Re: Group Certificates and their utility or uselessness from Timothy Holborn on 2016-06-06 (public-rww@w3.org from June 2016)

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Mon, 06 Jun 2016 14:09:58 +0000
To: carmen r <_@whats-your.name>, public-rww@w3.org
Message-ID: <CAM1Sok1e7LtsWDqX_HiGHsDwggxaKQ_++=j6fMiSyZxww=JFrg@mail.gmail.com>
On Fri, 3 Jun 2016 at 19:01 carmen r <_@whats-your.name> wrote:

> > We need a human centric web. i see differentiators between that and our
> service orientated heritage
>
> hi tim(h), sometime in past couple of years tim(bl) in an interview (maybe
> TIME.com) mentioned work
> yet to be done on social aspects of the web - with a brief mention of
> identity or certificates,
> also even more briefly noting the idea of family certificates.
> as you know, software-support of even the basic user-certificate feature
> is in-flux and incomplete in
> shipped web-browsers. https://www.w3.org/Webauthn/ appeared, and there's
> https://fidoalliance.org
>
> Yup.  I remember a confirmation email to that effect a few years ago, and
i note it's in the SoLiD todo list.

My thinking is to use Manu's WebDHT work, but incubate it in WebID.

https://lists.w3.org/Archives/Public/public-webid//2016Jun/0001.html

When Credentials was established, i remember a debate around the identity
issues vs. what is now becoming 'verifiable claims', which is a constituent
of identity; but obviously far less difficult from a situation of 'service
orientated' design demands.

I'm SO VERY interested in a Human Centric Solution - i don't think
block-chain is it - I think leveraging the social-graph may offer
alternatives, but i think that's beyond the scope of credentials - and it
looks like the payments work has some sort of preference for the browsers
to be the identity provider, or something like that...  Not entirely sure,
but some disruption happened.

_____
> membership of a group could be based on possession of a certificate
>
> My thinking was to use a new type of 'virtualised layer' that tries to
create something that's HTTP compatible, leveraging LDP, Linked-Data,
HTTP-SIGNATURES, etc.

In the model i'm thinking about; the WebID-TLS cert identifies the machine
/ machine account.  The identity chain is actually in the WebID-DHT Chain,
which is decentralised across an entities social-graph, and can have varied
permissions applied to the WebID-TLS certs located on various machines.

But my models also suppose this concept of a 'knowledge banking industry'
where an array of service providers store data on behalf of people, in a
manner that allows them to move the data to another service provider if
they're unhappy with the service qualities.

http://bigthink.com/videos/what-is-emergent-thinking  kinda explains it.

group-certs could be exchanged in person with mobile-devices via NFC
> tapping or camera and QR-scanning,
> after both members initiate a key-exchange session using their
> cert-management UI. or cert is escrowed
> online in a group's private space, which you could download into browser
> as a member
>
> enhanced-security Solid daemons could store blobs only decryptable by
> key-holders, ACL check becomes
> pointless other than to avoid sending data that won't be decryptable
> _____
>
>
When we start looking to use the TLS Certs at that layer - i think it
starts to get complicated and is vulnerable to browser-company desires
influencing things in ways that produce delays / lack of functionality.  It
seems more stable to work at the linux-server layer, then provide the
presentation platform to the browser clients.

bit like doing complex stuff behind the scenes then using word-press as the
publishing engine..




> unsure if you mean "service orientated" as in online service run by a
> single company
> as in to get "Group" features, everyone creates an account on a particular
> online site
>
> Social-Network-Silos are an example of service orientated design, data
goes in from humans.  The Idea is that the platform has a preference for
incorporated entities rather than human entities (independent to their role
as agents for incorporated agents or other forms of agent).

We need a service provider to support human centric services.  that is,
services designed to help the end-user primarily.  that is much the concept
that i believe established banks, from the days when people kept their
valuables under their beds. the bank securely stored, provided services



> fancier next-of-kin, and power-of-attorney and delegated/proxy scenarios
> are the kind of thing that
> could potentially be enabled via shared group or family certificates. none
> of this is shipping now,
> instead major services are implementing things on an adhoc basis:
>

Many of those use-cases should be covered by verifiable claims.


> “They listened to all the pundits and drew up the documents. Then the bank
> says, ‘That’s very nice, but it’s not our form.’”
>
>
> http://www.nytimes.com/2016/05/10/health/finding-out-your-power-of-attorney-is-powerless.html
>
> > Other situations may involve 'digital hostage' styled use-cases
>
> keeping in mind the classic https://xkcd.com/538/ when thinking about
> keys is good
>
> will check.


> a concensus system involving group-members could robustify against this
> attack,
> you can hold a wrench and point a gun at one person, but can you round up
> enough
> like-minded evil to do this to >50% of the group-members which would be
> required to
> do X where X is something like transfer ownership, add new members to
> group etc
>
> i think social groups is better than hash-power.  if everyone walks from
you, perhaps thats the worst thing; not the loss of ya data.  Energy cant
help that, often money does, but i' prefer to see it made for the right
reasons more often.

Tim.H.
Received on Monday, 6 June 2016 14:10:37 UTC