IRC log of idbrowser on 2011-05-25

Timestamps are in UTC.

00:02:52 [jkmathes]
jkmathes has joined #IDBrowser
00:04:33 [wbaker]
wbaker has joined #idbrowser
00:06:17 [steve_schultze]
steve_schultze has joined #idbrowser
00:11:01 [scribe]
q+ dirk
00:11:22 [zolli]
zolli has joined #idbrowser
00:11:37 [yoiwa]
yoiwa has joined #idbrowser
00:11:44 [josephboyle]
josephboyle has joined #idbrowser
00:12:23 [mark]
mark has joined #idbrowser
00:13:52 [tlr]
tlr has joined #idbrowser
00:14:02 [tantek]
thanks scribe for fixing the perms
00:14:32 [tlr]
meeting: W3C workshop on Identity in the Browser
00:14:34 [tlr]
rrsagent, make minutes
00:14:34 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html tlr
00:16:03 [tantek]
yes, in my opinion we should introduce <input type="identity-url"> because it does incrementally improve a number of aspects of *existing* browser login / password functionality
00:16:06 [nico]
nico has joined #idbrowser
00:16:49 [tantek]
you could use <input type="identity-url"> by itself for URL-based login systems such as OpenID or RelMeAuth
00:16:52 [nico]
current discussion: labeling of form fields for credential capture (when the password manager learns creds) and credential presentation (when the pw mgr fills creds in)
00:17:33 [scribe]
q+ tlr
00:17:38 [scribe]
q+ john
00:17:42 [tantek]
and you could use it with <input type="password"> for traditional login (the browser could convert email addresses to mailto: URLs in an <input type="identity-url">
00:17:42 [scribe]
ack dirk
00:17:58 [scribe]
q+ paul
00:18:11 [scribe]
q+ a1
00:18:48 [nico]
"we dont want to assume the browser is in the TCB because it's susceptible to malware"
00:19:00 [tantek]
btw - I prefer <input type="identity-url"> over <input type="identity-uri"> because <input type="url"> already exists in HTML5 (i.e. that bikeshed fight has already been fought - so let's just re-use the existing pattern/decision)
00:19:01 [nico]
(who's the speaker?)
00:19:31 [tantek]
fine, then those sites that don't want to assume the browser can simply not use those <input> types
00:19:36 [scribe]
q+ adams
00:19:55 [nico]
"if you're relying on something that can be easily compromised, that causes more harm than good"
00:20:00 [nico]
(speaker?)
00:20:19 [hober]
<input type=identity-url> falls back to <input type=text> in browsers that don't support it, which is pretty much exactly what you want
00:20:19 [karen]
Dan Schutzer, FSTC/BITS
00:20:37 [tantek]
hober, exactly
00:20:40 [nico]
thanks
00:21:14 [nico]
<something about two factor auth> "to prevent fraud we need end-to-end security"
00:21:41 [scribe]
ack tlr
00:22:02 [nico]
that was Dominique (sp?)
00:22:13 [karen]
Speaker from Bank of America, Dominique Nguyen
00:22:33 [jimklo]
jimklo has joined #idbrowser
00:23:19 [nico]
response: "allowing the browser to get involved in credential presentation, letting the site tell us that we must not do that... we could generate really good passwords for the user, wouldn't that be better?"
00:23:43 [nico]
"you're telling your users to remember memorable passwords, [implication: that's bad]"
00:24:21 [scribe]
q+ tyler
00:24:22 [nico]
dan: "the concern is about the link in the chain"
00:25:03 [nico]
<missed stuff>
00:25:42 [nico]
"in the browser case they can tell they are using firefox..."
00:25:57 [nico]
dan: "but they can't tell if they're using bank of america"
00:26:27 [nico]
<comment about agency and application mismatch>
00:26:29 [scribe]
ack john
00:27:31 [nico]
john linn: "we're taking as a premise that the browser is central, so we have to trust it, so it has to be trustworthy, but it's not less vulnerable to attack"
00:28:17 [nico]
dominique: if you can improve the browser, that'd be the first step
00:28:58 [nico]
response: I do want to assume the browser is trusted, working hard to make it trustworthy, but it's a very valid point
00:29:37 [nico]
"it's the simplest possible answer. if I carry a keyfob, that adds value, but there's a large chunk of the market where we can't do that"
00:30:28 [nico]
<comments about designing for unintended consequences>
00:31:09 [scribe]
q+ a2
00:31:09 [nico]
<human brains are full, can't remember enough passwords, it'd be great if they wrote them down, but we told them not to>
00:31:46 [nico]
<comments about generating good passwords for the user>
00:32:17 [nico]
so, I'm not that good a scribe :(
00:32:56 [scribe]
ack paukl
00:32:59 [nico]
harry: if I'd told you that JavaScript would become so universal 10 years ago, you'd have said "impossible!"...
00:33:10 [scribe]
ack tyler
00:33:22 [nico]
harry: so we can do good things that seem impossible now
00:33:59 [dsinger_]
dsinger_ has joined #idbrowser
00:34:02 [nico]
<comment about how easy it seems to steal passwords from the firefox password manager if ff is compromised>
00:34:24 [nico]
<yes, but you're losing your secrets in other ways anyways>
00:34:37 [nico]
<yes, but this could lead to a pandemic>
00:35:02 [scribe]
q+ plh
00:35:04 [nico]
<fair comment, I'm asking whether the banks want us to store user passwords for bank accounts>
00:35:07 [scribe]
ack pal
00:35:10 [scribe]
ack a1
00:35:16 [nico]
sam: as a user I wish you would [let us]
00:35:48 [nico]
<... comments about viability risk>
00:36:54 [nico]
<there are other jurisdictions that don't work the way we're used to, so there are some legal ramifications to consider>
00:37:06 [dsinger_]
S/viability/liability/
00:37:35 [tantek]
um, why are non-lawyers arguing/discussing liability?
00:37:47 [nico]
<does the provider of the browser have liability for losses? one opinion is: it's free, so no, but another is that by providing something you have some responsibility. what the standard is is anybody's guess>
00:38:07 [nico]
tantek: because we have to to some degree?
00:38:09 [tantek]
appeal to meeting chairs: please rule this topic (liability) out of scope for this meeting
00:38:16 [scribe]
tantek, tom smedinghoff is definitely a lawyer :)
00:38:20 [tantek]
oh ok
00:38:23 [tantek]
then the rest of us
00:38:30 [PhilHunt]
q+
00:38:30 [nico]
<we may get class action lawsuits. dunno that it'd come out well for the browser vendors>
00:38:47 [tantek]
nico - we don't have sufficient expertise to have a meaningful discussion - hence request for out-of-scoping the topic
00:38:49 [nico]
<the PR impact of massive compromises would be awful>
00:38:50 [scribe]
ack plh
00:38:56 [scribe]
ack pal
00:38:58 [scribe]
ack paul
00:38:59 [scribe]
ack adams
00:39:33 [nico]
phillip: we don't have an internet security problem, we have a bank security problem (pointing to passwords printed on credit cards :)
00:40:03 [nico]
phillip: separate accounts for spending vs. money mgmt [I missed something]
00:40:32 [nico]
phillip: <missed stuff>
00:40:39 [maryhodder]
phillip said: login is different than the transaction PW
00:40:47 [scribe]
q+ dirk
00:40:53 [scribe]
q+ tom
00:40:55 [nico]
ok, so restated
00:40:58 [scribe]
q+ a3
00:41:14 [scribe]
ack a2
00:42:02 [nico]
brian: you mentioned intermediate steps... I think one might be to have fewer passwords, and reduce the number of servers that they must be shared with, also password verifiers, and this could be done without having to solve the federated problem
00:43:06 [nico]
<one immediate reaction is that there's a lot of points in the design space, well, if we say that too many passwords is the immediate problem, then there's some things we could do... e.g., consolidation on federated auth
00:43:22 [scribe]
ack PhilHunt
00:43:25 [nico]
<...>
00:43:52 [nico]
<a lot of emphasis on passwords; but that's a moving target; banks are moving to multi-factor>
00:44:44 [nico]
sam: I'll be talking tomorrow, but I think that the password manager could be the granddaddy for a good ID manager; let's not throw out something that's useful today that we could make into something great tomorrow>
00:45:04 [josephboyle]
http://www.w3.org/2011/05/25-idbrowser-minutes.html still showing diagnostics not content
00:45:17 [nico]
<comments about distinction between initial and derivative credentials> (did I understand correctly?)
00:45:22 [hallambaker]
hallambaker has joined #idbrowser
00:45:49 [nico]
<we work with Peter Watson and others up in Columbia on componentized stuff that is pretty attractive>
00:46:31 [scribe]
ack dirk
00:46:41 [nico]
<stuff we're not leveraging here in the user/browser/service interaction>
00:46:56 [nico]
<credentials nowadays are mostly compromised on the servers!>
00:47:02 [scribe]
q+ nico
00:47:03 [tantek]
finally! real-world examples of security problems instead of handwaving!
00:47:11 [tantek]
password compromises come from servers, not browsers
00:47:14 [tantek]
e.g. Gawker, Sony
00:47:17 [nico]
heh
00:47:30 [scribe]
ack tom
00:47:36 [nico]
<doesn't France require cleartext passwords be available on demand?
00:47:47 [PHB]
PHB has joined #idbrowser
00:48:10 [scribe]
I believe Tom crafted the legal work behind EV certs, so we have one actual lawyer in the audience.
00:48:43 [nico]
<there's a policy overlay here too; we as society say to the banks "you guys set this up, you're responsible for breaches", so when consumers' accounts are compromised, the users have minimal liability, so this has some impact...
00:49:01 [nico]
<when banks move to two factor auth, it's because they are forced to...>
00:49:41 [scribe]
ack a3
00:49:54 [nico]
<"snopes facts" -- do we have data on hackings?>
00:51:07 [nico]
<maybe we don't see cred theft because the bad guys can use them as it is anyways since they have the malware for it>
00:51:27 [nico]
<comment about more labeling of relative value of credentials>
00:51:41 [scribe]
q+ dan
00:52:03 [scribe]
ack nico
00:52:06 [nico]
<msft publishes some such data>
00:53:25 [scribe]
q+ bob
00:53:27 [scribe]
q+ a1
00:53:57 [nico]
I said that server issues are mostly out of scope here... and I asked if Craig had intended to distinguish between initial and non-initial credentials (think tickets)
00:54:10 [nico]
and I said that I like that distinction
00:54:36 [nico]
craig: <missed it>
00:55:38 [nico]
dan: at iiw there was a comment made by... eric saxe? that he was more worried about people's passwords being terrible than about phishing
00:55:58 [nico]
so, fixing phishing but keeping passwords may be a problem
00:56:06 [scribe]
s/missed it/using 2-factor authentication we could use trusted location and devices
00:56:11 [scribe]
s/saxe?/sachs
00:56:27 [scribe]
q+ a4
00:56:32 [scribe]
ack dan
00:56:33 [nico]
<have we thought about doing client assessment stuff?>
00:56:43 [scribe]
ack bob
00:57:03 [nico]
bob, sam: well, there's the lying endpoint problem
00:57:12 [hartmans]
hartmans has joined #idbrowser
00:57:31 [nico]
bob: the servers could make statements about what kinds of practices they want from the clients, that could be useful
00:57:59 [nico]
<service providers will typically ignore claims by clients>
00:58:18 [scribe]
ack a1
00:59:02 [scribe]
ack a4
00:59:11 [nico]
<stolen temporary credentials can still be used to do a lot of harm>
00:59:29 [karen]
a1 speaker is David Chadwick, University of Kent, UK
00:59:38 [nico]
<comments about devices and doing NEA that way>
00:59:39 [fjh]
fjh has joined #idbrowser
00:59:49 [nico]
(TPMs??)
01:00:02 [scribe]
q+ nico
01:00:05 [scribe]
q+ plh
01:00:09 [nico]
<what could a device say to increase trust>
01:00:18 [nico]
<well, the device could have a public key...>
01:00:58 [nico]
so, yes, TPMs
01:01:16 [scribe]
q+ brian
01:01:16 [karen]
Speaker was Mark Watson, Netflix
01:01:17 [nico]
<privacy considerations>
01:01:53 [nico]
harry: surprising consensus about password managers
01:02:25 [scribe]
ack nico
01:02:27 [scribe]
ack plh
01:03:23 [nico]
<at Mozilla we spend a lot of effort on trying to make tracking harder>
01:03:41 [nico]
(I think that was a comment in relation to the privacy considerations regarding TPMs)
01:03:44 [scribe]
q+ tlr
01:03:57 [scribe]
q+ dan
01:04:00 [nico]
<well, one need not prove identity, just trustworthiness>
01:04:11 [scribe]
q+ sam
01:04:14 [nico]
<so prove this is a Samsung TV, not which one>
01:04:52 [scribe]
ack brian
01:04:59 [jimklo_]
jimklo_ has joined #idbrowser
01:05:04 [nico]
sam: don't see how to do that without violating privacy; also, go to an underground electronics shop sometime, see the counterfeits
01:05:24 [scribe]
ack dan
01:05:24 [nico]
<comment about aliasing>
01:05:25 [scribe]
ack sam
01:05:43 [tlr]
q-
01:05:44 [nico]
dan: <missed it, sorry>
01:06:10 [nico]
<there's a difference when you sign up and pay for something>
01:06:19 [scribe]
s/missed it, sorry/fingerprinting does have legitimate uses sometimes
01:06:28 [nico]
craig: it's more complicated for users to deal with hardware IDs
01:06:38 [nico]
scribe: thanks
01:06:53 [nico]
I'm missing this too
01:07:06 [PHB]
Can get to a pretty solid proof that the browser visiting the site NOW is the same as the browser that visited a month ago
01:08:19 [nico]
bob: basically, it's hard to manage all these IDs, and it's a big DB, and maybe you don't manage it well, and you could lose your users' stuff, and so device IDs are hard to deploy
01:09:02 [nico]
harry: asking about crypto APIs
01:09:12 [nico]
so, a hum
01:10:10 [tlr]
andersR: access to credential stores is critical element
01:10:27 [nico1]
nico1 has joined #idbrowser
01:10:38 [tlr]
phb: frameworks are a way to avoid making choices. standards are about making choices.
01:10:48 [tlr]
crocker: discuss more tomorrow
01:11:01 [tlr]
??: framework gives choice of what mechanism to use
01:11:09 [karen]
?? is Nico
01:11:16 [tlr]
s/??/Nico/
01:11:39 [nico1]
y
01:11:53 [nico1]
harry: so more on this tomorrow
01:12:01 [tlr]
tlr: sounds like we need to flesh out scope of api discussion tomorrow
01:12:04 [nico1]
harry: attaching ID to session states (?)
01:12:08 [nico1]
incognito mode
01:12:18 [nico1]
is this something that's of interest to people
01:12:22 [tlr]
identity attached to session state / login/logout functionality
01:12:36 [nico1]
sam: useful, but not necessarily in scope
01:12:52 [nico1]
<let's define what we mean by incognito mode>
01:13:11 [nico1]
harry: I just remember ppl mentioning multiple personae
01:13:14 [nico1]
...
01:13:42 [nico1]
comments about lack of competitiveness regarding incognito mode
01:15:09 [nico1]
dan: nothing prevents users from using pw managers
01:15:30 [nico1]
reply: well, stock browsers don't let you
01:15:35 [nico1]
for bank creds
01:15:49 [nico1]
<use of password managers is growing>
01:16:25 [nico1]
<users don't understand why pw mgrs do or do not fill things in -- when the pw mgr doesn't then the user thinks it's broken>
01:16:54 [nico1]
harry: asking about consensus regarding the annotations concept
01:17:44 [nico1]
<analogy about how an RFC exists that specifies annotations, but that no one knew about it!>
01:18:33 [nico1]
<it should be harmless to define these tags>
01:18:45 [nico1]
<unless we start we won't get there>
01:19:07 [nico1]
<it's important to also annotate the cookies>
01:19:33 [nico1]
(basically making the cookie a derivative credential)
01:19:50 [nico1]
phl: <concurs>
01:20:07 [nico1]
hannes: <also concurs>
01:20:28 [nico1]
bob: that's of a piece with my comment about labeling session IDs
01:20:29 [tantek]
what was the specific RFC for suggested labels?
01:20:33 [tantek]
does anyone know it?
01:20:44 [tantek]
or could the person who spoke with Hixie please dig it up from their email etc. and post it?
01:20:55 [nico1]
tantek: it was said to be 3127
01:21:18 [nico1]
I'm falling behind on scribing
01:21:33 [tantek]
Hixie's argument is sound. Re-inventing a previously failed standard is not a rational path unless you can point out key reasons for failure that your re-invention is specifically addressing.
01:21:38 [nico1]
harry: agenda for tomorrow
01:21:55 [tantek]
I thought "3127" was said like an example of an RFC #, not the actual #.
