12:34:15 logging to http://www.w3.org/2012/10/31-identity-irc
12:34:23 scribenick: npdoty
12:34:52 henry story on WebID, David Dahl on Mozilla API, Eric on @@@
12:35:10 hhalpin: background on identity
12:35:25 ... lots going on, but yet to have a Working Group or a coherent forward direction
12:35:30 ... Mozilla has its work on Persona
12:35:39 ... what's the role of the client device?
12:35:46 ... Crypto API came out of that
12:35:55 ... looking for the low-hanging fruit that we can enable realistically
12:36:22 Topic: WebID
12:36:49 bblfish: philosophically, start from what identity is -- the relation from a name to a person
12:37:05 ... on the Web we have URIs and we can name people this way
12:37:12 ... several systems that have tried to do this
12:37:32 ... OpenID, OAuth, OAuth2, WebID over TLS, XAML solutions
12:37:41 ... looking to be able to identify a user in a global context
12:37:56 ... might have a Freedom Box at home with your info and your social network
12:38:11 ... should have a privacy-preserving way to connect when you want to
12:38:23 ... rather than a silo'd system where you have to create new accounts/identities for each service
12:38:34 raw minutes from the #webid F2F at TPAC are available at http://www.w3.org/2012/10/29-webid-minutes.html and http://www.w3.org/2012/10/30-webid-minutes.html
12:38:41 Scribe: richt
12:38:46 scribenick: npdoty
12:39:00 bblfish: started off looking at TLS, which works in the browser
12:39:16 ... good enough to do authentication globally, 10 different implementations in different languages
12:39:30 ... at the same time hhalpin et al working on cryptography in the browser to do something very similar
12:39:46 ... I think BrowserID is doing this without crypto in the browser
12:39:58 present+ Henry S. Thompson
12:40:07 ... should be able to go to a site, click a button, and link your identity there
12:40:16 present+ Alexandre Bertails
12:40:18 ... should be able to describe resources and have access control rules
12:40:35 ... we have all the technologies at W3C to get this going
12:40:53 ... need the linked data people for semantics, TLS people, crypto people for Web API
12:41:17 bblfish: from this we can build a distributed social web (speaking about during #social)
12:41:44 ... WebID we've redefined with Tim's help, a dereferenceable HTTP URL with information about the user
12:41:48 q?
12:42:31 who's speaking ?
12:42:35 @@: what WebRTC is trying to do
12:42:43 Topic: WebRTC
12:42:49 ekr is speaking
12:42:51 Eric Rescorla is speaking
12:43:10 ekr: ability to call other users, speak peer to peer between browsers
12:43:21 ... need ability to authenticate and trust
12:43:32 ... know who the person you're calling is, by leveraging the browser infrastructure
12:43:43 s/@@/ekr/
12:44:07 ... aggregating these account mechanisms, whether I'm on PokerStars or Joe's Calling Service, I should be able to authenticate to my existing social accounts
12:44:20 ... the same way that web sites now can authenticate you with your Facebook Connect
12:44:48 ... the basic insight is that the most difficult part is: while the browser is generic, the servers have to be programmed
12:45:02 ... the relying party isn't on a server, but in the browser, simple to just load javascript in the browser
12:45:16 ... the relying party and the authenticating party both load the JS from the IDP in an iframe
12:45:16 q+ to ask people here what does Identity *on* the Web mean for them (when speakers are done speaking)
12:45:42 [scribe missed that point]
12:46:03 ekr: can call my friend and know that they're my Facebook friend, without having to trust the site at all
12:46:43 Eric Rescorla, an IETF guy, working on this for Mozilla
12:47:05 hhalpin: some kind of key-based authentication is going to be crucial
12:47:16 ... some work making it more generic outside of WebRTC WG
12:47:46 ekr: one thing about the defined interfaces is that any identity is determined based on the IDP domain name
12:48:03 ... well-known URL to get the JS bridge from, and the set of messages to verify assertions
12:48:26 just found the channel
12:48:31 http://webid.info/spec
12:48:31 is the TLS version of WebID
12:48:31 my home page is http://webid.info/
12:48:33 SO I mentioned the java cryptography api working group http://www.w3.org/2011/11/webcryptography-charter.html
12:48:35 the ldp Linked Data platform http://www.w3.org/2012/ldp/hg/ldp.html
12:48:52 ah, finally someone's English slow enough to be understandable
12:49:01 mike jones, a long time contributor to LDP
12:49:15 mike: we think that identity solutions have to work for more than just the browser
12:49:18 s/contributor to LDP/contributor to OpenID/
12:49:42 ... chat clients, Skype clients, etc.
