personal computers to unlock their certificates to avoid using passwords on websites. How is it any more structurally safe to deploy your private key on a public or company computer in order to work with these services than to restrict logins to passwords that users do not have to deploy onto a computer other than to type it in? Would it require users to personally carry their private key around? What happens if they lose their private key? Locked out permanently? Will users need more than one private key if the technology is widely used? How does one retract permission for a private key if it is compromised? If companies require users to regularly rotate their private key as they do with passwords if FOAF+SSL becomes popular with companies, will this destroy the whole system?

For all of the complexity of OpenID, at least it allows users to choose how they are going to authenticate with their identity provider, and hence does not require them to know about all of the security issues around the use of a private key if the identity provider does not require them to know that. Are private keys going to be stored on a server somewhere to avoid the issue of having users manage their certificates, as they are never going to be widely trained in the protocols of how to do this anyway? If that is the case then why do we need to depart from OpenID as the currently known, if not highly used, method of distributed authentication?

How do users authenticate with the place that the certificate is stored when they want to retrieve it? Passwords? I.e., the insecure method that FOAF+SSL is trying to remove? Not sure if the answers to these questions are widely known, but I haven't been able to answer them conclusively looking through the few documents that relate to this very new technology.

Cheers,

Peter
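The FOAF+SSL mechanism the thread is arguing about (a browser client certificate whose subjectAltName carries a WebID URI, and a server that dereferences the FOAF profile at that URI and checks that the certificate's public key is listed there) as an added, runnable illustration; it is not code from this e-mail thread or from any FOAF+SSL implementation. The profile text, URIs and key values are constructed, `ClientCert` is a stand-in for the fields a server would read out of a parsed X.509 certificate, the profile "fetch" is a dictionary lookup instead of an HTTP GET, and the `cert:`/`rsa:` triples are picked out with a simplified regular expression rather than a real RDF parser. The `revoke` helper shows what the profile-side answer to the key-compromise question looks like in this model: since the profile, not a CA, vouches for the key, a key stops authenticating as soon as the profile owner removes it, while other keys listed for the same WebID keep working.

```python
import re
from dataclasses import dataclass


@dataclass
class ClientCert:
    """Constructed stand-in for what a server reads from a parsed X.509 client
    certificate after the TLS handshake: the subjectAltName URIs and the RSA
    public numbers. No issuer signature is checked in FOAF+SSL; the profile
    document at the WebID vouches for the key instead."""
    san_uris: list
    modulus: int
    exponent: int


# Constructed FOAF profile documents keyed by the WebID they describe.
# Statements are separated by blank lines so the simplified parser below can
# treat each statement on its own. Two keys are listed for Alice (e.g. a
# desktop and a laptop certificate).
PROFILES = {
    "https://example.org/alice#me": """\
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix rsa:  <http://www.w3.org/ns/auth/rsa#> .

<https://example.org/alice#me> a foaf:Person ;
    foaf:name "Alice" ;
    foaf:knows <https://example.org/bob#me> .

[] a rsa:RSAPublicKey ;
    cert:identity <https://example.org/alice#me> ;
    rsa:modulus "c0ffee1234abcd"^^cert:hex ;
    rsa:public_exponent "65537"^^cert:int .

[] a rsa:RSAPublicKey ;
    cert:identity <https://example.org/alice#me> ;
    rsa:modulus "0badf00d"^^cert:hex ;
    rsa:public_exponent "3"^^cert:int .
""",
}

# Simplified extraction of one RSA key statement (assumption: one key per
# statement, identity listed before modulus and exponent).
KEY_RE = re.compile(
    r'cert:identity\s+<(?P<id>[^>]+)>.*?'
    r'rsa:modulus\s+"(?P<mod>[0-9A-Fa-f\s]+)".*?'
    r'rsa:public_exponent\s+"(?P<exp>\d+)"',
    re.S,
)


def parse_key(statement):
    """Return (webid, modulus, exponent) for a key statement, else None."""
    m = KEY_RE.search(statement)
    if not m:
        return None
    modulus = int(m.group("mod").replace(" ", ""), 16)
    return m.group("id"), modulus, int(m.group("exp"))


def keys_for(profile_text, webid):
    """All (modulus, exponent) pairs the profile lists for the given WebID."""
    keys = set()
    for stmt in profile_text.split("\n\n"):
        k = parse_key(stmt)
        if k and k[0] == webid:
            keys.add((k[1], k[2]))
    return keys


def revoke(profile_text, webid, modulus):
    """Profile owner's revocation: drop the statement listing that key."""
    kept = []
    for stmt in profile_text.split("\n\n"):
        k = parse_key(stmt)
        if k and k[0] == webid and k[1] == modulus:
            continue
        kept.append(stmt)
    return "\n\n".join(kept)


def authenticate(cert, fetch=PROFILES.get):
    """Return the WebID the certificate proves, or None.

    Step 1: candidate WebIDs are the certificate's subjectAltName URIs.
    Step 2: dereference each one (here: a dict lookup standing in for HTTP).
    Step 3: accept only if the certificate's public key is listed in the
            profile for that WebID. Possession of the matching private key was
            already proven by the TLS handshake, which is outside this model."""
    for webid in cert.san_uris:
        profile = fetch(webid)
        if profile is None:
            continue  # unreachable or missing profile: nothing vouches for the key
        if (cert.modulus, cert.exponent) in keys_for(profile, webid):
            return webid
    return None


if __name__ == "__main__":
    alice = "https://example.org/alice#me"
    desktop = ClientCert([alice], 0xC0FFEE1234ABCD, 65537)
    laptop = ClientCert([alice], 0x0BADF00D, 3)
    print("desktop:", authenticate(desktop))  # alice's WebID
    print("laptop:", authenticate(laptop))    # alice's WebID
    after = {alice: revoke(PROFILES[alice], alice, 0xC0FFEE1234ABCD)}
    print("desktop after revocation:", authenticate(desktop, after.get))  # None
    print("laptop after revocation:", authenticate(laptop, after.get))    # still alice
```

A certificate that claims Alice's WebID but carries a key not in her profile fails at step 3, and a certificate naming a WebID with no reachable profile fails at step 2; in both cases the server never had to trust the certificate's issuer, which is the property the thread contrasts with an OpenID provider.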
Received on Monday, 29 March 2010 23:52:39 UTC