01:22:08 [nico1]
tantek: I thought so too
01:22:17 [nico1]
root around for it?
01:22:30 [nico1]
harry: we might want to re-bake the agenda
01:23:18 [tantek]
who was the Google person that claimed he spoke with "Ian Hixie" [sic]
01:23:20 [tantek]
?
01:23:27 [tantek]
perhaps we can ask him for the specific RFC #
01:23:33 [tantek]
I'd like to track this down
01:23:54 [yoiwa]
RFC 3127 is "Authentication, Authorization, and Accounting: Protocol Evaluation" (Informational)
01:34:49 [karen]
rrsagent, make minutes
01:34:49 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html karen
01:36:39 [nico1]
nico1 has left #idbrowser
01:38:10 [karen]
Harry: we don't have complete agreement
01:38:23 [karen]
...but have more proposals for scope; would like to have that list...10 proposals
01:38:42 [karen]
Speaker: I did not get the sense...third party; token use
01:38:50 [karen]
Harry: It was brought up several times; we can revisit that
01:38:59 [karen]
...discussion went away from that; like mobile discussion
01:39:08 [karen]
TLR: We have room for that in the Beyond the Browser session
01:39:17 [karen]
Speaker: talking about that as opposed to tokens
01:39:22 [karen]
TLR: Use case will bring it up
01:39:31 [karen]
Bob: Bring up browser support for IP discovery
01:39:36 [karen]
...hoping that may be in
01:39:40 [karen]
...and other concrete suggestions
01:39:50 [karen]
Harry: I think it rather naturally comes into it today
01:39:54 [karen]
...Dinner at Shivas
01:40:04 [karen]
800 California Street, #100
01:40:17 [karen]
Buffet dinner starts at 7:00pm
01:40:25 [karen]
Trent: Please pick up your trash
01:40:33 [karen]
Meeting adjourned
01:40:37 [karen]
rrsagent, make minutes
01:40:37 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html karen
01:40:56 [yoiwa]
yoiwa has left #idbrowser
01:41:45 [karen]
karen has left #idbrowser
01:47:36 [AndroUser2]
AndroUser2 has joined #idbrowser
03:20:04 [Zakim]
Zakim has left #idbrowser
03:41:01 [hartmans]
hartmans has joined #idbrowser
04:02:36 [lowenthal]
lowenthal has joined #idbrowser
04:27:07 [Vladimir]
Vladimir has joined #idbrowser
04:41:09 [bblfish]
bblfish has joined #idbrowser
05:03:45 [hhalpin]
hhalpin has joined #idbrowser
05:21:46 [mixedpuppy]
mixedpuppy has joined #idbrowser
16:17:14 [RRSAgent]
RRSAgent has joined #idbrowser
16:17:14 [RRSAgent]
logging to http://www.w3.org/2011/05/25-idbrowser-irc
16:17:29 [karen]
...is problem about too many passwords; or not at all; too weak
16:17:33 [PHB]
PHB has joined #idbrowser
16:17:35 [karen]
...everyone will have different POVs
16:17:44 [karen]
...no stopping; how do we know when online identity is solved
16:17:49 [karen]
...it's not a check-mate end
16:18:02 [karen]
...related to that, solutions are not true or false; something is better than another
16:18:10 [karen]
...cannot have a proof for solving online identity
16:18:25 [tyler]
tyler has joined #idbrowser
16:18:25 [karen]
...maybe say something about crypto
16:18:25 [karen]
...but the overall thing is fuzzier
16:18:26 [tlr]
http://en.wikipedia.org/wiki/Wicked_problem
16:18:30 [karen]
...Next problem is that there is not an immediate test of what will happen
16:18:38 [karen]
...everything has unfortunate side effects
16:18:44 [karen]
...If we roll out @@auth
16:18:52 [karen]
...could push into malware and have other repercussions
16:18:58 [tyler]
Anyone got a link to the Workshop wiki handy?
16:19:00 [karen]
...Cannot look into future or rewind the past
16:19:07 [karen]
...Everything happens in the real world as we speak
16:19:26 [karen]
...If you screw up privacy like Google did, it's challenging
16:19:42 [karen]
...You get damaged by this if you screw up; you lose credibility
16:19:50 [karen]
...It's not like science where you can celebrate failure
16:19:54 [karen]
...In real life, it's bad
16:20:00 [karen]
...If passport failed for Microsoft
16:20:17 [karen]
...some people wrote it off, so they were blackballed
16:20:24 [karen]
...You cannot sit down and choose six different things
16:20:33 [karen]
...We have seen a dozen things already in this Workshop
16:20:50 [karen]
...In science you want to say you have a set of techniques, such as building a bridge
16:20:56 [karen]
...but this space is essentially different
16:21:07 [karen]
...Identity on the Web is not like identity in the real world; no real person's face
16:21:16 [karen]
...Not like identity in Internet with one admin domain
16:21:22 [karen]
...what worked here won't work there
16:21:34 [karen]
...reasons for failure are over-determined
16:21:49 [hodges]
hodges has joined #idbrowser
16:21:51 [karen]
...Did infocard fail due to user experience; too complex a mental model; don't know
16:21:54 [karen]
...cannot rewind the past
16:21:58 [karen]
...All I wanted to do
16:22:03 [karen]
...really interesting framework
16:22:08 [karen]
...I'll put up references
16:22:23 [karen]
...Some white papers you can read
16:22:32 [fjh]
fjh has joined #idbrowser
16:22:37 [karen]
...They have some frameworks for how to address problems to build shared understanding
16:22:44 [karen]
...And most important, capture that somewhere
16:22:51 [karen]
...So next time you can pick up from where you left off
16:22:56 [karen]
...and not recreate all the past conversations
16:23:15 [karen]
...So for today, think about what I said here; we all have different stakes, viewpoints, backgrounds
16:23:25 [karen]
...Be careful when you say the problem is not x it's y
16:23:32 [karen]
...their assumptions and values are different
16:23:36 [karen]
...Other obvious anecdote
16:23:43 [karen]
...Think about the rules for passports
16:23:51 [karen]
s/passports/passwords
16:23:55 [karen]
...Think about how you pick it
16:24:10 [karen]
...All these security experts thought different approaches would work to select them
16:24:19 [karen]
...No consensus, but all defensible positions
16:24:25 [karen]
...So important to have this context
16:24:36 [karen]
Q: Any data to back up assertions
16:24:41 [karen]
A: no
16:24:41 [tantek]
tantek has joined #idbrowser
16:24:56 [karen]
Harry: let's hold questions until end of session
16:25:04 [tantek]
that was me that asked "Did any of them have data to support their assertions?"
16:25:10 [tantek]
answer was "no"
16:25:21 [JeffH]
so there will be some way to recover these irc logs ?
16:25:33 [karen]
Next Speaker: Phillip Hallam-Baker, Comodo
16:25:42 [karen]
Topic: Simulation & Design for Deployment
16:25:47 [tantek]
(in reference to the room full of Google security experts all recommending different ways to make "good" (strong) passwords)
16:26:11 [karen]
Problem is how do you get that problem deployed; Internet has 20 billion users
16:26:29 [tantek]
I think that was 2 billion
16:26:30 [karen]
...how I deal with this problem is I design simulations
16:26:42 [karen]
...and identify which audiences need to address protocol
16:26:52 [karen]
...and I simulate; use stuff from control system world
16:26:59 [karen]
...can use software or even Excel
16:27:04 [karen]
...Do need to test assumptions
16:27:09 [karen]
...If you think viral marketing will take off
16:27:19 [karen]
...if you are talking viral or network effect, you are fooling yourself
16:27:25 [karen]
...Chicken and egg problem
16:27:32 [karen]
...getting to critical mass is really hard
16:27:40 [karen]
...Simply having Microsoft say it won't work
16:27:46 [karen]
...some things will kill your proposal
16:27:53 [karen]
...One is deployment deadlock
16:28:00 [karen]
...If servers do this or that
16:28:08 [wbaker]
wbaker has joined #idbrowser
16:28:12 [karen]
...stopped working when Web had a million users
16:28:13 [bblfish_]
bblfish_ has joined #idbrowser
16:28:22 [karen]
...Digest authentication was proposed seven days after basic
16:28:32 [karen]
...Basic was deployed and enmeshed in Web six days after it was proposed
16:28:44 [karen]
...I proposed digest on next day and it took five years to get into browsers
16:28:46 [fjh_]
fjh_ has joined #idbrowser
16:28:51 [karen]
...Once something works well, it's hard to replace
16:29:07 [karen]
...Getting to web sites
16:29:17 [yoiwa]
yoiwa has joined #idbrowser
16:29:18 [karen]
...I won't use your identity scheme if it does save time
16:29:31 [karen]
...Users are aware of razor and blades model
16:29:47 [karen]
...Unlike other workshops, I am seeing technology proposals not business proposals
16:30:03 [karen]
...First proposal is to put the account manager in the cloud
16:30:14 [karen]
...we can do it securely and user never needs to know what is going on
16:30:22 [karen]
...can get access; can support legacy browsers
16:30:30 [karen]
...Why start here? User can do on their own
16:30:36 [karen]
...I know companies looking at this
16:30:44 [karen]
...they don't need participation of any other party
16:30:52 [karen]
...I'm doing this to save my time, not establish a bus model
16:30:55 [karen]
...Could do in two ways
16:31:07 [karen]
...just solve this problem, make easy to store passwords in the cloud
16:31:20 [karen]
...But then write protocols to go slightly more sophisticated
16:31:32 [karen]
...allow a secure authentication mechanism
16:31:42 [karen]
...not choose too many or invent something new unless I have to
16:31:50 [steve_schultze]
steve_schultze has joined #idbrowser
16:31:59 [karen]
...if I can coopt OpenID or SAML people I can do it faster
16:32:07 [karen]
...phase two builds out on phase one
16:32:17 [karen]
...Finally, this was originally proposed as phase three
16:32:23 [karen]
...putting user names and passwords in the cloud
16:32:34 [karen]
...don't put pw into password manager
16:32:42 [karen]
...Who here does not have a smart phone?
16:32:48 [karen]
[one hand]
16:33:01 [karen]
Phillip: Ok, so you all know you can get AUTH
16:33:14 [karen]
...congrats, you have now simulated a 1960s technology on a smart phone
16:33:23 [karen]
...this thing has a display, keyboard, voice input
16:33:26 [karen]
...could we do more?
16:33:35 [karen]
...I'm buying my phase kit off eBay
16:33:48 [karen]
...so instead of typing passcode, would be nice to have been asked
16:33:51 [karen]
...I mentioned voice
16:33:55 [karen]
...for applications that demand it
16:34:09 [karen]
...Take a picture of person taking purchase; put in a pin number
16:34:18 [karen]
...we could have voice recognition or voice recog biometrics
16:34:22 [karen]
...We have a really powerful tool
16:34:29 [karen]
...This could start to deploy now in the enterprise
16:34:41 [karen]
...i looked up $20 per year for one-time password tokens
16:34:55 [karen]
...This requires no software; can be done quickly and enterprises can adopt unilaterally
16:34:57 [karen]
...thank you
16:35:49 [karen]
Harry: up next is Sam Hartman from Painless Security
16:36:03 [karen]
...I would like to talk about the value of the browser in supporting identity management
16:36:09 [bkihara]
bkihara has joined #idbrowser
16:36:13 [karen]
...and in supporting the kinds of things that Phil
16:36:21 [karen]
...making things easier to deploy so we get innovation
16:36:23 [karen]
...to start off
16:36:33 [karen]
...One of things to realize is things platform can do
16:36:39 [karen]
...you cannot write JavaScript
16:36:46 [karen]
...platform mediates cross application and site information
16:36:54 [karen]
...yesterday Bob talked about the identity selection problem
16:37:07 [karen]
...When he was talking he said it is hard for service providers to drive the selection problem
16:37:20 [karen]
...The platform is in position to know what the identities are that are broader than one site
16:37:29 [karen]
...site is in position to reasonably know about the identities
16:37:42 [karen]
...So together you can have the platform; a good understanding of what the identities are
16:37:57 [karen]
...better position to ask user who they want to be today versus a site asking it the possibilities
16:38:14 [karen]
...Another thing the platform can be in a position to do
16:38:35 [karen]
...some sites can manage iphones to traditional desktops
16:38:44 [karen]
...can be in enterprise or individuals
16:38:45 [AndroUser]
AndroUser has joined #idbrowser
16:38:49 [jimklo]
jimklo has joined #idbrowser
16:38:51 [dveditz]
dveditz has joined #idbrowser
16:38:53 [karen]
...platform can enforce policy that is broader
16:39:03 [karen]
...Also platform can cross identity beyond just the web browser
16:39:09 [karen]
...ID not just in some app
16:39:13 [karen]
...used in some web resources
16:39:17 [karen]
...you need the platform's involvement
16:39:23 [karen]
...as we discussed yesterday
16:39:38 [karen]
...there are cases where the browser is used less, particularly the mobile environment
16:39:44 [karen]
...Cannot just treat as a web id problem
16:39:48 [karen]
...finally something the platform can do
16:39:52 [karen]
...that can enable security
16:39:59 [karen]
...Something that one of first presentations talked about
16:40:02 [karen]
...channel bindings
16:40:10 [karen]
...is about tying two security relationships together
16:40:21 [karen]
...Can allow you to have an association with some web site
16:40:30 [karen]
...and can confirm even the certificate has changed
16:40:36 [steve_schultze]
steve_schultze has joined #idbrowser
16:40:39 [karen]
...Also valuable in device authentication
16:40:47 [karen]
...if user has inserted himself into device
16:40:53 [karen]
...could break some use cases
16:41:13 [karen]
...the platform could tie these sorts of identification together
16:41:20 [karen]
...Would be nice to pick one like OpenID
16:41:24 [karen]
...but we cannot just pick one
16:41:26 [Vladimir_]
Vladimir_ has joined #idbrowser
16:41:28 [jimklo_]
jimklo_ has joined #idbrowser
16:41:31 [karen]
...Different organizations...
16:41:43 [karen]
...If you tell me I have to change from one thing to something else
16:41:48 [karen]
...why is that in my best interest?
16:41:52 [fjh_]
fjh_ has joined #idbrowser
16:41:57 [karen]
...Lots of properties to these identity management systems
16:42:06 [karen]
...attempt to consume lots of identities
16:42:21 [karen]
...Some aspects are part of system and a critical part of using it
16:42:27 [karen]
...like Kerberos using it
16:42:34 [bkihara_]
bkihara_ has joined #idbrowser
16:42:37 [karen]
...things based on URIs versus naming things based on other approaches
16:42:48 [karen]
...and sometimes those differences are important to people
16:42:53 [karen]
...if we don't have a way to dispose
16:43:06 [karen]
...and force all identity management to be the same, we will defeat choice of using them
16:43:17 [karen]
...on the other hand, important
16:43:24 [jtrentadams]
jtrentadams has joined #idbrowser
16:43:25 [karen]
...not to have to know ...
16:43:37 [karen]
...permit only when you need to take advantage of the special properties
16:43:48 [karen]
...I come from identity management background outside of the Web
16:43:52 [karen]
...a lot of things going on there
16:43:57 [bkihara_]
bkihara_ has joined #idbrowser
16:44:10 [karen]
...I think that we have a real opportunity for a convergence of these approaches with what is going on the Web
16:44:14 [dpranke]
dpranke has joined #idbrowser
16:44:21 [karen]
...the best identity management story we have seen is cases where there is a real decoupling from the application
16:44:41 [karen]
...plug in new security mechanism, or deployment and mechanism will work within new environment without being aware of it
16:44:51 [karen]
...Major desktop systems have this such as Microsoft
16:45:00 [karen]
...Take a look of hosted services on Windows Live
16:45:08 [karen]
...where they invented a new service
16:45:22 [karen]
...They were not previously aware
16:45:34 [karen]
...At IETF we are working on things
16:45:44 [karen]
...A single way of looking at OpenID, OAuth, SAML, Kerberos and public key
16:45:59 [karen]
...the application won't get any of those the same, but can delve into detail
16:46:08 [karen]
...and take advantage of specifics of the mechanism if necessary
16:46:23 [karen]
...also at IETF, project Moonshot is looking at how to create an identity management mechanism
16:46:28 [karen]
...uses SAML to look at things
16:46:38 [karen]
...intended to work well in a federated environment
16:46:47 [karen]
...address privacy issues we are talking about
16:47:07 [karen]
...address mechanisms that are highly integrated into platform
16:47:22 [karen]
...Basically, what I am proposing to look at
16:47:33 [karen]
...is an approach where the application and platform can both contribute
16:47:44 [karen]
...application can take advantage of identity coming from that
16:47:57 [karen]
...and can provide set of mechanisms; can inject an identity into the system
16:48:03 [karen]
...not about solving users typing id into system
16:48:10 [karen]
...about enabling credentials in future
16:48:14 [karen]
...that are not passwords
16:48:17 [karen]
...Final recommendation
16:48:24 [karen]
...more detail from previous slide
16:48:28 [karen]
...Ok
16:48:45 [karen]
Harry: We are going to begin discussion on Platform issue for ten minutes
16:48:55 [karen]
...then continue with Device discussion and then take a break
16:49:19 [karen]
CarlH: Identity really is a wicked problem
16:49:19 [benadida]
q+
16:49:28 [karen]
...I think it will require inconsistency robustness
16:49:32 [Zakim]
Zakim has joined #idbrowser
16:49:34 [benadida]
q+
16:49:34 [karen]
...cannot be algorithmic solution
16:49:41 [karen]
...like credit cards, do you pass this charge or not?