12:49:55 ... building on top of OAuth we were able to make it work for rich clients as well
12:50:15 q+
12:50:16 q+
12:50:16 ... in reaction to URL-based identity, lesson from 1st OpenID, most human beings are not willing to remember a URL
12:50:33 ... one thing they may remember is their email address, if you can use something like that as an identifier more people may be willing to use it
12:51:08 bblfish: distinction between the URI and the identity that the user sees
12:51:12 bblfish is making a very important point here
12:51:19 mike: gets to discovery as well
12:51:21 ack bblfish
12:51:36 Topic: Demo from David at Mozilla
12:51:44 david: feedback from the crypto API
12:51:51 ... how can we do crypto without any crypto in the DOM
12:52:03 ... a bridge API, off of window.navigator.bridge.getCypherObject
12:52:29 yes, though WebId over TLS ( http://webid.info/spec still needs to be cleaned up on the new webid definition) the URL is hidden in the X509 certificate. The user only sees his name. see video on http://webid.info/
12:52:57 and it's a point and click operation for the user
12:52:57 ... enable extension APIs so that signed/encrypted data is passed back to the DOM
12:53:08 ... if you don't trust the server with plain text, you might still be able to pull it off
12:53:26 ... feedback from Google, Web Intents could play a role as well
12:53:34 [demo]
12:54:00 david: write some plain text, the browser provides a "crypto console" UI
12:54:06 ... extension authors could provide whatever UI they want
12:54:27 ... encrypt this little passage, and then returns back a cyphertext and signature
12:54:38 ... a JSON object with the important details
12:55:02 ... reading/deciphering pulls the ciphertext into the browser UI
12:55:09 ... the content doesn't have access at all
12:55:12 q?
12:55:15 ... find me if you want to talk later
12:55:31 q+
12:55:31 npd: awesome
12:56:04 hhalpin: seeing different elements in different WGs that are related
12:56:19 ... harder to phish and authentication
12:56:35 ... do have the work of OpenID Connect, Mozilla Persona,
12:56:56 ... what is the lowest hanging fruit that we can standardize at W3C that can move authentication on the Web into a secure space?
12:57:09 ... could include the work of David, encrypted content into the DOM from outside
12:57:11 @bblfish, suggest you pass the vga cable to Nick Doty in the interim
12:57:39 ... most of the work being done outside of W3C
12:57:44 q?
12:57:47 q-
12:58:34 A WebID is a hash HTTP URI which denotes an Agent. You can GET an RDF model as TURTLE.
12:58:38 betehess: just want to talk about identity, not necessarily simultaneously solve the problem of authentication
12:59:10 We ran a workshop last May:
12:59:17 q+
12:59:24 ... regarding OpenID in particular, when we want to speak about identity on the Web, it's very different than the identity that we expose to the user
12:59:26 http://www.w3.org/2011/identity-ws/
12:59:33 Folks may want to look at the final report:
12:59:35 ... when we talk, define what you mean by identity on the Web
12:59:40 ack betehess
12:59:40 betehess, you wanted to ask people here what does Identity *on* the Web mean for them (when speakers are done speaking) and to
12:59:42 http://www.w3.org/2011/identity-ws/report.html
12:59:50 ack hta
13:00:03 relation of Openid to WebID for example: foaf:openid .
13:00:21 hta: when we say HTTP URI, URIs as identifiers is fine, but don't resolve them
13:00:26 q?
