Re: [foaf-protocols] Standardising the foaf+ssl protocol to launch the Social Web

On 10 Jul 2010, at 18:34, Harry Halpin wrote:

>> Great discussion folks!
>> 
>> I think this thread should give the w3 folks we are CCing here a good idea
>> of the passion, quality of work, depth of discussion and breadth of the foaf+ssl
>> community, which includes hackers from every programming language, researchers
>> from every continent, security as well as linked data specialists, and more.
>> 
>> Perhaps we should leave them a bit of time to digest the details of this thread,
>> so they can then let us know how we should proceed.
>> 
> 
> Digesting. Overall, great to follow, +1 to Bruno's points re security.

You mean the one where he suggests that the WebId protocol is not more secure
than OpenId? Why do you think this is true? I think it is clearly wrong, in
fact obviously wrong for a number of reasons of which the simplest is
just the relative complexity of the two protocols.

Just consider the OpenId Sequence diagram.

 http://blogs.sun.com/bblfish/entry/the_openid_sequence_diagram

And compare it with the one on the foaf+ssl wiki

 http://esw.w3.org/foaf+ssl

Every extra connection, every increase in protocol complexity, is an extra
place that something can go wrong.

> Note that the last e-mail was sent with my "Social Web chair/Uni. of
> Edinburgh" hat on, not my W3C hat on.

Is this still ok then?

http://esw.w3.org/Foaf%2Bssl/WebIdWorkingGroup



> With a more W3C hat on....
> I think my last e-mail was not concrete enough about the role of the W3C
> and how Working Groups form. The Social Web final report will try to put
> forward some overview of the landscape and possible role for the W3C, but
> it will *not* be definitive, it will be a suggested roadmap to the W3C. 
> The decision for actual standardization rests with the W3C management
> and membership.

Indeed.

> 
> The usual process, which I would assume would happen and be recommended by
> the W3C final report, could involve a workshop that looked at what worked
> and what failed on work in digital identity.

That is going to be a huge task.
Perhaps a quick shortcut: they don't comply with Web Architecture. I think following this hint you will see why there is the need for a protocol that does.

> The discussion around this
> would happen after the Social Web XG's final report I think, i.e. it would
> be drafted in August/Sept. As there is a large number of identity specs
> out there, the workshop could identify their overall space and
> maturity.  However, it's important that all communities involved in
> the identity space can be involved,

That seems odd to me. I don't see protocols or specs working that way. 
You don't get everyone to work together - most people have no time, and are concentrating on their own problems. You essentially get a group of explorers
who go out and explore something that is clearly missing. Then they come back and report: failure, success, gold out there, aliens,.... whatever. We have already
done the exploring. 

Think of the foaf+ssl group as really a W3C XG. We were just even more
informal than an XG. But we are reporting back: "there be gold out there
and lots of riches".

> and their specs and backing also be understood.

What needs to be understood is very simple: which of them fit web architecture.

> My earlier recommendations (the wikipage on member supporters
> and clarifying the concept's relationship with other identity work) would
> be essential to allow the W3C management and membership to get a grip on
> FOAF+SSL, and every other proposal as well.

It is very easy to get a grip on foaf+ssl. Tim Berners-Lee understood it in
less than 5 minutes. Most people do. The issue is usually with security people
who find they need to rethink their problem space :-) But they usually also come
around. Ian Jacobi gave a talk to the W3C security group a year ago:

http://dig.csail.mit.edu/2009/02/19-foafssl-proj-rev/

They were very happy with it, after mentioning that we did of course need
to have https on the WebID too.

> 
> Whether or not that workshop or the Social Web final report leads to a
> workshop that then leads to standardization would be too hard to say at
> this point, but there ideally would be a clear emerging consensus and
> desire to do so by the various identity communities and vendors. However,
> there is no guarantee for future standardization in this space from the
> W3C - for example, a competing W3C effort that did not work with other
> communities would only fracture the space further

Yes, so the issue is to see what working together with other groups means.
Is it an ftp/http thing? How does it work? I suggest looking at the foaf:openid
relation. It shows how easy this is.

> which the W3C wouldn't want to do. The W3C works best to help build consensus,
> and this would work with the identity space as well as any other.

That is again overly generalising. The W3C does not create consensus full stop.
There are other groups such as OASIS that continue to do their work, and the W3C does not necessarily need to go to the OASIS group each time it develops a new standard. Neither does it go to the Open Web Initiative, nor do they come to the W3C.

Now there is an interest in the space of the Social Web to help all these groups interoperate. And the Semantic Web is a very good tool to do that. For those reasons one should indeed build a coalition of interests. I am all for that.

> 
> Let's aim high and get the work done. To put the Social Web XG hat back
> on, I think that the main task now is to build a clear draft overview of
> the identity space for the W3C, i.e. the "overview" and "gap analysis" of
> the final report.

Will be helping out with that. I am waiting to have some of the pieces in place.

Henry

Received on Sunday, 11 July 2010 21:48:00 UTC