16:49:49 [karen]
...evidence for or against and make the decision
16:49:59 [karen]
...if it is a wicked problem, this is where you need to go
16:50:02 [karen]
...may be only thing to do the job
16:50:07 [karen]
? Comment on ???
16:50:19 [karen]
...Smartphone, you don't use browser, just native apps
16:50:31 [karen]
...does not mean browser should not handle identity
16:50:34 [karen]
...there is trust
16:50:42 [karen]
...could be done relatively easily
16:50:46 [karen]
...like OpenID a mechanism
16:50:58 [karen]
...think of bringing app into smartphone
16:51:08 [karen]
...you redirect to identity provider and redirects using a custom URI
16:51:14 [karen]
...what is missing is the first leg
16:51:21 [karen]
...what it means for first app to redirect
16:51:26 [karen]
...when you have direct access to begin with
16:51:35 [karen]
...maybe that is something the browser providers should think about
16:51:39 [fjh]
what makes a browser "trusted"?
16:51:42 [karen]
Sam: I agree that use pattern could be supported
16:51:51 [karen]
...i want to see a way to invoke that pattern
16:52:08 [zolli]
zolli has joined #idbrowser
16:52:13 [karen]
JeffH: I just wanted to support notion of identity spams far outside this thing called the browser
16:52:25 [karen]
...many of apps on smartphones are browsers...mobile code
16:52:34 [karen]
...that environment is getting married to the platform
16:52:41 [karen]
...agree we need to think about this more holistically
16:52:48 [karen]
Q? you may not trust that
16:52:53 [karen]
JeffH: that is a big problem
16:52:58 [karen]
Nico: I want to echo that there are
16:53:05 [karen]
...browser apps and HTTP applications
16:53:13 [karen]
...dapper and that sort of thing
16:53:19 [karen]
...Browser apps use HTTP
16:53:31 [karen]
JeffH: there are protocols in wide use beyond HTTP
16:53:48 [karen]
Q: another approach is to use standardized mechanisms out to the platform
16:53:52 [karen]
...such as what Microsoft has done
16:53:56 [karen]
...with identification
16:54:01 [karen]
...beyond multifactor things
16:54:13 [karen]
...browser can react in more robust way; and can you channel that back
16:54:20 [karen]
...browser can still be the locus
16:54:36 [karen]
Sam: that's great if I trust the browser or if I have an identity for which it's the locus
16:54:42 [karen]
...but in enterprise that does not make sense
16:54:51 [karen]
...If I am an unintended app, the browser is wrong place for it
16:55:02 [karen]
...as a human, the browser is wrong choice for my ID locus
16:55:12 [karen]
...you have described an important use pattern
16:55:22 [karen]
...but many different approaches, as Dirk described
16:55:28 [karen]
Ben Adida: one point Phil made
16:55:41 [karen]
...it's not just crypto
16:55:44 [karen]
...hate to bring up SONY; when you concentrate a lot of data into the cloud.
16:55:48 [karen]
...can be more complicated
16:55:55 [karen]
PhilHB: decide what you can accept
16:56:04 [karen]
...such as accepting, storing credit card data
16:56:09 [karen]
...and whether to store in unencrypted
16:56:24 [karen]
...I just had my credit card suspended from Michael's retailer because it was hacked
16:56:33 [karen]
Harry: we will close the queue now
16:56:47 [karen]
Speaker is Dirk Balfanz, Google
16:56:47 [bkihara_]
bkihara_ has joined #idbrowser
16:56:54 [karen]
Dirk: I want to do a demo
16:57:06 [karen]
...so thanks, Sam, a lot of what you said will be a great introduction
16:57:12 [karen]
...to what I will talk about on Android
16:57:20 [karen]
...how we are using it on installed apps as well as browser
16:57:25 [karen]
...and talk about how to do this more generally
16:57:35 [karen]
...So what does the account manager on Android do?
16:57:49 [karen]
...so the way it works is you write plug-ins called authenticators
16:58:02 [karen]
...app uses an API to say I want a ? complete to talk to some service provider
16:58:15 [karen]
...which of these plug-ins and what account installed on device this token should be for
16:58:23 [karen]
...plug-in does magic and returns to server
16:58:29 [karen]
...so plug-ins store user credentials
16:58:32 [karen]
...let me show you
16:58:36 [karen]
...here is an Android device
16:58:45 [karen]
...and so the account manager here has a bit of a UI
16:58:56 [karen]
...two accounts currently installed on this device and I can add more
16:58:59 [karen]
...add a Google account
16:59:05 [karen]
...I can say take me to a browser
16:59:15 [karen]
...let me use a more complicated login procedure at Google
16:59:20 [steve_schultze]
steve_schultze has joined #idbrowser
16:59:37 [karen]
...this is an account that has OpenID turned on, so I get redirected to Yahoo!
16:59:54 [karen]
...You could imagine other things like two-factor id, or log-in challenges that complicate things
17:00:38 [karen]
[checking network]
17:00:42 [karen]
...Let's try again
17:00:55 [karen]
rrsagent, make minutes
17:00:55 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html karen
17:01:05 [JeffH]
@karen -- u doing valiant yeoman's work there :)
17:01:07 [karen]
...I can readwrite to Yahoo
17:01:33 [karen]
...So what you will hopefully see, is an installed app AUTH flow
17:01:45 [karen]
...could have been something more complicated like a two-factor authentication
17:01:54 [karen]
...device gets an AUTH token for this account
17:01:59 [karen]
...so now a third
17:02:08 [karen]
...installing on account manager and seeing what is there
17:02:17 [karen]
...store account credentials, don't have to see it again
17:02:24 [karen]
...type into phone and don't have to do it again
17:02:33 [karen]
...uses an API for the account manager which remembers your password
17:02:36 [karen]
...takes care of rest
17:02:44 [karen]
...no need for app to take care of ?
17:02:52 [karen]
...one of APIs it provides
17:02:58 [karen]
...apps can show you this list of accounts
17:03:07 [karen]
...installed lists, some confusions
17:03:11 [karen]
...link with same accounts
17:03:17 [karen]
...So what an app typically does
17:03:25 [karen]
...it calls the account manager to ask what is installed
17:03:28 [karen]
...then you pick account
17:03:39 [karen]
...after you choose, use the acc't manager and talks to server side
17:03:42 [karen]
...What we did in Honeycomb
17:03:49 [karen]
...we added acc't manager to device
17:03:56 [karen]
...here is browser, I am not logged in yet
17:04:08 [karen]
...I want to log into my Picasa Web account
17:04:14 [karen]
...so now at Google log-in page
17:04:22 [karen]
...the browser slid in that butter bar
17:04:28 [karen]
...use that to log in
17:04:38 [karen]
...now logged into my Picasa account
17:04:48 [karen]
...you notice what happened is the log-in page was still there
17:04:51 [karen]
...I could log in manually
17:04:55 [karen]
...but it offered me the choice
17:05:04 [karen]
...Also works with relying parties
17:05:33 [karen]
...the way this works
17:05:47 [karen]
...is that the server sends a header that says I support logins with google account
17:06:01 [karen]
...openID relying party can also use header
17:06:01 [karen]
...using my account manager
17:06:07 [karen]
...get taken to OpenID approval page on Google
17:06:17 [karen]
...being a relying party, the site could have asked for my id, photo
17:06:26 [karen]
...my address book; so appropriate to show an approval page
17:06:34 [karen]
...shows OpenID back to the relying party
17:06:37 [karen]
...using the account manager
17:06:45 [karen]
...two more slides
17:07:01 [karen]
...plug-ins run their own proprietary protocols
17:07:18 [karen]
...one acc't manager you don't have to write prop. protocols, but could do in a standardized way
17:07:24 [karen]
...uses OAuth to install accounts
17:07:36 [karen]
...one, standardize ways to get credentials into account manager
17:07:54 [karen]
...second thing we need is a standardized way to use that credential, that OAuth token
17:08:02 [karen]
...to access something, it's downscoping
17:08:05 [karen]
...go to service provider
17:08:10 [karen]
...to hand to the app
17:08:15 [karen]
...third thing I demonstrated
17:08:26 [karen]
...one of tokens is not standard OAuth is URL
17:08:30 [karen]
...and it logs in the user
17:08:35 [karen]
...one-time use
17:08:42 [karen]
...that magic token makes the user get logged in
17:08:50 [karen]
...hit and get back in return a URL
17:08:54 [karen]
...will log in the user
17:09:00 [karen]
...Google has such a URL
17:09:09 [karen]
...other have them, too, so we could standardize on those
17:09:12 [karen]
...no crypto
17:09:24 [karen]
...not standardize how I authenticate to my ID
17:09:32 [karen]
...browser used standard mark-up
17:09:40 [karen]
...just need standardized way for OAuth token
17:10:08 [karen]
...Once I hit that login URL, I can hit it @@
17:10:20 [karen]
...Yesterday we talked about special cookies, I don't think we need those
17:10:34 [karen]
Harry: I like the "do need to standardize and don't need to" list
17:10:42 [karen]
Sam: you don't need to standardize X for your use case
17:10:49 [karen]
...great to enumerate for each use case
17:11:06 [karen]
...but annoying when you say we don't need to standardize at all, because there are more than one use case
17:11:09 [karen]
Harry: goog point
17:11:12 [karen]
s/goog/good
17:11:26 [karen]
BenA: for that web login URL, do you envision some special header
17:11:39 [karen]
...so it's coming from more than redirecting? Coming from outside browser?
17:11:47 [karen]
Dirk: If any random web site
17:12:07 [karen]
...saying I support Google logins, and if not relying party, browser will redirect to Google
17:12:11 [karen]
...and I won't see it
17:12:15 [karen]
BenA: I'll take it offline
17:12:21 [karen]
Q: when Google ? to Yahoo
17:12:25 [karen]
...is Google aware of it?
17:12:37 [karen]
Dirk: no, fires off an OAuth flow
17:12:42 [karen]
...I need to log in a user
17:12:51 [karen]
...if OpenID, I need to redirect to Yahoo
17:13:23 [karen]
Harry: closed queue, now presenting is Mark Watson, Netflix
17:13:42 [karen]
Mark Watson: also joining me is Mitch Zollinger, the real security expert
17:13:49 [karen]
...Provider a user perspective today
17:14:05 [karen]
...When it comes to device authentication, some things not possible
17:14:41 [karen]
... if you define a browser as an id environment, and we (netflix) ship browsers to all sorts of devices
17:14:46 [karen]
... you just don't see the chrome
17:14:56 [karen]
... what does secure actually mean
17:15:07 [karen]
... our service and a bunch of others rely on guarantees of device behavior
17:15:11 [karen]
... this is not a normal part of the web
17:15:21 [karen]
... this makes sure we install a reputable browser
17:15:33 [karen]
...examples are HD content
17:15:43 [karen]
...not just our requirement of our service
17:15:49 [karen]
...Other areas are financial services data
17:15:57 [karen]
...that is out of scope of right now
17:16:07 [karen]
...Could imagine other examples such as electronic medical records
17:16:14 [karen]
...haven't thought a lot, but there are others
17:16:26 [karen]
...how do we determine if device has properties to get the proper content
17:16:36 [karen]
...We have restrictions on the number of devices per account
17:16:42 [karen]
...that is a business decision we took
17:17:05 [karen]
...What do we mean by device authentication, staying at requirements level
17:17:05 [lowenthal]
lowenthal has joined #idbrowser
17:17:16 [karen]
...One, we need to id the type of device accessing the service
17:17:30 [karen]
...we don't care if YouTube sees different identifiers for that device
17:17:43 [karen]
...we use it to make authorization decisions and to restrict access
17:17:53 [karen]
...we need to tell what properties the device has
17:18:12 [karen]
...may come from some software, which is weaker and does not provide guarantees
17:18:23 [karen]
...We need to determine the security properties
17:18:28 [karen]
...could be done with software or hardware
17:18:41 [karen]
...Strength of identity is implicit in the identity itself
17:18:54 [karen]
...for example, we have a trusted relationship with a device manufacturer
17:18:59 [karen]
...and can make decisions
17:19:00 [karen]
...privacy
17:19:13 [karen]
...device identifier is personally identifiable information
17:19:18 [AndroUser2]
AndroUser2 has joined #idbrowser
17:19:21 [AndroUser2]
AndroUser2 has joined #idbrowser
17:19:26 [karen]
...You need some type of user consent to give out to a given destination
17:19:37 [karen]
...maybe dialogue boxes with certification is not best way
17:19:52 [karen]
...services need to be secure to users satisfaction
17:19:55 [Vladimir_]
Vladimir_ has joined #idbrowser
17:20:04 [karen]
...that user is going to right .com
17:20:17 [karen]
...We are not saying these are "the" requirements; they are our requirements
17:20:17 [fjh]
fjh has joined #idbrowser
17:20:21 [karen]
...not trying to generalize
17:20:24 [karen]
...we need input from others
17:20:33 [karen]
...that could be universally applicable
17:20:49 [karen]
...JavaScript APIs for service device authentication is one possible approach
17:20:55 [jimklo]
jimklo has joined #idbrowser
17:20:57 [karen]
...First, possibility to derive a temporary key
17:21:08 [karen]
...those temp keys should not be visible to JavaScript code
17:21:19 [karen]
...should be secure to whatever level...of the platform device
17:21:23 [karen]
...Build whatever protocols you want
17:21:26 [karen]
...to make them secure
17:21:40 [karen]
...There are some services not possible today on the Web platform
17:21:48 [karen]
...secure device authentication is one
17:21:58 [karen]
...on browser side others interested in working on this
17:22:05 [karen]
Harry: Let's go next to Intel presentation
17:22:15 [karen]
...then Q&A and then go to a shorter break
17:22:20 [lowenthal]
are the slides online somewhere?
17:22:50 [karen]
Speaker is Jack Matheson, Intel's application and security products group
17:23:00 [karen]
Jack: this is a new area we just christened
17:23:07 [karen]
...mostly talking about platform problems
17:23:12 [karen]
...that is my interest and it is important
17:23:26 [karen]
...First I would like to acknowledge the notion of trust in this relationship
17:23:35 [karen]
...establish trust between you and your services
17:23:38 [karen]
...long-term support
17:23:46 [JeffH]
@karen -- at some point pls announce to group -- perhaps write on the flip chart -- how we can go access these IRC logs from ystdy & today. thanks!
17:23:59 [karen]
...Trust is predicated on user and their device
17:24:08 [karen]
...Problem here is a lot of things
17:24:19 [karen]
...think of device ids, hardware state or testing it
17:24:26 [karen]
...talking about a trusted third party to verify it
17:24:29 [karen]
...that's a big problem
17:24:35 [karen]
...not just in enterprise but also consumer
17:24:39 [karen]
...More philosophically
17:24:47 [karen]
...it's a problem because a device is owned by a user
17:24:56 [karen]
...not user centric but network centric
17:25:04 [karen]
...need a tie between the platform and the privacy of the user
17:25:13 [karen]
...that is not nec. solved by attestation
17:25:18 [karen]
...you can ping me later about that
17:25:25 [karen]
...mostly stating problems today
17:25:33 [karen]
...Leads to second problem
17:25:43 [karen]
...if you want mass adoption, you need platform that gets to masses
17:25:48 [karen]
...why the platform is so important here
17:25:52 [karen]
...My interest in this workshop
17:26:02 [karen]
...I titled this hardware relevance
17:26:07 [karen]
...I think of browser
17:26:22 [karen]
...user agent has direct access to platform
17:26:30 [karen]
...hybrid solutions, software-device interactions
17:26:40 [karen]
...primary is low cost
17:26:46 [karen]
...If someone snaps a picture
17:26:57 [karen]
...it is very cheap to put on and it is massively adopted
17:27:03 [karen]
...everyone has a camera phone now
17:27:09 [karen]
...other things I will gloss over
17:27:16 [karen]
...Think of user-centric privacy
17:27:24 [karen]
...if a trusted third party is not user centric
17:27:35 [karen]
...and I have seen experiments of putting within device itself
17:27:50 [karen]
...Problem all of them face is that people in business of devices, hardware and platforms
17:28:03 [karen]
...no one wants to introduce legacy
17:28:04 [karen]
...solutions in platform
17:28:11 [karen]
...no one wants to support
17:28:30 [karen]
...So the problem here is that platform vendors want to support identity in a secure, user-centric way, but not in a proprietary way
17:28:34 [karen]
...closing example
17:28:36 [karen]
...TPM
17:28:45 [karen]
...way in which it got accepted is awesome
17:28:55 [karen]
...people who worked in trusted computing got together
17:29:03 [karen]
...so every laptop has a TPM chip
17:29:21 [karen]
...just the perfect example of why we need workgroups to create identity standards that are applicable to the platform
17:29:26 [karen]
Harry: now go to questions
17:29:35 [karen]
...20 minutes then break
17:29:54 [karen]
PHB: going back to other discussion about platforms
17:30:06 [karen]
...we have not decided about how to represent the account identifier
17:30:11 [karen]
...OpenID uses a URI
17:30:15 [karen]
...and type in..