13:00:31 q+ timbl
13:01:04 timbl: the people who believe you shouldn't look things up will never go away
13:01:09 https://openid.net/connect/
13:01:19 The OpenID specs are linked from there:
13:01:22 ... in past discussions at IETF it was thought that it was perhaps too dangerous, like with the hotel problem
13:01:30 [scribe doesn't actually know what the hotel problem is]
13:01:46 timbl: work on building systems for looking up URIs without necessarily resolving them
13:01:56 https://www.mozilla.org/en-US/persona/
13:02:01 Mozilla Personae:
13:02:06 ... could have a separate group on what to do when you're in a hotel and have a captive portal when you're trying to look something up
13:02:10 mnot has something of a solution for this problem, it's been published
13:02:36 ... definition from the LDP WG, everything is defined by HTTP URIs and people look them up all the time
13:03:00 RFC 6585
13:03:02 ... the question of what you're using as an identifier
13:03:19 ... in some cases you'll require different levels of authentication, even if the identifier is the same
13:03:21 EKR, do you have the latest URI for your work on the WebRTC identity work?
13:03:36 q?
13:03:47 ... nice clean architecture so you can plug on to it
13:04:03 ... Henry has a way to authenticate using SSL
13:04:03 the point of HTTP URIs is that you don't need to define a new service to get information about them, just use the Web (HTTP GET)
13:04:16 ... authentication protocols can be designed separately
13:04:38 hhalpin: ekr is not irc
13:04:44 ... the Linked Data Working Group can tell you what info you'll get back when you request a URI, content negotiation and different formats, another flexibility point in the architecture
13:04:45 hhalpin: http://tools.ietf.org/html/draft-ietf-rtcweb-security
13:04:47 s/Linked Data Working/LDP Working/
13:04:54 q?
13:04:58 ack timbl
13:05:29 ashok: follow up to betehess, wonder if what you're asking for is "verified identity", the identity that really points to a person that would be accepted by, for example, the passport office or the social security office
13:05:53 betehess: important to make a clear distinction between identity and authentication
13:05:57 q?
13:06:07 ... what HTTP URIs give you is the ability to name what you are speaking of
13:06:22 ... don't need to create new protocols
13:06:39 q?
13:06:47 ... we do RDF but not saying that you need to do RDF for authentication
13:07:00 hhalpin: comments?
13:07:17 hhalpin: the identity space gets caught up in a number of well-known debates
13:07:27 ... should we use an email address, an HTTP URI or something else?
13:07:46 ... want a system with some decent security properties (beyond username, password and cookies)
13:08:08 ... separate the concerns from what string you want to use as an identifier, distinct from the question of better authentication
13:08:38 ... have yet to see a coherent plan for those pieces
13:08:44 q+
13:09:04 ... right now, it's trickier than not to do key-based authentication with OpenID
13:09:19 mike: OpenID will use the browser, just generic browser functionality, if that's where your client is
13:09:36 ... if it's something in an app on your phone or your desktop, it's still possible to exchange claims there
13:09:59 ... re: comment on "verified identity", identity is really contextual, you're never going to have just one
13:10:33 ... holding some of the plastic identity tokens -- driver's license, corporate badge, grocery store loyalty program, frequent flier card
13:10:43 ... these different identities used in different places, some of them used in multiple places
13:11:02 ... have different levels of verification, release different claims about me, all of which matter in context, but I couldn't cross the border with some of these
13:11:24 q+ to comment on contexts
13:11:26 q+
13:11:29 mozilla is working on a contextual identity solution - https://wiki.mozilla.org/Security/Contextual_Identity_Project
13:11:31 ... while as a computer scientist I do want us to develop common infrastructure for claims about me
13:11:59 ... need to recognize different levels of requirements
13:11:59 q-
13:11:59 ack bblfish
13:12:16 bblfish: identity is contextual, but it's also social
13:12:44 has anyone discussed OpenPGP in the previous days ?
