(after this email, I suggest we move off the OpenID list to discuss this)

More below:

On Jun 8, 2010, at 6:05 PM, Story Henry wrote:

[...]

> Perhaps you mean that you could create a WebID and assert you are me, by 
> using my public key? But that would never work, because you don't have the 
> corresponding private key.

I shall assert that I am you, and make myself a private/public keypair, create 
a corresponding FOAF file and upload it to the server I control.

Who's to say that I am not you, cryptographically speaking anyway?

> 
> I just added that as a FAQ
> http://esw.w3.org/Foaf%2Bssl/FAQ#Could_I_not_simply_copy_your_foaf_profile_onto_my_server_and_pretend_I_am_you.3F
> 
> 
>> Which is to say, why bother with all the crypto if a user can self-assert 
>> his or her WebID and FOAF file anyway? 
> 
> Without the crypto you would not have authentication.

True, in some sense, just not a relevant one. You are certainly, with SSL 
client certs, authenticating that the owner of the associated private key is 
the same entity presenting the cert signed with that key.  And that this same 
entity created the cert with the WebID attribute in it. 

That's like me saying "my name is Henry" and a server saying "that guy says his 
name is Henry, he signed that his name is Henry, and I verified that he signed 
the name Henry". 

> You would just have a web page describing a person. The crypto allows the 
> server to tie a description of a person to 
> agent at the other end of the https connection.
> 
>> OpenID relies on an OpenID provider "vouching" that a particular URI is 
>> "owned" by some user for whom the OpenID provider has an account.
> 
> We do the same, but we bypass the need for the Identity Provider. 
> 
> (Perhaps this is the sticking point, as people have developed businesses 
> around that? I think there are many more businesses that can be built in this 
> area.)

Well, perhaps, and I would also note that I actually like self-assertion. I 
don't have a problem with it for lots of use-cases. I don't think it's a 
problem that people can lie either. 

But the reason people want identity providers, I think, and the potential 
(note: potential) value they bring is the ability to make an assertion backed 
up by something close to facts - i.e. a verification or "real" authentication 
process. 

One interesting assertion is "this requester I'm sending over to you was 
authenticated by me to have a user account at my site, and supplied a password 
at 10am this morning". If I trust the sender of that assertion enough, I might 
use that assertion as the basis to authenticate that requester at my site too.

Same goes for wielders of URLs - "I assert that the requester I'm sending to 
you indeed has a user account linked to the URL that requester supplied". 

Another assertion is "I signed this guy's certificate because he gave me a 
boatload of paperwork about his company (...and some money!)"

> 
>> You could also run your own OpenID provider and self-assert that way. And 
>> the question is whether that is a particularly interesting thing to do in a 
>> Web context (as we self-assert all the time without any special protocols 
>> needed and it works fine for many things without new techniques, systems or 
>> other technology). 
> 
> Yes, it is not that different from usual e-mail authentication login, which 
> is what powers most of the web currently. Except that here 
> 
> 1. You don't have to create an account on every server
> 2. You don't have to give your email out
> 3. You can do it in one click
> 4. You get linked data with it
> 5. You can bring your social network along with you
> 6. No need for limited Attribute Exchange
> 
> And I think that's just the beginning. But I should be careful, or Dick Hardt 
> will say I am overselling myself. The above is proven to work.

I'm not saying it doesn't. But what is the difference between your solution and 
a semi-automated form-filling application without any crypto magic?
 
> 
> And the social aspect is exactly how Facebook and LinkedIn increase the 
> quality of the data: it is crowd sourcing of attribute validation. Your 
> friends are the people who vouch for you.

Yes, this is the interesting part of your work, but it still seems entirely 
unrelated to SSL.

Cheers,

- johnk

> No need for big co, or big governments. (Though they too have a role to play)
> 
>> 
>> Regards,
>> 
>> - johnk
>> 
>>> it may be worth going over to the foaf-protocols mailing list
>>> 
>>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>>> 
>>> Henry
>>> 
>>> 

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
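The two impersonation attempts argued over above (copying Henry's FOAF profile onto another server, and minting a fresh keypair while claiming Henry's WebID), worked through as an added example. This is not code from the thread or from the FOAF+SSL project: it models the server-side check with textbook RSA on fixed Mersenne primes (a toy, no padding) and an in-memory dictionary standing in for dereferencing the WebID URI over HTTP; the URIs henry.example / mallory.example and all function names are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy RSA on fixed Mersenne primes (all prime; constructed for this example).
# Textbook RSA with no padding: enough to show key possession, nothing more.
M31, M61, M89, M107 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


@dataclass(frozen=True)
class ClientCert:
    """What the client presents in the TLS handshake: a self-signed cert
    carrying its WebID in subjectAltName and its RSA public key."""
    webid: str
    n: int
    e: int


# Stand-in for the web: WebID URI -> set of (n, e) public keys that the FOAF
# profile at that URI lists. Only whoever controls the host can write here.
PROFILES = {}


def publish(webid, *pubkeys):
    """Publish (or overwrite) the profile at `webid` with these public keys."""
    PROFILES[webid] = set(pubkeys)


def _digest(nonce, n):
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


def sign_nonce(private_key, nonce):
    """Client side: what the TLS handshake signature proves, in miniature."""
    n, d = private_key
    return pow(_digest(nonce, n), d, n)


def verify_webid(cert, nonce, signature):
    """Server side. Returns the authenticated WebID, or None.

    Step 1 is what plain SSL client-cert auth already gives you: the peer holds
    the private key for the cert it sent. Step 2 is the WebID-specific part:
    dereference the URI in the cert and check that the profile found there
    lists the very same public key. Nobody vouches for anything beyond that."""
    if pow(signature, cert.e, cert.n) != _digest(nonce, cert.n):
        return None
    if (cert.n, cert.e) not in PROFILES.get(cert.webid, set()):
        return None
    return cert.webid


HENRY = "https://henry.example/foaf.rdf#me"      # constructed
MALLORY = "https://mallory.example/foaf.rdf#me"  # constructed


def demo():
    """Run the four cases from the discussion; returns {case: result}."""
    henry_pub, henry_priv = make_keypair(M31, M61)
    mallory_pub, mallory_priv = make_keypair(M89, M107)
    publish(HENRY, henry_pub)           # Henry's profile on Henry's host
    nonce = secrets.token_bytes(32)     # server's handshake challenge
    out = {}

    # Henry with his own cert and key: accepted as HENRY.
    out["henry"] = verify_webid(ClientCert(HENRY, *henry_pub), nonce,
                                sign_nonce(henry_priv, nonce))

    # Mallory copies Henry's profile (and so Henry's public key) verbatim onto
    # her own host and presents a cert naming that copy with Henry's key. The
    # profile check passes, but she cannot sign the handshake without Henry's
    # private key; and even if she could, the result would be MALLORY, not HENRY.
    publish(MALLORY, henry_pub)
    out["copied_profile"] = verify_webid(ClientCert(MALLORY, *henry_pub), nonce,
                                         sign_nonce(mallory_priv, nonce))

    # Mallory mints her own keypair and puts Henry's URI in her cert: she signs
    # fine, but the profile at henry.example does not list her key.
    out["claimed_uri"] = verify_webid(ClientCert(HENRY, *mallory_pub), nonce,
                                      sign_nonce(mallory_priv, nonce))

    # Mallory with her own URI, key and profile: accepted, but only as MALLORY.
    # This is the self-assertion the thread is about: the server learns that the
    # peer controls that URI's host and that key, not who is behind it.
    publish(MALLORY, mallory_pub)
    out["mallory"] = verify_webid(ClientCert(MALLORY, *mallory_pub), nonce,
                                  sign_nonce(mallory_priv, nonce))
    return out


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:15s} -> {who}")
```

In the real protocol the dictionary lookup is an HTTP GET of the WebID URI and a comparison of the cert's key against the RSA modulus and exponent published in the RDF that comes back, and the handshake signature is produced by the TLS stack rather than by hand. Step 2 is the only thing WebID adds to ordinary client-cert authentication, and what it binds the key to is a URI on a host the peer controls, not a person.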