17:30:26 [karen]
...look on web, way we federate accounts
17:30:46 [karen]
...if we can make that decision to use that same mechanism to represent an account across SAML, and OpenID and OAuth
17:30:53 [karen]
...we could all make that play nicely and simply
17:30:57 [karen]
...and how one relates to another
17:31:07 [karen]
JeffH: Phil makes a good point
17:31:11 [karen]
...a bit confused
17:31:20 [karen]
...what we people use to id ourselves in an online context
17:31:36 [karen]
...may or may not be mapped to what internally in the system is known as an account identifier under the hood
17:31:44 [karen]
...he is talking about user identifiers
17:31:48 [karen]
...we could leverage those
17:31:54 [karen]
...but not nec what gets mapped under hood
17:32:04 [karen]
...people wield multiple identifiers
17:32:17 [karen]
Phil: comes to how you interpret; whether you use DNS
17:32:31 [karen]
...identity provider at xyz.com or Fred at pqr.com
17:32:40 [yoiwa]
yoiwa has joined #idbrowser
17:32:41 [karen]
...have to decide if we are going to use the DNS and nothing else
17:33:00 [karen]
CarlH: In cases where customer has own equipment
17:33:10 [karen]
...it looks like identity management should be in the platform
17:33:14 [karen]
...and be just another app
17:33:18 [karen]
...like Google chrome
17:33:23 [karen]
...could be standardized
17:33:31 [karen]
...to do that and have these apps work together
17:33:41 [karen]
...me having 40K apps on my iPhone that won't work together is crazy
17:33:47 [karen]
...so apps must work together on the platform
17:33:55 [karen]
...I didn't hear a revocation story from Dirk
17:34:05 [karen]
Dirk: I had the step of provisioning the account
17:34:08 [karen]
...just an OAuth flow
17:34:17 [karen]
...what fell out was an OAuth
17:34:27 [karen]
...service provider can show tokens
17:34:33 [karen]
Carl: could be tricky to explain
17:34:40 [CraigWi]
CraigWi has joined #idbrowser
17:34:49 [karen]
Dirk: page not very good, hard to discover; I think Facebook is doing a better job
17:34:54 [CraigWi]
q+
17:34:57 [karen]
...service provider knows the token has been issued
17:35:07 [karen]
Carl: should provide a reasonable summary
17:35:25 [karen]
Dirk: could be a situation to voluntarily give up token
17:35:37 [karen]
Carl: How can we explain to users what they have given out and what they can take back?
17:35:44 [karen]
Dirk: with Android, you can uninstall
17:35:53 [karen]
...but revocation you have to do on server provider side
17:36:02 [karen]
Dave: a couple things
17:36:10 [karen]
...Jeff's comment of email address, I am a big fan of that
17:36:18 [CraigWi]
from a question yesterday, the Microsoft Security Intelligence Report is at http://www.microsoft.com/security/sir/default.aspx
17:36:18 [karen]
...if you use the @ sign you apply an email address
17:36:33 [karen]
...I don't have an obvious solution, but we need simplifying assumptions
17:36:37 [karen]
...improve usability
17:36:48 [karen]
...bigger point, there may be low hanging fruit to improve usability
17:37:03 [karen]
...to point that improving usability is worth doing
17:37:06 [hhalpin]
hhalpin has joined #idbrowser
17:37:07 [karen]
...consistency is important
17:37:15 [hhalpin]
q+ craig
17:37:18 [hhalpin]
q+ nico
17:37:18 [karen]
Harry: Phil
17:37:18 [karen]
ack Phil
17:37:25 [hhalpin]
q+ a2
17:37:25 [benadida]
ack me, that was a while ago
17:37:25 [karen]
PHB: I agree with what Dave just said
17:37:35 [karen]
...I tried using ? in mark-ups
17:37:39 [benadida]
ack benadida
17:37:43 [karen]
...most sites require you to use an email account
17:38:00 [karen]
...If you want to aggregate more than a small number of accounts; this may not be your sole email
17:38:13 [karen]
...but it must have to have some email like properties and be used as a customer service account
17:38:16 [tyler]
q+
17:38:22 [karen]
Dave: it's a limiting assumption
17:38:36 [karen]
Dirk: an email address should be a standard attribute because it is pervasive
17:38:46 [karen]
...I don't think it should be "the" identifier of the account
17:38:48 [hhalpin]
ack CraigWi
17:38:51 [karen]
...just an attribute
17:38:52 [hhalpin]
ack craig
17:38:53 [karen]
ack Craig
17:39:04 [karen]
Craig: security analysis report
17:39:10 [karen]
...acc't manager in Honeycomb
17:39:16 [karen]
...MS has a full suite of capabilities
17:39:21 [karen]
...Windows probably sends
17:39:41 [karen]
...further investments in that space, plug-in model, may be worth noting
17:39:47 [karen]
...Phil said about deployment
17:39:52 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html tlr
17:39:58 [karen]
...deployment was both fantastic opportunity and failure
17:40:04 [karen]
...we thought we could get on all machines
17:40:09 [karen]
...but was first version, not improved
17:40:19 [karen]
...with need for deployment to evolve systems
17:40:19 [Brad]
Brad has joined #idbrowser
17:40:23 [karen]
...we won't get it right
17:40:33 [gape]
gape has joined #idbrowser
17:40:34 [karen]
...do get broad deployment and good site of timeline usability is important
17:40:46 [karen]
Sam: a solution for some use cases is to have a component of web app
17:40:52 [karen]
...a library you can grab
17:41:00 [karen]
...you have evolution points within the platform
17:41:07 [karen]
...which could give you a better story
17:41:13 [karen]
...either one can bring new features to the other
17:41:15 [karen]
ack Nico
17:41:17 [hannes]
hannes has joined #idbrowser
17:41:18 [karen]
ack Tyler
17:41:19 [hhalpin]
ack nico
17:41:22 [hhalpin]
ack tyler
17:41:22 [karen]
Tyler: question for Netflix
17:41:28 [karen]
...you are using web technologies
17:42:02 [karen]
Mark: we do have user interface stuff in web environment
17:42:10 [karen]
...video streaming is pretty much under covers
17:42:22 [karen]
...we could put together a proposal of a JavaScript API requirements
17:42:33 [karen]
Tyler: A strawman proposal would be good
17:42:54 [karen]
Harry: yes, we really do need strawman proposals to make work move forward; for more or less every group of passcode features in scope
17:43:03 [karen]
...we are trying to determine how much of device id is in scope
17:43:04 [hhalpin]
ack a2
17:43:30 [karen]
Q: Online acc't manager would also fall back to same issues as yesterday
17:43:33 [karen]
...go into form fill
17:43:35 [karen]
Phil: yes and no
17:43:36 [PhilWolff]
PhilWolff has joined #idbrowser
17:43:43 [karen]
...if site makes it too difficult for me, I don't use
17:43:50 [karen]
...like Huffington Post
17:43:50 [PhilWolff]
PhilWolff has joined #idbrowser
17:43:56 [karen]
...I will give up if it's too difficult
17:44:08 [karen]
...yes, there are idiot web managers that want to control the user experience
17:44:16 [karen]
...and then they become unemployed
17:44:20 [karen]
Q: they are still there
17:44:33 [karen]
Phil: some you cannot reach; if you can get 80-90 percent in, better than zero
17:44:42 [karen]
Q: we make one, I agree, but still suffer
17:44:44 [karen]
...no standard
17:45:10 [karen]
Q: for Intel, from hardware platform perspective, where are the manufacturers in coming up with a standard
17:45:16 [karen]
...why not start at platform and build up
17:45:30 [karen]
...where are we? What is Intel, AMD, as an industry
17:45:38 [karen]
A: No agreement what we need
17:45:51 [karen]
...people like me who approach more philosophically and the business side
17:46:07 [karen]
...no one will use Id privileges unless there is mass adoption
17:46:23 [karen]
Q: sort of schizophrenic
17:46:33 [karen]
A: lots of things Intel is working on
17:46:40 [karen]
Q: no standards body working on that?
17:46:48 [karen]
Harry: at W3C we work on more Webby things
17:46:57 [karen]
Q: For Google we talked about the "ok" button
17:47:08 [JeffH]
who's the guy asking these good questions?
17:47:11 [karen]
...Ok comes onto screen so fast; you grant permission to get information
17:47:21 [karen]
...have you thought through usability of those who don't want to give approval?
17:47:28 [karen]
Dirk: Google screens are the standard
17:47:33 [karen]
...that we implemented
17:47:46 [karen]
...what should go on those consent screens is an interesting problem
17:47:54 [karen]
...informed consent; versus check boxes
17:48:02 [karen]
...yes, it's an interesting problem we are looking at
17:48:10 [karen]
...but a bit orthogonal to identity in the browser
17:48:16 [karen]
...to me it seems like a trust issue
17:48:22 [karen]
...either I trust or I don't
17:48:25 [karen]
...if I trust, they are ok
17:48:43 [karen]
Sam: more like I trust them or I trust them; have you ever said no?
17:48:52 [karen]
Dirk: yes, I have said no
17:49:13 [karen]
Q: If you install an app that asks for phone calls when you want to play a game, you still say yes
17:49:27 [karen]
Dirk: I look at number of stars, who recommended it
17:49:34 [karen]
Harry: Nico, Dominique
17:49:47 [karen]
Nico: to comment on the Android, I want to say, no I don't want that privilege
17:49:59 [karen]
...I liked your presentation
17:50:07 [karen]
...you exemplified what you can do with a framework and APIs
17:50:14 [karen]
...some of what you showed is somewhat I envision
17:50:22 [karen]
...so you, me and him need to get together
17:50:29 [karen]
Dirk: you are not only one who wants that feature
17:50:45 [karen]
Dominique: I am curious to know scheme of user creating account
17:50:49 [karen]
...how do you deal with elevations
17:50:55 [karen]
...transactions may have a higher value
17:51:00 [karen]
...how do you protect that information
17:51:13 [karen]
...if someone else assumes the account of that indiv, but not real person, how do you tell?
17:51:24 [karen]
Dirk: first part of question goes into transaction based authorization
17:51:33 [karen]
...at that point in time I need additional authorization from the user
17:51:48 [karen]
...When you install account, an OAuth token could be used
17:51:56 [karen]
...but not powerful enough to approve all transactions
17:52:15 [JeffH]
on a technical level, an "oauth token" is a "capability"
17:52:16 [karen]
...then service provider sees they are using an OAuth; could send an sms to them
17:52:23 [karen]
Dominique: so resides at service provider?
17:52:33 [karen]
Dirk: yes, service provider decides about OAuth token
17:52:55 [karen]
Q: What if developer asks to turn feature off?
17:53:06 [karen]
Harry: to summarize
17:53:08 [PhilWolff]
Did anyone answer the question raised by Intel about hardware baking in identity protocols that fail to update and keep up?
17:53:10 [karen]
...needs to work with platform
17:53:17 [karen]
...account manager, account manager
17:53:22 [karen]
...help Phil's cloud scheme
17:53:24 [karen]
...show of hands
17:53:29 [karen]
...should we scope ourselves
17:53:34 [karen]
...outside browser mechanisms
17:53:39 [karen]
...The statement is
17:53:42 [karen]
...scoping statement
17:53:58 [karen]
...strong consensus about account managers working outside browsers and in the cloud
17:54:04 [karen]
...yes, we should go outside browser
17:54:18 [karen]
[half room says yes]
17:54:23 [karen]
[no hands for no]
17:54:38 [karen]
...Next, yes device ID should be within scope
17:54:46 [karen]
[about half room shows hands]
17:54:50 [karen]
[a few no hands]
17:55:04 [karen]
Sam: another question, is it valuable to see what IETF is doing
17:55:06 [karen]
...and try to align
17:55:08 [jimklo]
jimklo has joined #idbrowser
17:55:18 [karen]
Nico: in a device, identity comes from platform or the hardware
17:55:30 [karen]
Sam: yes, I agree; but is it desirable for us to work with IETF
17:55:43 [karen]
Harry: I assume answer is yes to work with IETF
17:55:54 [karen]
Mark: you are also thinking about platform capability
17:56:01 [karen]
...whether keys represent you or the device
17:56:04 [JeffH]
my thought is that the particular notion of "device id" that the netflix folks are arguing for is imv a somewhat separable problem
17:56:11 [karen]
Sam: on Android, device id could be another account
17:56:17 [karen]
nico: we want to bake a framework in
17:56:22 [karen]
...another one for user id
17:56:26 [karen]
...want ability to have them
17:56:42 [karen]
John Linn: these two topics are valid area of standardization, yes
17:56:52 [karen]
...if it's W3C or others to approach, should discuss
17:56:53 [JeffH]
also, there may be existing work that can be leveraged for "device id" and it isn't necessarily something that needs to be reinvented
17:56:55 [karen]
Harry: good point
17:57:01 [karen]
...one of reason ISOC is co-chairing
17:57:13 [karen]
...is I do believe W3C is happy to coordinate with IETF in this area
17:57:25 [karen]
JeffH: this device Id stuff could largely be done from a protocol perspective
17:57:30 [tlr]
(also, the W3C liaison to the IETF is sitting in the second row and nodding)
17:57:32 [karen]
...in other contexts, don't reinvent it
17:57:43 [karen]
Harry: we will have a protocol discussion in the afternoon
17:57:48 [karen]
...sorry ten minute break
17:57:55 [karen]
rrsagent, make minutes
17:57:55 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html karen
17:58:03 [karen]
rrsagent, make mintues
17:58:03 [RRSAgent]
I'm logging. I don't understand 'make mintues', karen. Try /msg RRSAgent help
18:03:12 [dpranke]
dpranke has joined #idbrowser
18:07:14 [fjh]
fjh has joined #idbrowser
18:07:40 [wbaker]
wbaker has joined #idbrowser
18:13:01 [josephboyle]
josephboyle has joined #idbrowser
18:19:11 [bkihara]
bkihara has joined #idbrowser
18:20:11 [tlr]
rrsagent, draft minutes
18:20:11 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html tlr
18:20:21 [tlr]
tlr has changed the topic to: http://www.w3.org/2011/05/25-idbrowser-minutes.html
18:21:17 [PHB]
PHB has joined #idbrowser
18:21:44 [PHB]
Standing in for Kaliya
18:21:49 [tlr]
ScribeNick: PHB
18:22:01 [PHB]
Ideas for user centricity -
18:22:15 [PHB]
Usability is important
18:22:37 [PHB]
This group is not the default, people can act out online without consequences
18:22:44 [nico]
nico has joined #idbrowser
18:22:48 [PHB]
People use multiple personas, particularly women
18:23:28 [PHB]
Ways to let people manage their own data online
18:23:50 [PHB]
Critical thing is to allow users to have multiple persona
18:23:55 [nico]
I'm curious why women might have more online personas than men, and where's the data to back that up :)
18:24:13 [PHB]
Organized conference earlier this year - she is geeky
18:24:34 [PHB]
Users had 2 facets by default
18:24:45 [nico]
ah, there's the data
18:25:04 [PHB]
Women had an average of 6 facets, some must have had far more to make average
18:25:23 [PHB]
Being seen vs being watched vs being stalked
18:25:46 [PHB]
Being seen is bidirectional
18:25:58 [PHB]
Being watched is unidirectional
18:26:06 [mixedpuppy]
mixedpuppy has joined #idbrowser
18:26:15 [PHB]
Being stalked is aggregating across multiple sources
18:26:25 [bblfish]
bblfish has joined #idbrowser
18:27:01 [PHB]
Personal data services
18:27:02 [fjh]
fjh has joined #idbrowser
18:27:16 [PHB]
users control their own data, users can share and trade in ways that they control
18:27:21 [dpranke]
Is "stalking" an established term in this space
18:27:24 [PHB]
Can get free flights!!