13:12:55 ... certificates have an issuer as well, with browser developers you can massively increase trust by creating a space of an official social network
13:13:30 ... countries having a list of shops, browser can do a lookup and verify whether it's listed in an appropriate official source
13:13:35 ... an institutional social web
13:13:43 ... can solve both problems simultaneously
13:13:45 just wanted to say that the LDP community already has some answers to speak about the "context" that was mentioned by Mike: WebACLs. Again, this relies on a clear notion of URI-based identity and it decoupled from authentication
13:14:13 ... when I go to a shop web site, the shop can look up a list of banks from the official government source
13:14:20 [demo]
13:14:46 bblfish: WebID with TLS, go to a website, a selector UI from the agent
13:14:59 ... and then the site gets a nice picture of me
13:15:21 ... browsers have had this for a long time, just need to provide more functionality about choosing a certificate and getting more information from it
13:15:44 q+
13:16:13 ashok: agree with your goals and use cases, worried about a different set of problems, like cyberbullying, where you can make negative comments about people without being able to find out who it was that made the comment
13:16:20 ... a fairly significant privacy problem
13:16:30 ... possibly a different use case from what you're working on
13:16:49 cyber bullying is not something I think one can solve technically
13:17:02 but one should look into it...
13:17:08 I could say a few words.
13:17:18 hhalpin: is there any interest in this room trying to form WG or CG or brainstorming more about enabling better forms of authentication for web apps?
13:17:26 [some hands]
13:17:32 worth mentioning that Ann Bassetti is proposing a session (the next one I believe) trying to organize a workshop
13:17:44 hhalpin: what else are we interested in working on?
13:18:00 bblfish: I'd like to get WebID over TLS through an official WG
13:18:46 http://webid.info/spec/
13:18:58 WebID over TLS is just using TLS and Linked Data
13:19:01 cullen: my observation is that we have too many identity systems, what can we do to get less of them? [xkcd reference to yet another standard]
13:19:05 so it's not really inventing anything new
13:19:23 hhalpin: some commonalities, key-based authentication being the most generic thing going on
13:19:31 q+
13:19:36 ack hhalpin
13:19:55 cullen: a lot of application developers struggling to understand the differences between these
13:19:57 ie. TLS is in the browser available since 1998, so it's just a way of making what we have work globally
13:20:13 ... ekr proposing an abstraction over identity systems
13:20:23 abstraction and standardization are two different things
13:20:32 +1 ?
13:20:33 webid list
13:20:33 List of people for WebID over TLS
13:20:34 +1
13:20:35 hhalpin: who wants to work on WebID?
13:20:35 pro-WebID: Sebastian Trueg (OpenLink SW)
13:20:47 +1
13:20:47 melvster has a +1
13:20:54 Tim Berners-Lee
13:20:56 webid +1
13:21:03 the proposal is *not* clear
13:21:24 jeff @@: the question is not whether I think WebID over TLS is the way to go, but what is the right forum for getting the major players to agree
13:21:34 The proposal is a WebID Working Group charter
13:21:48 ... need a padded room for people to hammer things out
13:22:04 hhalpin, WebID could be used as is by LDP (nothing about authentication)
13:22:11 +1 for WebID WG charter
13:22:31 @@: if you don't have the major players at the table, it doesn't matter what this forum does, unless it has significant uptake
13:22:51 hhalpin: more generic version of the WebRTC proposal?
13:22:58 s/@@/Mischinsky/
13:23:05 what's the question ?
13:23:08 fluffy: http://xkcd.com/927/
13:23:52 hhalpin: is anyone interested in the problem of getting data to the DOM that's encrypted? David with a proposal and others
13:24:00 I mean, all these things are interesting, they don't solve the same problems
13:24:03 need to look more into crypto in app, but sounds very interesting
13:24:12 [a few hands]
13:24:24 I still don't have a clue what this all has to do with identity... but maybe a problem of language
13:24:27 Since you can publish your public key at your WebID you can then use those keys to encrypt things
13:24:27 npdoty interested, hhalpin interested
13:24:36 hhalpin: final comments?
13:24:50 public-identity@w3.org
13:24:52 we have public-identity@w3.org for further discussion
13:24:57 rrsagent, draft minutes
13:24:57 I have made the request to generate http://www.w3.org/2012/10/31-identity-minutes.html npdoty
13:25:03 great thanks
13:42:58 The demo I made of WebID over TLS was this site https://my-profile.eu/
13:43:13 rrsagent, draft minutes
13:43:13 I have made the request to generate http://www.w3.org/2012/10/31-identity-minutes.html bblfish
13:56:18 q+
13:59:43 q-
13:59:46 q- ekr