18:28:41 [dpranke]
I fear it may be overly charged or polarizing
18:29:30 [zolli]
zolli has joined #idbrowser
18:29:50 [PHB]
Mary-Ann Hona
18:29:54 [PHB]
Hondo
18:30:06 [PHB]
The IBM presentation
18:30:11 [PHB]
The Nexus of identity
18:31:00 [PHB]
Users want two control knobs
18:31:16 [PHB]
one is transparency
18:31:44 [PHB]
Presenting aggregate IBM opinion is hard (!)
18:31:48 [PHB]
yes to everything
18:32:08 [PHB]
Lets do whatever we can to improve usability scalability security
18:32:14 [dveditz]
dveditz has joined #idbrowser
18:32:17 [hhalpin]
hhalpin has joined #idbrowser
18:32:40 [PHB]
In addition to the base products, research into vulnerabilities
18:33:00 [PHB]
acquired company now our X-force group, usability & security
18:33:35 [PHB]
track vulnerabilities, policies, risk based policies and controls
18:33:55 [PhilWolff]
Hodder: ID managers should help users apply/admin personae from the browser, not just authentication.
18:33:58 [PHB]
what exactly would a well behaved mobile app look like?
18:34:13 [PHB]
identity support outside the browser
18:34:28 [PHB]
less concerned about what it is than being able to talk about it in a common way
18:34:38 [PHB]
Our vision
18:34:54 [PHB]
zurich lab has worked with EU on privacy issues
18:35:11 [PHB]
vision from lab is that users can interact in a safe and secure way
18:35:38 [PHB]
identity mixer, a flexible cryptographic framework
18:35:42 [PHB]
access control
18:35:50 [PHB]
EU projects to make it real
18:36:18 [PHB]
proofs of claims such as 'i am between 12 and 15 years old'
18:36:24 [PHB]
can be used with smartcards
18:36:39 [PHB]
addresses all requirements of privacy protecting PKI
18:36:56 [PHB]
Who are you vs access ??? (slide gone)
18:37:18 [PHB]
Resources www.Primelife.eu
18:37:25 [PHB]
(contacts in slides)
18:37:45 [PHB]
TLR: European host of W3C is a participant in that project
18:37:53 [PHB]
Next speaker:
18:38:00 [tlr]
... as are several W3C staffers
18:38:05 [tlr]
(Rigo, Dave Raggett, myself)
18:38:21 [PHB]
John Tolbert from The Boeing Company
18:38:27 [PHB]
History
18:38:44 [PHB]
Talk about identity, use identity for access control
18:39:05 [PHB]
History: Users, Groups, ACLs, to Risk Adaptive AC
18:39:23 [PHB]
Can't say we have got off the simple stuff in some cases.
18:39:28 [PHB]
Machinery of identity
18:39:47 [PHB]
LDAP, Web Access management and so on, PKI, SAML, smartcards
18:40:04 [PHB]
Encouraged by what I have heard
18:40:17 [PHB]
interested in combination of user and device identity
18:40:39 [PHB]
Get wrapped up in aerospace, defense type world
18:40:50 [PHB]
finance, social media type
18:41:12 [PHB]
use web access management internally extensively
18:41:18 [PHB]
1000s of applications (not users!)
18:41:37 [PHB]
external connection get into
18:41:50 [PHB]
identity is a piece of the puzzle
18:41:53 [PHB]
everything goes into the middle, access control
18:42:44 [PHB]
Empower people in global trade controls, to author policy and make access control decisions
18:42:59 [PHB]
environment matters, who a person is, where their device is
18:43:05 [PHB]
being able to prove that strongly
18:43:18 [PHB]
identity providers
18:43:31 [PHB]
nobody in this country would go for a national identity card
18:43:43 [PHB]
bottom up may provide what we need in that area
18:44:12 [PHB]
mention the unmentionable - advanced persistent threats
18:44:34 [PHB]
identity in browser can be compromised, for naught if machine is compromised
18:44:44 [PHB]
skip through data protection for time
18:45:08 [PHB]
cryptographic standards needed to bind metadata to data for access control decisions
18:45:31 [PHB]
look to how we can leverage info from groups like trusted computing , extend existing standards, SAML etc
18:46:03 [PHB]
Next speaker
18:46:16 [PHB]
Yahoooooo!
18:46:28 [PHB]
Wendel Baker from right media
18:46:42 [PHB]
Provide open marketplace where Yahoo can buy and sell ads
18:46:54 [PHB]
Pay the bills by monetization
18:46:59 [PHB]
two systems in Yahoo
18:47:05 [PHB]
ONO - Owned and operated
18:47:14 [PHB]
sold on guaranteed basis like a newspaper
18:47:15 [fjh]
fjh has joined #idbrowser
18:47:27 [PHB]
hand money (make good) if can't make display
18:47:49 [PHB]
This is the other system does the infill
18:48:01 [PHB]
How the internet world thinks about monetization
18:48:01 [zolli]
zolli has joined #idbrowser
18:48:21 [PHB]
audience side - getting people to come and read stuff, use service
18:48:26 [PHB]
need to get people to register
18:48:37 [PHB]
how to manage identity in terms of profiles and so forth
18:48:45 [PHB]
goals have is to have more fun
18:48:52 [PHB]
more personalization more interest
18:48:56 [PHB]
does not get any money
18:49:10 [PHB]
two monetize charge people or you do advertising
18:49:25 [PhilWolff]
@dpranke stalking is used for this type of asymmetry among online social science researchers
18:49:27 [PHB]
joke in VC community and can't work out how to monetize become an ad network
18:49:55 [PHB]
to make this interesting need to do more than just push pictures in front of people
18:50:09 [PHB]
need to tailor ad to the viewer
18:50:25 [PHB]
match between who the audience is, set of advertisers and the browser
18:50:45 [PHB]
Someone is providing the venue, set of advertisers would like access to opportunity and the viewer
18:51:03 [PHB]
today are two systems and they are unconnected for various reasons including policy
18:51:16 [PHB]
when you log in you get to choose screen name etc
18:51:35 [PHB]
advertising side is assigned to you by advertiser, public policy space
18:51:48 [PHB]
key about advertising is that you don't have to interact with that
18:52:05 [PHB]
don't need to know very much about the person on the other side of the wire
18:52:21 [PHB]
rough idea that have seen this guy before
18:52:34 [PHB]
amount of time that a buyer is focusing on the metrics is short
18:52:45 [PHB]
audience side identity systems
18:53:10 [PHB]
users should not need to sign in to use this site
18:53:39 [PHB]
users who log in via open id or whatever are better users, spend longer time, play more games etc
18:54:08 [PHB]
other way
18:54:19 [PHB]
got to be some way of identifying site
18:54:33 [PHB]
three screen strategy or four screen
18:54:47 [PHB]
trying to relate what is going on in the online space to tv, mobile and other
18:54:54 [PHB]
web is the center
18:55:22 [PHB]
vision is that you should be able to do something on your tv, go to the web, mobile and its all the same stuff
18:55:35 [PHB]
need a way to link the identity across the devices so that you know its the same user
18:55:42 [PHB]
other side of the house
18:56:00 [PHB]
everything goes through the exchange that resolves 'who gets the ad'
18:56:24 [PHB]
this notion of who the user or the device is is not tied to what is seen before
18:56:42 [PHB]
advance going on today is linkage between different exchanges
18:56:56 [PHB]
to do that need to map the identity between different marketplaces
18:57:12 [PHB]
very important exchange wants to maintain its idea of who a user is
18:57:17 [PHB]
but need to match up
18:57:21 [PHB]
two sides
18:57:30 [PHB]
voluntary identity, vs forced identity
18:57:48 [PHB]
how strong and by what method should we tie these mechanisms?
18:58:43 [PHB]
Speaker: Chadwick
18:59:04 [PHB]
Trusted Attribute Aggregation
18:59:06 [PHB]
TAAS
18:59:26 [PHB]
Paypal people think of it as a broker
18:59:30 [PHB]
few sites
18:59:34 [PHB]
electronic shopping site
18:59:37 [PHB]
said student
18:59:43 [PHB]
comes to shopping payment time
18:59:54 [PHB]
need a credit card, postal address and student card
19:00:00 [PHB]
two attributes from user
19:00:08 [PHB]
one from bank (credit card)
19:00:14 [steve_schultze]
steve_schultze has joined #idbrowser
19:00:16 [PHB]
and one from school (student card)
19:00:25 [PHB]
Policy for getting onto the site
19:00:40 [PHB]
is a mime type that causes a plugin to be activated by the browser
19:00:46 [PHB]
user clicks on bookmark
19:00:52 [PHB]
this stops a phishing attack
19:01:02 [PHB]
selects trusted service provider
19:01:19 [PHB]
can use any auth system you want we use username and password
19:01:26 [PHB]
has taken policy of the search provider
19:01:34 [PHB]
and filtered it according to the user
19:01:43 [PHB]
got some names and got some addresses
19:02:00 [PHB]
can have an official name given by the government or a name chosen by user
19:02:07 [PHB]
can do a gift purchase
19:02:10 [PHB]
can submit
19:02:24 [PHB]
or save and submit where the system remembers and gets one click shopping
19:02:41 [PHB]
now can go back and get single click shopping
19:02:49 [PHB]
single sign-on from SAML etc
19:03:10 [PHB]
another example from UK e-gov work
19:03:19 [PHB]
to get parking permit must have proof of car ownership
19:03:26 [PHB]
proof of pension
19:03:29 [PHB]
credit card
19:03:45 [PHB]
government currently only doing aggregation of government attributes
19:04:25 [PHB]
this time when user chooses name the only one that works is the officially certified name
19:04:42 [PHB]
user can't choose bill gates, has to match policy from search provider
19:05:01 [PHB]
goes back to site and site says these are attributes that were provided to me
19:05:13 [PHB]
if happy with that can get permit sent in post.
19:05:21 [PHB]
uses SAMLv2
19:05:30 [PHB]
(read slide summary of features)
19:07:07 [PHB]
similar features today to what Microsoft and IBM will provide in ten years time
19:07:34 [PHB]
Demo is at (someone else must type)
19:07:37 [PHB]
username is guest
19:07:38 [hhalpin]
can someone near the front type that URI into IRC?
19:07:44 [PHB]
password is password
19:07:54 [hober]
s/guest/Guest/
19:08:01 [PHB]
(high security here!)
19:08:09 [PHB]
Time check, we are an hour late
19:08:13 [PHB]
20 mins for discussion
19:08:53 [PhilWolff]
PhilWolff has joined #idbrowser
19:09:13 [PHB]
Dirk? Wicked does not mean bad
19:09:22 [jkmathes]
jkmathes has joined #IDBrowser
19:09:27 [PHB]
Stalking has connotations... is this intentional
19:09:31 [PHB]
loaded term
19:10:08 [nico]
"stalker economy"
19:10:17 [PHB]
?? well, referring to it as stalker economy is that we see people using info in malicious ways
19:10:32 [PHB]
people selling life insurance go online
19:10:38 [dpranke]
dpranke has joined #idbrowser
19:10:40 [PHB]
health insurers
19:10:48 [PHB]
not just you but your friends
19:10:56 [PHB]
so its all kinds of ways
19:11:00 [PHB]
q+
19:11:05 [PHB]
dossiers being compiled
19:11:19 [JeffH]
q+ JeffH
19:11:25 [PHB]
Dan schuster
19:11:28 [nico]
so act anonymously then?
19:11:32 [PHB]
legitimate needs of privacy
19:11:39 [PHB]
trying to support them is chasing tail
19:11:50 [PHB]
can obtain all the information from a variety of sources
19:11:59 [PHB]
photos announcement of church etc
19:12:19 [PHB]
nothing to do with whether know full birthday, who I am etc
19:12:46 [nico]
See Spokeo for a freaky example. As the chairman of a past employer said: "you have no privacy, get used to it"
19:12:47 [PHB]
is complicating id metasystem, but agent can get same info more easily
19:12:51 [yoiwa]
yoiwa has joined #idbrowser
19:12:58 [PHB]
name and age bracket plus zip is enough to identify you
19:14:19 [jkmathes]
jkmathes has joined #IDBrowser
19:15:11 [tlr]
q?
19:15:23 [PHB]
Speaker Jon
19:15:36 [PHB]
Speaker Harry:
19:15:40 [nico]
Enough personal info arguably is identity...
19:15:42 [tlr]
queue=PHB, JeffH
19:15:50 [PHB]
Quick question at Mary: is google a personal id system
19:16:01 [PHB]
yes
19:16:11 [PHB]
Wendel: device ID in paper
19:16:25 [PHB]
need complex schemes to track people to real id on their net
19:16:32 [PHB]
what is the process to
19:16:42 [hhalpin]
actually I think Mary said "maybe"
19:16:51 [PHB]
netflixy based hardware id is better, have number and can just work with it
19:16:52 [hhalpin]
which does make me wonder what is NOT a personal data store.
19:17:08 [PHB]
scale of the yahoo audience must be lots of
19:17:09 [hhalpin]
Perhaps Wendell's ad-tracking system would not be one, as I am not aware of it per se
19:17:30 [PHB]
state kept, device id would make it simpler, reduce gear, costs, co-lo space and so on.
19:18:34 [mixedpuppy]
mixedpuppy has joined #idbrowser
19:18:57 [PHB]
John Linn:
19:19:12 [PHB]
Trusted components
19:19:14 [bradhill]
ack PHB
19:19:16 [PHB]
is underspecified
19:19:22 [PHB]
should be by whom and for what
19:19:31 [PHB]
(PHB and does not mean trustworthy)
19:19:52 [PHB]
firefox plugin is an adblocker will undo an aspect of the system
19:20:01 [PHB]
need to recognize there are components
19:20:11 [PHB]
different entrants and for different purposes
19:20:21 [PHB]
we engineered it to minimize the trust component
19:20:33 [PHB]
never asks for username and password
19:20:50 [PHB]
(Chadwick) I don't know who you are, idp does not know
19:20:58 [PHB]
aggregator merely aggregates tuples
19:21:10 [PHB]
minimize the amount of trust required in it
19:21:23 [PHB]
will only release links to the entity that gave it to them
19:21:41 [PHB]
trust is a major issue
19:21:56 [PHB]
Tom ?
19:22:12 [karen]
Tantek Celik speaking
19:22:12 [PHB]
Economics, pick any
19:22:23 [PHB]
zero to know cost to check anyone in your system
19:22:41 [PHB]
zero cost to stalk everyone makes a very bad system
19:23:05 [PHB]
Jeff Hodges: This is really important stuff but layer 9
19:23:14 [PHB]
legislation and policy rather than technology
19:23:20 [PHB]
??
19:23:30 [PHB]
(can't hear)
19:23:38 [PHB]
I just want to be this person for today
19:23:43 [bradhill]
ack JeffH
19:23:49 [PHB]
David singer above
19:24:06 [karen]
Greg Kerr, AuthenTec was speaking
19:24:16 [PHB]
Dan: brute force is not as difficult as people imagine.
19:24:34 [PHB]
Sam H.: anonymity and unlinkability is harder than you think no matter what
19:24:56 [PHB]
agree with jeff, every if statement in your code is a potential linkability issue
19:25:07 [PHB]
have bought 40 minutes
19:27:07 [JeffH]
OMG -- Carl Hewitt has an even bigger gear bag than me....
19:27:16 [JeffH]
:)
19:27:38 [PHB]
Dan Schuster
19:27:39 [dpranke]
dpranke has joined #idbrowser
19:28:11 [PHB]
what is different now that would make it a good time to be making changes?
19:28:22 [PHB]
much greater sophistication in malware and fraud etc than before
19:30:20 [PHB]
Government drive
19:30:23 [PHB]
Smartphones
19:30:33 [PHB]
Social networks etc
19:30:39 [PHB]
now may be the time to see things happen
19:30:42 [PHB]
barriers
19:30:52 [nico]
Are logs of this channel being kept?
19:31:00 [PHB]
(summary is in slides)
19:31:05 [nico]
If so, where?
19:31:23 [PHB]
hard to displace historical precedence
19:31:37 [PHB]
must be easier to use, to interface to
19:32:16 [JeffH]
@nico -- apparently irc.w3.org keeps logs and there's a std way to get to them. i dunno offhand what it is. TLR said they'd let us know
19:32:30 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/05/25-idbrowser-minutes.html tlr
19:32:55 [nico]
JeffH, tlr: danke
19:33:21 [PHB]
Financial services: need mutual authentication
19:34:10 [PHB]
(break to find slide)
19:34:15 [PHB]
Don Thibeau Open ID
19:34:26 [PHB]
OIX /NSTIC and path forward
19:34:52 [PHB]
NSTIC talks about an identity ecosystem
19:35:01 [PHB]
new animals in mix - regulators
19:35:13 [PHB]
lawyers, auditors, policy makers
19:35:29 [PHB]
dependency on a new type of infrastructure
19:35:43 [PHB]
brings lawyers and accountants into the conversation
19:35:47 [JeffH]
"send lawyers, guns, and money!!@%^" -- warren zevon
19:36:06 [PHB]
Public Private Partnership workshops to kick off in two weeks
19:36:24 [PHB]
Open Identity Exchange is in response to a US govt request
19:36:41 [PHB]
asked openID foundation to participate
19:37:04 [PHB]
How to deliver more service as budgets decline
19:37:09 [PHB]
online and in the cloud
19:37:15 [PHB]
need to solve the identity problem
19:37:23 [PHB]
Open Id Exchange
19:37:36 [PHB]
(PHB does this look like Liberty Alliance?)
19:38:28 [PHB]
restructure other identity providers from telco space
19:38:30 [PHB]
and people in data aggregation biz
19:38:32 [dpranke]
dpranke has joined #idbrowser
19:38:49 [PHB]
OIX is center of gravity to sort out what it means to become a trust framework
19:39:16 [PHB]
OIX is trying to do is to become the partner in the public-private partnership
19:39:23 [PHB]
private sector will lead
19:39:31 [PHB]
what are the goals?
19:40:07 [PHB]
technology + policy
19:40:22 [PHB]
policy interoperability + technical interop = trust framework
19:40:30 [PHB]
trusted by whom and for what
19:41:15 [PHB]
OIX is providing plumbing, and best practices
19:41:26 [PHB]
plumbing is rules + tools
19:41:36 [PHB]
RISK Wiki
19:41:45 [PHB]
knowledge center where people can post stuff
19:41:58 [PHB]
pull from the risk wiki components they can re-use
19:42:13 [PHB]
set of tools , metadata listing service
19:42:27 [PHB]
what are requirements for each provider
19:44:41 [PHB]
pilots taking place
19:44:49 [dveditz]
dveditz has joined #idbrowser
19:44:50 [PHB]
bind email address to postal address (etc)
19:45:28 [yoiwa]
yoiwa has joined #idbrowser
19:46:27 [PHB]
Francisco Corella on the NSTIC
19:47:15 [PHB]
One goal of NSTIC is to get rid of passwords
19:47:24 [PHB]
is being achieved right now with social login
19:47:43 [PHB]
or by other social site like myspace or linked in
19:47:46 [PHB]
is this good?
19:47:50 [PHB]
unfortunately not
19:48:01 [PHB]
current social login is moving us in wrong direction
19:48:13 [PHB]
social site can track users login
19:48:20 [PHB]
allows credential to be sent en clair
19:48:43 [PHB]
so use facebook at cafe with wifi it is very easy for hacker to attack you
19:49:05 [PHB]
specific to OAUTH is that rp must register with the site
19:49:16 [PHB]
so if login with facebook becomes ubiquitous
19:49:28 [PHB]
facebook controls the web, can revoke registration
19:49:37 [PHB]
reinforces facebook monopoly
19:49:52 [PHB]
can't persuade rps to register with them
19:50:03 [PHB]
competitor can't persuade rps to register with them
19:50:19 [PHB]
zero knowledge proof like IBM or uprove or
19:50:31 [PHB]
need an interim solution
19:50:39 [PHB]
will take time
19:50:54 [PHB]
having interim solution makes it possible to develop framework
19:51:02 [PHB]
ahead of the zero knowledge proof
19:51:24 [PHB]
HTTP extension for delegated identity
19:51:28 [PHB]
(details on slide)
19:53:47 [dpranke]
dpranke has joined #idbrowser
19:54:56 [PHB]
Dan Schuster back
19:56:24 [PHB]
Speaker Thomas J. Smedinghof
19:56:43 [PHB]
from ABA identity management legal taskforce
19:56:50 [PHB]
defining what it is
19:57:09 [PHB]
came down to looking at it from 50,000 foot level to two buckets of items
19:57:16 [PHB]
tools and rules
19:57:30 [PHB]
operational specifications
19:57:34 [PHB]
legal rules
19:58:52 [fjh]
fjh has joined #idbrowser
19:59:39 [PHB]
need to understand law when developing the rules
19:59:50 [PHB]
sometimes causes problems, sometimes fills in blanks
20:00:05 [PHB]
privacy is heavily regulated in the EU
20:00:14 [PHB]
in healthcare in the us
20:00:24 [PHB]
can't stand up rules for privacy that violate them
20:00:33 [PHB]
but may not cover everything
20:00:53 [PHB]
a dozen states regulate security for all companies
20:01:06 [PHB]
different countries used to regulate encryption in different ways
20:01:09 [PHB]
the law is there
20:01:20 [PHB]
the same thing happens with the legal rules
20:01:25 [PHB]
body of law is out there
20:01:31 [PHB]
but don't know what it says
20:01:40 [PHB]
what is your liability?
20:01:49 [PHB]
what is liability of browser vendor for liability?
20:01:57 [PHB]
in password manager?
20:02:07 [PHB]
legal rules can define that liability
20:02:11 [fjh]
q+
20:02:22 [PHB]
how much each party agrees to bear and so forth
20:02:37 [nico]
This isn't a legal issue yet, it's a political issue first
20:02:40 [PHB]
can specify in contract or default in existing law
20:02:48 [PHB]
(PHB - mention the rulebook approach)
20:03:05 [nico]
eventually it may also be a legal issue
20:03:26 [PHB]
can do it through statute or regulation
20:03:42 [PHB]
(will lag, be incomplete)
20:03:51 [PHB]
need some sort of contractual structure
20:03:59 [PHB]
facebook does have a contract
20:04:03 [PHB]
agree by clicking
20:04:04 [JeffH]
Tom providing a good overview of why we -- eg in "identity biz" -- need to pay attention to Layer 9 (legal/regulatory/contractual) issues
20:04:20 [PHB]
look at Identrus PKI system 4000 pages
20:04:28 [PHB]
can do it in a lot of different ways
20:04:37 [PHB]
common legal barriers
20:04:38 [steve_schultze]
q+
20:04:42 [PHB]
key issues
20:04:44 [PHB]
q+
20:04:57 [dveditz]
dveditz has joined #idbrowser
20:05:00 [PHB]
(describes slide)
20:05:05 [paul]
paul has joined #idbrowser
20:06:26 [dpranke]
q+
20:07:11 [wbaker]
wbaker has joined #idbrowser
20:07:14 [PHB]
ways to establish contracts
20:07:23 [PHB]
credit card model
20:07:30 [PHB]
non participants, how can they be injured
20:07:35 [PHB]
not a party to the system
20:07:44 [PHB]
what are their rights
20:07:46 [PHB]
open question
20:08:06 [PHB]
back to
20:08:13 [PHB]
Dan Schuster
20:08:48 [PHB]
requirements wish list
20:08:49 [nico]
nico has joined #idbrowser
20:08:59 [PHB]
want to set up a secure trusted authenticated path
20:09:17 [PHB]
authenticate all information that is exchanged
20:09:27 [PHB]
sufficiently granular
20:09:42 [PHB]
(delegates can act for others etc)
20:09:55 [PHB]
Decouple proofing authentication and authorization
20:09:56 [CraigWi]
q+
20:11:18 [PHB]
(summary is on slides)
20:15:52 [bradhill]
ack fjh
20:15:56 [PHB]
frederick:
20:16:02 [PHB]
legal stuff is important
20:16:12 [PHB]
sets direction but not detail
20:16:19 [PHB]
case law resolves detail
20:16:30 [PHB]
fast time to market for business reasons
20:16:37 [PHB]
how can sync the two up
20:16:38 [PhilHunt]
PhilHunt has joined #idbrowser
20:16:53 [hhalpin]
q?
20:16:57 [PHB]
speaker: law is always behind and don't know in the interim, make up own rules
20:17:05 [hhalpin]
q+ hannes
20:17:44 [hhalpin]
ack steve_schultze
20:18:11 [PHB]
steve:
20:18:18 [PHB]
hoping to rely on contracts
20:18:33 [PHB]
how reasonably would they make their way to relying parties
20:18:46 [PHB]
relying party agreements, how do they bind the RP?
20:18:50 [PHB]
bind
20:19:04 [Vladimir_]
Vladimir_ has joined #idbrowser
20:19:11 [PHB]
are there universes in which there are contracts that might bind end users?
20:19:24 [fjh_]
fjh_ has joined #idbrowser
20:19:39 [PHB]
Thomas: hard to do in open environment
20:19:54 [PHB]
easy to get Amazon, Ebay to agree
20:20:00 [PHB]
hard to get consumers
20:20:17 [PHB]
Don - that is the opportunity of a trust framework
20:20:33 [PHB]
solves problems of bilateral contracts
20:20:39 [hhalpin]
ack PHB
20:20:54 [tlr]
phb: faced open contracts problem when we founded a certain large CA
20:20:58 [fjh]
q?
20:21:00 [tlr]
... one of the approaches was a rulebook mechanism
20:21:11 [tlr]
.. join an exchange - there's a rule book that everybody has a bilateral contract with the rulebook
20:21:14 [tlr]
... that then mediates disputes
20:21:15 [tlr]
.
20:21:17 [tlr]
s/.//
20:21:25 [tlr]
... avoids need for everybody to have bilateral contract with everybody else
20:21:29 [tlr]
... didn't get to point of requiring that
20:21:31 [JeffH]
fyi: Steven Roosa – The Devil is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model’s Putative Legal Foundation http://citp.princeton.edu/events/lunch/steven-roosa/
20:21:34 [tlr]
... audience tag in SAML was inspired by that
20:22:09 [hhalpin]
http://etherpad.mozilla.org:9000/V0zRDKeAU0
20:22:13 [tantek]
tantek has joined #idbrowser
20:22:15 [PHB]
don: NYSE is the referree for the transactions
20:22:17 [hhalpin]
http://etherpad.mozilla.org:9000/V0zRDKeAU0
20:22:24 [hhalpin]
etherpad for open discussion lighting proposal sign-up
20:22:26 [hhalpin]
URI above
20:22:37 [PHB]
Thomas, is a common approach, has lot of merit
20:22:41 [hhalpin]
q?
20:22:42 [PHB]
how to bind consumer?
20:22:51 [PHB]
Dirk:
20:22:55 [hhalpin]
ack dpranke
20:23:32 [tantek]
hhalpin - I added the form annotation straw proposal you asked me to do to the etherpad
20:23:36 [PHB]
how does the browser into the rp thing?
20:23:50 [PHB]
large body of work wrt the duties of the identity provider
20:23:56 [PHB]
less for the relying parties
20:24:27 [hhalpin]
q?
20:25:26 [hhalpin]
ack CraigWi
20:25:33 [PHB]
Thomas: depends on how you set up the system, can vary from none to much
20:25:42 [PHB]
Dirk: is it too early for me to tell
20:25:50 [nico]
nico has joined #idbrowser
20:26:29 [PHB]
craig: in what way is the user directly involved?
20:26:33 [hhalpin]
q?
20:26:35 [hhalpin]
q+ a2
20:26:47 [PHB]
Don: got one experiment going on now
20:26:55 [jimklo]
jimklo has joined #idbrowser
20:27:08 [PHB]
gives user ability to control what they expose etc.
20:27:28 [PHB]
proxy model, terms of service between myself and AOL becomes fabric in which all is taking place
20:27:45 [hhalpin]
ack hannes
20:27:50 [PHB]
Dan: this is going to be regulatory rather than legal if users being abused
20:27:53 [PHB]
Hannes
20:28:19 [PHB]
nobody knows what trust framework means before that was federation etc.
20:28:32 [PHB]
NSTIC credit card model is mentioned
20:28:53 [PHB]
unfortunate direction because that model is not secure or
20:28:58 [PHB]
good
20:29:26 [PHB]
not sure where issues like liabilities lie or whether wider community wants to use
20:29:49 [PHB]
Phil: id in browser is good should really be able to share it
20:29:59 [hhalpin]
ack a2
20:30:02 [PHB]
have family of 5 thousands of contacts
20:30:08 [PHB]
how can one member share with others?
20:30:42 [PHB]
thomas on the credit card issue, agree not good model but not specific implementation but the way the issues are worked legally and contractually
20:30:57 [PHB]
provides one possible model of how to bind users to one model with a regulatory overlay
20:31:17 [PHB]
Don thing that made credit card issue work in US was the last leg and limited exposure
20:34:10 [dpranke]
I will also note that the way payments work internationally, there is a lot of variance and cultural differences that may make a global ecosystem for
20:34:59 [dpranke]
Trust and identity much more difficult.
20:37:38 [Hadley]
Hadley has joined #idbrowser
20:45:16 [dpranke]
dpranke has joined #idbrowser
20:46:53 [nico]
nico has joined #idbrowser
20:50:15 [nico_]
nico_ has joined #idbrowser
20:50:19 [nico__]
nico__ has joined #idbrowser
21:06:45 [lowenthal]
lowenthal has joined #idbrowser
21:08:44 [lowenthal]
q?
21:11:02 [lowenthal]
ScribeNick: lowenthal
21:16:03 [tlr]
tlr has joined #idbrowser
21:16:29 [lowenthal]
starting: protocol & api proposals
21:16:37 [lowenthal]
moderator: halpin
21:17:15 [lowenthal]
video presentation in lieu of henry story
21:17:19 [bradhill]
bradhill has joined #idbrowser
21:17:31 [lowenthal]
paper topic "the webid protocol & browsers"
21:18:05 [lowenthal]
story video presentation will occur last
21:19:01 [CraigWi]
CraigWi has joined #idbrowser
21:19:14 [bblfish]
hi
21:19:16 [lowenthal]
talking: yutaka
21:19:17 [bblfish]
is this now?
21:19:29 [fjh]
fjh has joined #idbrowser
21:19:40 [jkmathes]
jkmathes has joined #IDBrowser
21:19:48 [benadida]
benadida has joined #idbrowser
21:20:01 [bblfish]
presentation available online at http://bblfish.net/blog/2011/05/25/
21:20:08 [lowenthal]
keywords: can't get there from here
21:20:15 [bhill2]
bhill2 has joined #idbrowser
21:20:18 [lowenthal]
..."phishing is fun & profitable"
21:20:31 [lowenthal]
problem: form auth insecure against forging
21:20:43 [lowenthal]
web pages control behaviour 100%
21:21:02 [lowenthal]
even if we could make a secure password field, phishers could forge it via js
21:21:17 [lowenthal]
http auth is only potentially better
21:21:36 [lowenthal]
currently sucks: both basic and digest are insecure
21:21:55 [lowenthal]
lacks feature: ugly dialog, no ux, customization
21:22:04 [lowenthal]
no logout, guest access, session management
21:22:12 [lowenthal]
little motivation to fix http auth
21:22:18 [lowenthal]
because not currently used
21:22:27 [lowenthal]
so no motivation to use http auth
21:22:34 [lowenthal]
... chicken & egg problem
21:22:45 [lowenthal]
but: we cannot fix form auth
21:22:55 [lowenthal]
we need to cut the gordian knots of this problem
21:23:06 [tantek]
tantek has joined #idbrowser
21:23:10 [lowenthal]
we need mechanisms to mitigate current problems
21:23:23 [lowenthal]
proposal: password-based http auth protocol
21:23:42 [lowenthal]
strongly protects against eavesdropping mitm, forwarding, offline attacks
21:23:54 [lowenthal]
mutual site/user identification
21:24:08 [lowenthal]
auth success iff correct site && correct password
21:24:20 [lowenthal]
with a phishing site, authentication fails
21:24:29 [lowenthal]
users can confirm that they are talking to correct site
21:24:48 [lowenthal]
where correct means the same site the user made an account on (ie tofu)
21:24:59 [lowenthal]
that is: true, bidirectional shared secret
21:25:09 [lowenthal]
need to overcome 'usability' problem
21:25:20 [lowenthal]
by supporting current web app design
21:25:33 [lowenthal]
secure ui needed
21:25:44 [lowenthal]
[preventing password stealing by imitation]
21:25:55 [lowenthal]
mutual auth result should be available to the user
21:26:06 [lowenthal]
need 'non-modal' ui
21:26:16 [lowenthal]
ui in a non-content browser-controlled area
21:26:27 [lowenthal]
example: adjacent to address bar
21:26:44 [lowenthal]
but each browser can implement own ui, subject to requirements
21:26:57 [lowenthal]
coordination may be desirable
21:27:06 [lowenthal]
standardization desired
21:27:11 [lowenthal]
use cases:
21:27:26 [lowenthal]
standalone, for any website, like email
21:27:36 [lowenthal]
combine with id management like pw managers?
21:27:52 [lowenthal]
with federated logins, use http auth to sign into initial provider
21:28:19 [lowenthal]
currently proposing standardization in ietf
21:28:30 [lowenthal]
we should start standardizing, rolling out asap
21:28:45 [lowenthal]
once we reach major adoption, we may see a world with web auth
21:29:01 [lowenthal]
mailing list http-auth@ietf.org
21:29:27 [lowenthal]
talking nicolas williams
21:29:40 [lowenthal]
cryptonector lls, secureendpoints
21:29:56 [lowenthal]
proposing http auth system
21:30:02 [lowenthal]
http auth challenges
21:30:07 [lowenthal]
multiple infrastructures
21:30:15 [lowenthal]
preserve investment
21:30:30 [lowenthal]
need federation, authorization, granularity
21:30:43 [lowenthal]
need to define, protect session & associate w/session
21:30:54 [lowenthal]
need to support browser & non-browser http apps
21:31:06 [lowenthal]
need better ux: browser chrome, os integrations
21:31:11 [lowenthal]
constraints:
21:31:15 [lowenthal]
improve security
21:31:28 [lowenthal]
minimal/no mods to current software/hardware stack
21:31:44 [lowenthal]
nobody is going to rebuild / reconfigure current software stacks
21:31:51 [lowenthal]
apps must control when auth happens
21:32:02 [lowenthal]
may also wish to define mechanisms
21:32:13 [lowenthal]
... attributes, results
21:32:19 [lowenthal]
& apps want control over ui
21:32:25 [lowenthal]
certainly more than current http auth
21:32:33 [lowenthal]
proposal: REST-GSS
21:33:02 [lowenthal]
pluggable app-layer auth, supporting passwords, kerberos, pki, saml, openid, oauth... &c
21:33:07 [lowenthal]
entirely above http
21:33:17 [lowenthal]
auth done via post
21:33:45 [lowenthal]
post initial token to well-known uri, return 201, w/token, session uri
21:33:51 [lowenthal]
logout via delete
21:34:00 [lowenthal]
works at all http versions
21:34:17 [lowenthal]
sessions bound via 'mic' [like hmac]
21:34:22 [dpranke]
dpranke has joined #idbrowser
21:34:33 [lowenthal]
still possible to use cookies if web developers want
21:34:54 [JeffH]
ss-rest similar to draft-hammer-oauth-v2-mac-token-05
21:34:57 [lowenthal]
similar to msoft's integrated windows authentication
21:35:17 [lowenthal]
useful for enterprise applications
21:35:25 [lowenthal]
position paper focused on protocol
21:35:31 [lowenthal]
now for some ui & api elements
21:35:38 [lowenthal]
ui: dom element w/ login button
21:36:15 [lowenthal]
browser mechanism to indicate status, like https lock icon only indicating your identity, rather than server's
21:36:26 [lowenthal]
easy to switch between identities stored in browser
21:36:38 [lowenthal]
api:
21:36:50 [lowenthal]
xmlhttprequest bindings of the same thing
21:36:57 [lowenthal]
sometimes a script will want to trigger auth
21:37:04 [lowenthal]
similar for status enquiries
21:37:39 [lowenthal]
perhaps script will want to specify target name, (but we want something like same-origin restrictions to prevent credential hijacking)
21:37:59 [lowenthal]
server-side can be implemented in cgi completely using current ots tech
21:38:07 [lowenthal]
doesn't need modification to http stack
21:38:21 [lowenthal]
but can be integrated to make things easy, and make ui modification
21:38:42 [lowenthal]
hopefully can train users not to enter passwords into web pages
21:38:52 [lowenthal]
making browser chrome non-spoofable is tricky
21:39:01 [lowenthal]
why rest-gss? alternatives?
21:39:04 [lowenthal]
pros:
21:39:13 [lowenthal]
many cots implementations of gss-api
21:39:25 [lowenthal]
mit, heimdal, windows &c
21:39:40 [lowenthal]
oauth, openid now support one-way id
21:39:43 [mixedpuppy]
mixedpuppy has joined #idbrowser
21:39:45 [lowenthal]
os integration
21:39:48 [lowenthal]
pluggable
21:40:01 [lowenthal]
need a new mechanism like 0-know passwd proofs? add it!
21:40:08 [bhill2]
q+
21:40:08 [lowenthal]
auth at the correct layer
21:40:31 [lowenthal]
makes ssl less of a point of failure
21:40:42 [lowenthal]
alternatives: same with sasl?
21:40:46 [lowenthal]
something new?
21:40:59 [lowenthal]
use tls better? where do we get client certs?
21:41:17 [lowenthal]
api primer, message flow slides skipped
21:41:25 [lowenthal]
slides have notes, will be available online
21:41:33 [lowenthal]
one last thing:
21:41:34 [tlr]
tlr has joined #idbrowser
21:41:38 [lowenthal]
abstraction is key
21:41:51 [lowenthal]
much talk of single-frameworks using single mechanism
21:42:02 [lowenthal]
here can add/switch mechanisms as you like it
21:42:07 [lowenthal]
w/o code changes
21:42:14 [lowenthal]
q?
21:42:48 [lowenthal]
now talking biran
21:42:58 [lowenthal]
backplane protocol in id scenario
21:43:17 [lowenthal]
problem: site composed of widgets coming from different servers
21:43:27 [lowenthal]
each widget has its own notion of user auth
21:43:37 [lowenthal]
widgets want to know about auth to each other
21:43:58 [lowenthal]
<illustration indicating widgets on lady gaga site>
21:44:05 [lowenthal]
widgets want to know who's logged in
21:44:17 [lowenthal]
ux: don't want users to have to login to each widget
21:44:22 [lowenthal]
now talking vlad:
21:45:02 [lowenthal]
when a user logs into a widget, authorizing server notifies backplane server, which notifies other widgets which want to know about it
21:45:19 [lowenthal]
backplane is a method for sharing messages between server-side applications & widgets
21:45:31 [lowenthal]
want to convey info between widgets & server-side components
21:45:46 [lowenthal]
<example backplane message>
21:46:03 [lowenthal]
have defined a js api for widgets to collaborate
21:46:15 [lowenthal]
differences in security settings of different clients that use backplane
21:46:24 [lowenthal]
design reflects this difference
21:46:33 [lowenthal]
widgets cannot post to backplane, only listen
21:46:47 [lowenthal]
only get partial information, so that sensitive information will not be exposed
21:47:00 [lowenthal]
widgets only get info tied to a browser session
21:47:13 [lowenthal]
backplane v1 has been developed ~1yr, used by wapo, espn
21:47:20 [lowenthal]
see backplanespec.com
21:47:46 [lowenthal]
now talking jeff hodges
21:48:05 [lowenthal]
on behalf of ietf sec area & apps directors
21:48:10 [lowenthal]
crypto apis
21:48:26 [lowenthal]
web pages sometimes want to do crypto operations
21:48:40 [lowenthal]
sign, verify, encrypt, decrypt &c
21:49:10 [lowenthal]
how do pages do crypto on client-side?
21:49:25 [lowenthal]
currently: everyone writes their own crypto primitives in js
21:50:02 [lowenthal]
is it good for web pages to dynamically, insecurely embed crypto implementations
21:50:15 [lowenthal]
[no]
21:50:28 [lowenthal]
currently pages xss their aes
21:50:30 [lowenthal]
=[
21:50:45 [lowenthal]
may good implementations to choose from
21:50:58 [lowenthal]
*many...
21:51:46 [lowenthal]
position: we should not do this, we should have a js crypto api, built on browser/os libraries
21:51:54 [benadida]
q+
21:52:00 [lowenthal]
we currently have implicit agreement
21:52:18 [lowenthal]
so: who do we need to do it, and which standards body is desirable?
21:53:06 [lowenthal]
many threads at w3, ietf talking about need for this
21:53:29 [lowenthal]
so, let's use existing crypto, rather than recoding & introducing bugs
21:53:38 [dpranke]
Q+
21:53:44 [lowenthal]
now: henry story video presentation, from apache
21:54:02 [bblfish]
video online here for those following remotely http://bblfish.net/blog/2011/05/25/
21:54:08 [bblfish]
(with bonus)
21:54:11 [lowenthal]
how webid works in existing browsers
21:54:29 [lowenthal]
net is a distributed network in a distributed namespace
21:54:35 [nico]
nico has joined #idbrowser
21:54:36 [lowenthal]
<birdsong in background>
21:54:52 [bblfish]
:-) yes there's a forest here in Fontainebleau
21:54:55 [lowenthal]
we can use hashtag urls to identify users
21:55:18 [lowenthal]
demo: viewing profiles
21:55:38 [lowenthal]
example: webid listed via hashtag uri
21:55:51 [lowenthal]
click, get profile, add as contact
21:56:09 [lowenthal]
if we have many friends, privacy issue
21:56:26 [lowenthal]
ideally, individuals should be able to secure pii
21:56:37 [lowenthal]
webid protocol attempts to solve this
21:56:44 [lowenthal]
built on tls, x509
21:56:47 [lowenthal]
what's new?
21:57:18 [lowenthal]
instead of authenticating server relying on ca to auth bob, gets info from bob's profile url
21:57:37 [lowenthal]
creating a cert/public-key from a user's homepage
21:57:55 [lowenthal]
browser makes keypair, sends pub part to server
21:58:34 [lowenthal]
what can we do with a webid
21:58:38 [lowenthal]
use on a new service
21:58:46 [lowenthal]
authenticate by selecting a client certificate
21:58:54 [lowenthal]
log in using this cert
21:59:10 [lowenthal]
server gets name, picture &c...
21:59:11 [lowenthal]
q+
21:59:18 [lowenthal]
what happened during login?
21:59:33 [lowenthal]
login button pointed to https endpoint
21:59:39 [nico]
nico has joined #idbrowser
21:59:39 [lowenthal]
server requests client cert
21:59:49 [lowenthal]
browser allows user to pick client cert
22:00:05 [lowenthal]
browser can show this different way
22:00:17 [lowenthal]
firefox sucks, iphone rocks at this ux
22:00:25 [lowenthal]
server verifies keys
22:00:32 [lowenthal]
server derefs url
22:00:57 [lowenthal]
now server confirms that key on cert is same as key on remote profile
22:01:23 [lowenthal]
now cert knows that user is same as profile creator
22:01:57 [lowenthal]
this is a very limited form of authentication
22:02:10 [lowenthal]
not a lot of proof offered
22:02:23 [lowenthal]
webid uses existing tech to create a referential web of trust
22:02:45 [bblfish]
(there are a lot of papers listed at http://www.w3.org/wiki/Foaf%2Bssl
22:02:49 [lowenthal]
no need to place attributes in cert: placed in client profile page, limited by access
22:03:16 [lowenthal]
this should look like the mozilla prototype from aza raskin
22:03:48 [lowenthal]
want os vendors to support crypto usb keys like gpf cryptokey
22:03:56 [lowenthal]
webid.info/spec
22:03:56 [bblfish]
the demo is the second video on http://bblfish.net/blog/2011/05/25/
22:04:20 [bblfish]
you can call me on skype bblfish or us number +1 (510) 931-5491
22:04:27 [lowenthal]
now moving to general discussion
22:05:03 [lowenthal]
fred hirsh: html5 & web notifications: is that relevant to you, esp re notifications?
22:05:08 [lowenthal]
vlad: no, not directly
22:05:49 [lowenthal]
q?
22:06:40 [nico]
nico has joined #idbrowser
22:06:41 [lowenthal]
brad hill, re gss rest, missing some details. how do we identify the target, needs to be done a priori by client, other side of mutual auth missing
22:07:02 [lowenthal]
answer: does not rely on target
22:07:15 [lowenthal]
ex oauth doesn't do that, still needs tls to auth
22:07:29 [lowenthal]
kerberos/pki can cope with that
22:07:35 [lowenthal]
q- bhill
22:07:42 [dveditz]
dveditz has joined #idbrowser
22:08:23 [bblfish]
answer to twitter: #WebID is nothing new. It just does what TLS was designed to do from the start- we just use URIs instead of distinguished names (@shingou was saying "why invent something new"?)
22:08:28 [JeffH]
sam hartman interjecting
22:08:45 [lowenthal]
if no security indicators in chrome... web apps should have same auth powers as native apps
22:09:08 [lowenthal]
starting from trusted https, have guarantees, if not, fewer guarantees
22:09:35 [lowenthal]
perhaps you could use these sorts of signals to create an indicator (whether or not anyone would look at it)
22:10:17 [lowenthal]
williams: don't want sites to be able to hijack credentials... except when we do
22:10:33 [lowenthal]
adida:
22:10:39 [tyler]
tyler has joined #idbrowser
22:10:55 [mark]
mark has joined #idbrowser
22:11:06 [tyler]
q
22:11:12 [tyler]
q+
22:11:19 [mark]
q+
22:11:31 [lowenthal]
q about crypto api. risk of over-specification. important to be flexible enough to cover all use cases
22:11:45 [lowenthal]
focus on minimum spec that covers maximum spread of case
22:11:57 [lowenthal]
let's use apis for algos, rather than process
22:12:08 [lowenthal]
hodges: food for thought for standardization efforts
22:12:58 [lowenthal]
another q: this has happened before. is this a browser-specific problem or should js just have a crypto lib in general?
22:13:50 [bblfish]
me +1 for crypto lib. A lot of people would like to use crypto libs to access keys in keychain. It would be best if those keys were protected by the chrome.
22:13:51 [lowenthal]
hodges: punt to brian. interesting question. happened on lists before. mark miller, brendon suggest workgroup to make in-lang crypto, still not sure if it's a good idea.
22:14:26 [lowenthal]
brian: ui integration make/manage keypairs is critical, and good reason to do it browserwise rather than language-wise
22:14:36 [lowenthal]
that's assuming we have crypto primitives
22:15:03 [lowenthal]
williams: pkcs11 is lousy for a crypto api, but does work well for key storage
22:15:15 [lowenthal]
we should bake in crypto apis
22:15:20 [lowenthal]
[raw crypto]
22:15:31 [lowenthal]
but also want pkcs11 so that we can use hardware tokens
22:15:42 [lowenthal]
we risk losing browser integration
22:15:53 [lowenthal]
if we don't have a browser implementation, people will make it anyway
22:16:19 [lowenthal]
another answer: apis will happen, only open question is how. going to be decided by es-discuss
22:16:50 [lowenthal]
if only we had existing, running code that we can reimplement
22:17:17 [lowenthal]
agree: there are certain classes of operations folks want for specific applications
22:17:19 [bblfish]
hardware tokens would be very nice. The second demo on that page shows already how far one can go with them http://bblfish.net/blog/2011/05/25/
22:17:29 [bblfish]
but hardware tokens need better browser integration
22:17:34 [lowenthal]
williams: eg hashes, c-lib objects
22:17:59 [lowenthal]
david speaking for henry
22:18:09 [lowenthal]
greg to williams
22:18:10 [bblfish]
currently from the 2nd video on that slide, it is clear that one has to download drivers to get browser to work with crypto key
22:18:22 [tyler]
Zakim, who is on the q
22:18:22 [Zakim]
I don't understand 'who is on the q', tyler
22:18:24 [lowenthal]
how will mechanisms be distributed into this api?
22:18:45 [nico]
nico has joined #idbrowser
22:18:57 [lowenthal]
williams: ex windows, solaris, &c, apps use gss-api portably, agnostic to mechanism as long as mechanism has the correct properties
22:19:02 [lowenthal]
q?
22:19:08 [lowenthal]
q- benadida
22:19:17 [lowenthal]
q- dpranke
22:19:22 [lowenthal]
q- lowenthal
22:19:41 [lowenthal]
we should be able to do it purely in js?
22:19:47 [lowenthal]
but then we'd lose browser integration
22:19:54 [bblfish]
q+
22:20:35 [lowenthal]
q- tyler
22:21:08 [lowenthal]
q: what gui should one show a user for sensitive functions like signing, key operations
22:21:26 [lowenthal]
hodges: not necc. depends on use case
22:21:45 [lowenthal]
specifically: depends who provides the key
22:21:57 [bhill2]
q+
22:21:58 [tyler]
q+
22:22:20 [tyler]
lowenthal, why did you remove me from the q?
22:23:17 [lowenthal]
trick is to create a simple api which covers most use cases: sign, encrypt, decrypt, verify, tls
22:23:46 [lowenthal]
to do this, need access to crypto primitives, under hood
22:24:02 [lowenthal]
dirk: can i be logged into two accounts
22:24:09 [lowenthal]
dave: yes,
22:24:30 [lowenthal]
pick certs (&ids) case-by-case
22:24:51 [lowenthal]
dirk: multi-login, a la google!
22:25:18 [lowenthal]
dave: not sure
22:25:37 [lowenthal]
williams: gss-rest, use session id interchangeably
22:25:44 [lowenthal]
different tabs
22:26:39 [hhalpin]
hhalpin has joined #idbrowser
22:26:53 [hhalpin]
anyone scribing?
22:26:59 [lowenthal]
see google documentation to conclude
22:27:07 [lowenthal]
behavior complex, dynamic
22:27:21 [lowenthal]
dirk: sensible for gss, up to server to identify
22:27:33 [lowenthal]
dave: use two identities for one request
22:28:06 [bblfish]
I am just thinking of the time going by, and all the discussion is on Javascript. But much more important in my view is to allow the end user to see WHO he is logged in as. Users need immediate feedback to their identity. If a user does not know who he is, if he cannot physically in a gesture control his identity, then he cannot feel in control. If he does not feel in control he will feel alienated, and you will have a lot of trouble and a lot of resistanc
22:28:07 [bblfish]
So I put the work of Aza Raskin as the top priority. A user has to be able to control at least sometimes what he is also by being able to publish information about himself, and control who (at least initially) sees it. So here is a pointer to Aza's initial article http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
22:28:17 [mark]
q?
22:28:18 [Deiu]
Deiu has joined #idbrowser
22:28:27 [dpranke]
q+
22:28:40 [lowenthal]
tyler: what about offline scenarios using post to iframes so that it works offline
22:28:47 [lowenthal]
williams: have not thought about offline
22:28:49 [nico]
nico has joined #idbrowser
22:28:51 [hhalpin]
q?
22:29:02 [lowenthal]
same-origin restriction applying
22:29:18 [lowenthal]
backplane works that way too
22:29:21 [lowenthal]
unusual use-case
22:29:29 [jimklo]
jimklo has joined #idbrowser
22:29:46 [lowenthal]
brian: signing is sensitive. need to think about it carefully, and not delegate arbitrarily
22:30:23 [lowenthal]
important concern, in fact more important than api in general
22:30:51 [lowenthal]
williams: not a new problem if script wants to use its own key. but if script wants to use user's key, then we need to worry
22:31:51 [hhalpin]
q?
22:32:08 [lowenthal]
brian: may need to build them on-top of browser-only
22:32:14 [lowenthal]
bblfish, your q?
22:32:18 [lowenthal]
anything further?
22:32:20 [bblfish]
It's above
22:32:24 [bhill2]
When it's my time in the queue (for bblfish): for webID, what possible chance of adoption is there for intra-handshake, user-supplied call-outs by servers and termination appliances given the attack surface, resource and performance cost, and denial-of-service risks that introduces? isn't this an impossible to surmount deployment blocker? also- how to relay that information from a termination appliance down to the webapp?
22:33:11 [lowenthal]
q: protected key store, or script doing arbitrary operations?
22:33:23 [lowenthal]
hodges: both! presentation high-level
22:34:36 [lowenthal]
siddarth: have talked about webid, certs &c. esp when using ssl client auth, client has very little control about session. if wrong cert selected, only option is to close browser, which sucks. something to think about for standardization
22:34:46 [lowenthal]
bblfish, any response to bhill2?
22:34:56 [bblfish]
denial of service attacks could be reduced to the minimum if it were possible for the server to be on the client. For then the whole internet could be down: if you can connect to the server then it can connect to you. So I think one needs ipv6 for that. In any case WebID inherits all of the goodness of the web such as caching. It also
22:35:08 [lowenthal]
siddarth: important to give applications more control
22:35:17 [bblfish]
is possible to have more than one WebID in Subject Alternative Name of X509
22:35:24 [bblfish]
we are playing with that at the Webid XG
22:35:25 [lowenthal]
<redacted>
22:35:58 [bblfish]
finally you can have trusted proxies you could ask for their version of the facts
22:36:08 [lowenthal]
bhill: derefing a url mid-handshake is crazy-talk
22:36:13 [bblfish]
but I think it's best to start simple
22:36:23 [benadida]
benadida has joined #idbrowser
22:36:23 [bblfish]
it works :-)
22:36:44 [bblfish]
you only have to deref first time bhill
22:36:49 [bblfish]
then you have a cache
22:36:53 [bblfish]
lookup
22:37:07 [lowenthal]
dave: need to have browser make certs
22:37:26 [lowenthal]
but still need the validation to confirm that current user is same as url owner
22:37:31 [bblfish]
it is just as easy to have your freedom box make a cert for you
22:37:50 [lowenthal]
bhill: that sounds challenging
22:37:58 [lowenthal]
dave: can do crypto confirmation
22:38:09 [bblfish]
why? Does Google validate that you are the same person as the password knower each time?
22:38:13 [lowenthal]
fetching web-page is crucial to do verification
22:38:26 [bblfish]
in any case TLS already has to do that
22:38:31 [lowenthal]
bhill: fetching a webpage is a risk
22:38:43 [lowenthal]
dave, jh, dos is risk
22:38:43 [bblfish]
it has to, if it is serious, do a connection to verify certificate is not on BAD cert list
22:39:00 [bblfish]
dos is less risk because it is distributed
22:39:07 [bblfish]
everyone can have their own box
22:39:12 [bblfish]
so no center to attack
22:39:21 [bhill2]
tls already has to fetch a webpage to verify a cert?
22:39:30 [bhill2]
1st: most sites don't accept client certs at all
22:39:39 [lowenthal]
hannes: re backplane. mixed-content. let indie js widgets chat?
22:39:44 [bhill2]
so AIA, OCSP, etc for client auth is not a current issue
22:39:50 [tlr]
Most slides are now linked from the agenda: http://www.w3.org/2011/identity-ws/agenda.html
22:39:51 [lowenthal]
vlad: actually, widgets only listen, not talk
22:39:58 [bblfish]
revocation of keys works simply by deleting key from your home page. Clerezza has a delete button for that
22:40:20 [bblfish]
tls should verify that cert is not revoked
22:40:25 [lowenthal]
hannes: doesn't this risk breaking the same-origin policy?
22:40:29 [bhill2]
second, if those do exist and need to be fetched, they are supplied by the authorities in a limited set of trust roots, not by the user
22:40:44 [lowenthal]
vlad: yes, a risk of giving sensitive info to widgets
22:40:45 [bhill2]
it's an entirely different risk picture for a server that wants to start accepting auth
22:40:49 [bblfish]
most sites don't accept client certs because of ONE reason. It makes no sense without WebID
22:40:53 [lowenthal]
prior config needs to take place
22:40:54 [bhill2]
from a distributed trust infrastructure
22:41:04 [lowenthal]
widgets need message payload
22:41:10 [bblfish]
because most client certs for something other than the army only work for one company
22:41:24 [lowenthal]
hannes: openid &c user chooses what gets shared. doesn't this violate that principle?
22:41:28 [bblfish]
for client certs to make sense in consumer space: they have to work globally on every server
22:41:35 [bhill2]
*most* sites don't even deploy anonymous TLS for server auth because of the cost
22:41:42 [bhill2]
webId makes that dramatically worse
22:41:46 [bblfish]
yes, cost is high
22:42:00 [bblfish]
DANE and DNS-sec is going to make it possible to have self signed server certs
22:42:05 [lowenthal]
vlad: actually owners get control of info/signaling
22:42:09 [bblfish]
and so mass deployment of TLS
22:42:14 [lowenthal]
hannes: that is dangerous
22:42:23 [lowenthal]
mod: you two should fight outside
22:42:28 [bblfish]
:-)
22:42:32 [lowenthal]
mod:
22:42:51 [lowenthal]
backplane: is it being standardized in an open body
22:43:03 [lowenthal]
answer: not currently being standardized, wants to be
22:43:15 [bblfish]
I should have just pointed at the FAQ. Most of those questions are listed there sorry http://www.w3.org/wiki/Foaf%2Bssl/FAQ
22:43:16 [lowenthal]
webid is currently a w3c incubator project
22:43:38 [lowenthal]
tlr: incubators will be replaced soon
22:44:25 [lowenthal]
websec api does not yet have a standards body or a list
22:44:58 [lowenthal]
hodges will now create a mailing list for crypto apis, possibly at ietf
22:46:29 [vaibhav]
vaibhav has joined #idbrowser
22:46:32 [lowenthal]
gss-rest is not currently in a standards track [gss track of ietf?] if interested, could find a place for it at ietf
22:46:35 [lowenthal]
who is interested?
22:47:06 [lowenthal]
ex dom elements might need to be at w3c
22:47:24 [lowenthal]
protocol could be ietf, but might as well be w3c
22:47:37 [lowenthal]
adjourn
22:49:15 [bblfish]
btw, as I mentioned if people wish to talk around a virtual coffee feel free to skype me on bblfish
22:49:25 [bblfish]
or call +1 (510) 931-5491
22:49:41 [bblfish]
Sorry could not be in the US
22:52:01 [bblfish]
multi id over single session? Clerezza has implemented that btw
22:52:13 [bblfish]
You can login with password + WebID together
23:11:39 [tantek]
tantek has joined #idbrowser
23:13:37 [bhill2]
bhill2 has joined #idbrowser
23:14:11 [mark]
mark has joined #idbrowser
23:15:48 [hhalpin]
tantek: id markup for forms
23:16:03 [hhalpin]
... <input type="identity-url"
23:16:14 [hhalpin]
type=password, pwtype="sign-in"
23:16:31 [HAYASHI]
HAYASHI has joined #idbrowser
23:16:40 [hhalpin]
pwtype = "sign-in|create|confirm"
23:16:43 [hhalpin]
ditto signup
23:16:56 [hhalpin]
straw proposal
23:17:27 [hhalpin]
<input type="checkbox" rememberme>
23:20:07 [bhill2]
scribenick bhill2
23:20:08 [fjh]
fjh has joined #idbrowser
23:20:32 [bhill2]
discussion on whether confirm password should be autofilled
23:20:46 [bhill2]
should browser do this, or is this necessary user-interaction confirmation
23:21:40 [bhill2]
scribe: bhill2
23:21:51 [bhill2]
ScribeNick: bhill2
23:22:09 [bhill2]
<a little help, people?>
23:22:23 [hhalpin]
fallback to normal url
23:22:30 [hhalpin]
and normal type "email"
23:22:33 [hhalpin]
for both inputs
23:22:36 [tantek]
perhaps consider using role="identity"
23:22:36 [tlr]
tlr: <input type="url" identty>
23:22:40 [tlr]
tlr: <input type="url" identity>
23:22:41 [tlr]
or role
23:22:43 [tlr]
something like that
23:22:59 [hhalpin]
lowenthal: the incentives for using the type and representing the type are not aligned
23:23:27 [bhill2]
dpranke: give banks, etc. an option to force re-authentication to browser pwd manager
23:23:33 [bhill2]
instead of disabling autofill
23:23:35 [hhalpin]
dirk: banks refuse to use auto-complete because they do not have a client smart enough to check
23:24:25 [tantek]
input type="identity-username"
23:24:30 [tantek]
idtype similar to role
23:24:35 [mixedpuppy]
mixedpuppy has joined #idbrowser
23:24:39 [bhill2]
stevemitchell: add additional types, smartcard, etc.
23:25:39 [bhill2]
who?: linkage of cookies to be created as a result of signin
23:25:53 [bhill2]
greg: but advertisers will just do that, not a trustworthy semantic
23:26:24 [hober]
role="" is inappropriate for this; role="" is for WAI-ARIA annotations and not a generic "attach additional semantics to this element" attribute
23:26:44 [bhill2]
dave crocker: what layer to model this at - may happen at different protocols, versions?
23:27:18 [bhill2]
tantek: specifically proposal to address at level of html form annotations, taxonomy is based strictly on existing examples
23:27:51 [bhill2]
dcrocker: how to mature this idea into new and improved protocols, specify protocols and details
23:28:22 [bhill2]
dan: make even more abstract, include ability to trigger, e.g. phone OTP
23:28:53 [bhill2]
dpranke: rules for password requirements in annotations, better than existing pattern regex indications
23:29:19 [JeffH]
a nerd's perspective on some problem: "just create the right regex? eh?"
23:29:21 [tantek]
a way for the site to communicate its password requirements (length, special characters, etc.)
23:29:51 [bhill2]
dpranke: rfc 3106, supplanted by 4112, ecml alliance has vanished years ago, no need to conform to that
23:29:55 [benadida]
benadida has joined #idbrowser
23:30:09 [bhill2]
tlr: draft has 20 pages
23:31:23 [bhill2]
tantek: user still has control over "remember me" box, just option to delegate preferences to browser
23:32:34 [bhill2]
new speaker: tyler close, google
23:33:36 [bhill2]
topic: web introducer
23:33:46 [tantek]
thanks everyone - great suggestions
23:34:01 [bhill2]
many existing identity systems, based on existing browser tech
23:34:11 [bhill2]
what tiny changes could we make to allow new systems to evolve?
23:34:13 [hober]
You can communicate password requirements with the form constraint validation API: http://www.whatwg.org/specs/web-apps/current-work/complete/association-of-controls-and-forms.html#the-constraint-validation-api
23:34:19 [dpranke]
Ecml appears to have been largely about ecommerce, wallets, (Billing address, card number) etc.
23:34:51 [bhill2]
e.g. nascar problem for openID, and full window page transitions for redirects to IdP
23:35:20 [bhill2]
two problems; how does RP discover IdPs, how does IdP get consent from user?
23:35:51 [bhill2]
demo: small API to do these two things
23:36:12 [tantek]
my slides btw: http://tantek.com/presentations/2011/05/idinputs/
23:36:14 [dpranke]
@hober : last I looked that API didn't work for me.
23:36:37 [hhalpin]
http://web-send.org/introducer/
23:36:42 [hhalpin]
the draft spec
23:36:58 [bhill2]
example bookmark sharing service. clicking shows a list from the user agent showing what social bookmarking services the user has configured
23:36:59 [hhalpin]
http://web-send.org/bookmark/
23:37:04 [hhalpin]
the bookmarking example
23:37:35 [bhill2]
UI is from user agent, choices not shared with server, UI is clickjacking resistant (so IdP gets reliable confirmation of user intent)
23:37:41 [dpranke]
dpranke has joined #idbrowser
23:37:51 [bhill2]
browser pops iframe for completion of the action
23:38:16 [bhill2]
nascar is avoided by browser presentation: can be aware of context-sensitive valid choices
23:39:20 [bhill2]
same idea works for lightweight version of openid-like protocol to deliver email address attestation
23:39:39 [bhill2]
could be a variety of types, vcards, calendar entries...
23:40:20 [bhill2]
new feature in browser: browser services in a gold bar
23:40:34 [bhill2]
allow services to be registered in browser
23:41:10 [bhill2]
new options show up in the browser-presented bookmark sharing service choices after simple opt-in
23:41:34 [bhill2]
no need to rely on site to have your service button (reddit, digg, etc..)
23:42:06 [bhill2]
anyone can hook into this API and get 100% coverage of all offerings of that type on the web
23:42:15 [bhill2]
question: failover?
23:42:28 [bhill2]
implemented in firefox using only javascript
23:42:50 [bhill2]
unmodified firefox demo
23:43:05 [bhill2]
opens transparent iframe to trusted site and uses clickjacking to get dropdown
23:43:41 [bhill2]
if using <select> is implemented by OS, at highest z order so no clickjacking
23:44:13 [bhill2]
question: mike perry: are there other side channels for sites to extract this information from the user?
23:44:26 [bhill2]
web-send.org/features.html has a list of features
23:44:36 [bhill2]
question is about "preference privacy"
23:44:59 [bhill2]
dpranke: lots of debate if this is a good thing or not - many publishers won't deploy unless they can get the list
23:45:18 [bhill2]
protocol def should enable preference privacy, allow services to voluntarily disclose their presence
23:45:37 [bhill2]
http://web-send.org/
23:45:59 [bhill2]
trent: end of on-the-fly turbotalks
23:46:47 [mixedpuppy]
mixedpuppy has joined #idbrowser
23:46:47 [bhill2]
new topic and speaker: hhalpin for moving forward, strategy and tactics
23:46:58 [nico]
nico has joined #idbrowser
23:47:38 [bhill2]
browser makers to the front of the room please
23:47:50 [bhill2]
discussion: what are people actually interested in shipping?
23:48:58 [bhill2]
hhalpin: quick overview of w3c process, =JeffH to summarize IETF process
23:49:14 [bhill2]
Workshop->public-identity@w3.org
23:49:20 [bhill2]
public-identity-request@w3.org
23:51:32 [tlr]
subject: "subscribe"
23:52:02 [bhill2]
Report -> Workshop later | Not the time / punt | Community Track | Charter, working group, eventual w3c recommendation
23:52:57 [bhill2]
nico: question, post report track, can different ideas live in different tracks?
23:53:00 [bhill2]
yes
23:53:28 [bhill2]
other option: send to IETF or other body
23:53:36 [bhill2]
new speaker = jeffh to represent IETF process
23:54:29 [bhill2]
IETF starts with discussion (optionally), leads to mailing list (optional), leads to BoF at IETF meeting after some administrative process
23:55:43 [bhill2]
formal BoF may lead to, drop topic | a second BoF | formal Working Group | punt to IRTF for more research | goto 10
23:56:23 [bhill2]
sometimes RFC may happen with no working group with area director sponsorship
23:57:07 [bhill2]
nico: another option is to recharter an existing WG
23:59:25 [bhill2]
hhalpin back as presenter
23:59:44 [bhill2]
informal votes on what is worth pursuing plus feedback on browser folks on what might get done
23:59:57 [bhill2]
the list is: