See also: IRC log
<scribe> scribenick: npdoty
Henry Story on WebID, David Dahl on Mozilla API, Eric on @@@
hhalpin: background on identity
... lots going on, but yet to have a Working Group or a coherent forward direction
... Mozilla has its work on Persona
... what's the role of the client device?
... Crypto API came out of that
... looking for the low-hanging fruit that we can enable realistically
bblfish: philosophically, start from what identity is -- the relation from a name to a person
... on the Web we have URIs and we can name people this way
... several systems that have tried to do this
... OpenID, OAuth, OAuth2, WebID over TLS, SAML solutions
... looking to be able to identify a user in a global context
... might have a Freedom Box at home with your info and your social network
... should have a privacy-preserving way to connect when you want to
... rather than a siloed system where you have to create new accounts/identities for each service
<betehess> raw minutes from the #webid F2F at TPAC are available at http://www.w3.org/2012/10/29-webid-minutes.html and http://www.w3.org/2012/10/30-webid-minutes.html
<richt> Scribe: richt
<scribe> scribenick: npdoty
bblfish: started off looking at TLS, which works in the browser
... good enough to do authentication globally, 10 different implementations in different languages
... at the same time hhalpin et al. working on cryptography in the browser to do something very similar
... I think BrowserID is doing this without crypto in the browser
... should be able to go to a site, click a button, and link your identity there
... should be able to describe resources and have access control rules
... we have all the technologies at W3C to get this going
... need the linked data people for semantics, TLS people, crypto people for Web API
... from this we can build a distributed social web (speaking about during #social)
... WebID we've redefined with Tim's help, a dereferenceable HTTP URL with information about the user
<oberger> who's speaking ?
ekr: what WebRTC is trying to do
<adambe> ekr is speaking
<burn> Eric Rescorla is speaking
ekr: ability to call other users, speak peer to peer between browsers
... need ability to authenticate and trust
... know who the person you're calling is, by leveraging the browser infrastructure
... aggregating these account mechanisms, whether I'm on PokerStars or Joe's Calling Service, I should be able to authenticate to my existing social accounts
... the same way that web sites now can authenticate you with your Facebook Connect
... the basic insight is that the most difficult part is: while the browser is generic, the servers have to be programmed
... the relying party isn't on a server, but in the browser, simple to just load JavaScript in the browser
... the relying party and the authenticating party both load the JS from the IDP in an iframe
[scribe missed that point]
ekr: can call my friend and know that they're my Facebook friend, without having to trust the site at all
Eric Rescorla, an IETF guy, working on this for Mozilla
hhalpin: some kind of key-based authentication is going to be crucial
... some work making it more generic outside of WebRTC WG
ekr: one thing about the defined interfaces is that any identity is determined based on the IDP domain name
... well-known URL to get the JS bridge from, and the set of messages to verify assertions
<bblfish> just found the channel
<bblfish> http://webid.info/spec
<bblfish> is the TLS version of WebID
<bblfish> my home page is http://webid.info/
<bblfish> SO I mentioned the java cryptography api working group http://www.w3.org/2011/11/webcryptography-charter.html
<bblfish> the ldp Linked Data platform http://www.w3.org/2012/ldp/hg/ldp.html
<oberger> ah, finally someone's english slow enough to be understandable
Mike Jones, a long-time contributor to OpenID
mike: we think that identity solutions have to work for more than just the browser
... chat clients, Skype clients, etc.
... building on top of OAuth we were able to make it work for rich clients as well
... in reaction to URL-based identity, lesson from 1st OpenID, most human beings are not willing to remember a URL
... one thing they may remember is their email address, if you can use something like that as an identifier more people may be willing to use it
bblfish: distinction between the URI and the identity that the user sees
<betehess> bblfish is making a very important point here
mike: gets to discovery as well
david: feedback from the crypto API
... how can we do crypto without any crypto in the DOM
... a bridge API, off of window.navigator.bridge.getCypherObject
<bblfish> yes, though WebID over TLS ( http://webid.info/spec still needs to be cleaned up on the new WebID definition) the URL is hidden in the X.509 certificate. The user only sees his name. see video on http://webid.info/
<bblfish> and it's a point and click operation for the user
david: enable extension APIs so that signed/encrypted data is passed back to the DOM
... if you don't trust the server with plain text, you might still be able to pull it off
... feedback from Google, Web Intents could play a role as well
[demo]
david: write some plain text, the browser provides a "crypto console" UI
... extension authors could provide whatever UI they want
... encrypt this little passage, and then returns back a ciphertext and signature
... a JSON object with the important details
... reading/deciphering pulls the ciphertext into the browser UI
... the content doesn't have access at all
... find me if you want to talk later
npd: awesome
hhalpin: seeing different elements in different WGs that are related
... harder to phish and authentication
... do have the work of OpenID Connect, Mozilla Persona,
... what is the lowest hanging fruit that we can standardize at W3C that can move authentication on the Web into a secure space?
... could include the work of David, encrypted content into the DOM from outside
<SteveH_> @bblfish, suggest you pass the vga cable to Nick Doty in the interim
hhalpin: most of the work being done outside of W3C
<betehess> A WebID is a hash HTTP URI which denotes an Agent. You can GET an RDF model as TURTLE.
betehess: just want to talk about identity, not necessarily simultaneously solve the problem of authentication
<hhalpin> We ran a workshop last May:
betehess: regarding OpenID in particular, when we want to speak about identity on the Web, it's very different than the identity that we expose to the user
<hhalpin> http://www.w3.org/2011/identity-ws/
<hhalpin> Folks may want to look at the final report:
betehess: when we talk, define what you mean by identity on the Web
<Zakim> betehess, you wanted to ask people here what does Identity *on* the Web mean for them (when speakers are done speaking) and to
<hhalpin> http://www.w3.org/2011/identity-ws/report.html
<bblfish> relation of Openid to WebID for example: <http://bblfish.net/people/henry/card#me> foaf:openid <http://bblfish.net/> .
hta: when we say HTTP URI, URIs as identifiers are fine, but don't resolve them
timbl: the people who believe you shouldn't look things up will never go away
<hhalpin> https://openid.net/connect/
<hhalpin> The OpenID specs are linked from there:
timbl: in past discussions at IETF it was thought that it was perhaps too dangerous, like with the hotel problem
[scribe doesn't actually know what the hotel problem is]
timbl: work on building systems for looking up URIs without necessarily resolving them
<hhalpin> https://www.mozilla.org/en-US/persona/
<hhalpin> Mozilla Personae:
timbl: could have a separate group on what to do when you're in a hotel and have a captive portal when you're trying to look something up
<martin> mnot has something of a solution for this problem, it's been published
timbl: definition from the LDP WG, everything is defined by HTTP URIs and people look them up all the time
<martin> RFC 6585
timbl: the question of what you're using as an identifier
... in some cases you'll require different levels of authentication, even if the identifier is the same
<hhalpin> EKR, do you have the latest URI for your work on the WebRTC identity work?
timbl: nice clean architecture so you can plug on to it
... Henry has a way to authenticate using SSL
<betehess> the point of HTTP URIs is that you don't need to define a new service to get information about them, just use the Web (HTTP GET)
timbl: authentication protocols can be designed separately
<adambe> hhalpin: ekr is not irc
timbl: the LDP Working Group can tell you what info you'll get back when you request a URI, content negotiation and different formats, another flexibility point in the architecture
<adambe> hhalpin: http://tools.ietf.org/html/draft-ietf-rtcweb-security
ashok: follow up to betehess, wonder if what you're asking for is "verified identity", the identity that really points to a person that would be accepted by, for example, the passport office or the social security office
betehess: important to make a clear distinction between identity and authentication
... what HTTP URIs give you is the ability to name what you are speaking of
... don't need to create new protocols
... we do RDF but not saying that you need to do RDF for authentication
hhalpin: comments?
... the identity space gets caught up in a number of well-known debates
... should we use an email address, an HTTP URI or something else?
... want a system with some decent security properties (beyond username, password and cookies)
... separate the concerns from what string you want to use as an identifier, distinct from the question of better authentication
... have yet to see a coherent plan for those pieces
... right now, it's trickier than not to do key-based authentication with OpenID
mike: OpenID will use the browser, just generic browser functionality, if that's where your client is
... if it's something in an app on your phone or your desktop, it's still possible to exchange claims there
... re: comment on "verified identity", identity is really contextual, you're never going to have just one
... holding some of the plastic identity tokens -- driver's license, corporate badge, grocery store loyalty program, frequent flier card
... these different identities used in different places, some of them used in multiple places
... have different levels of verification, release different claims about me, all of which matter in context, but I couldn't cross the border with some of these
<tanvi> mozilla is working on a contextual identity solution - https://wiki.mozilla.org/Security/Contextual_Identity_Project
mike: while as a computer scientist I do want us to develop common infrastructure for claims about me
... need to recognize different levels of requirements
bblfish: identity is contextual, but it's also social
<oberger> has anyone discussed OpenPGP in the previous days ?
bblfish: certificates have an issuer as well, with browser developers you can massively increase trust by creating a space of an official social network
... countries having a list of shops, browser can do a lookup and verify whether it's listed in an appropriate official source
... an institutional social web
... can solve both problems simultaneously
<betehess> just wanted to say that the LDP community already has some answers to speak about the "context" that was mentioned by Mike: WebACLs. Again, this relies on a clear notion of URI-based identity and it is decoupled from authentication
bblfish: when I go to a shop web site, the shop can look up a list of banks from the official government source
[demo]
bblfish: WebID with TLS, go to a website, a selector UI from the agent
... and then the site gets a nice picture of me
... browsers have had this for a long time, just need to provide more functionality about choosing a certificate and getting more information from it
ashok: agree with your goals and use cases, worried about a different set of problems, like cyberbullying, where you can make negative comments about people without being able to find out who it was that made the comment
... a fairly significant privacy problem
... possibly a different use case from what you're working on
<bblfish> cyber bullying is not something I think one can solve technically
<bblfish> but one should look into it...
<tanvi> I could say a few words.
hhalpin: is there any interest in this room trying to form WG or CG or brainstorming more about enabling better forms of authentication for web apps?
[some hands]
<betehess> worth mentioning that Ann Bassetti is proposing a session (the next one I believe) trying to organize a workshop
hhalpin: what else are we interested in working on?
bblfish: I'd like to get WebID over TLS through an official WG
<bblfish> http://webid.info/spec/
<bblfish> WebID over TLS is just using TLS and Linked Data
cullen: my observation is that we have too many identity systems, what can we do to get less of them? [xkcd reference to yet another standard]
<bblfish> so it's not really inventing anything new
hhalpin: some commonalities, key-based authentication being the most generic thing going on
cullen: a lot of application developers struggling to understand the differences between these
<bblfish> ie. TLS is in the browser available since 1998, so it's just a way of making what we have work globally
cullen: ekr proposing an abstraction over identity systems
<betehess> abstraction and standardization are two different things
<oberger> +1 ?
<hhalpin> webid list
<bblfish> List of people for WebID over TLS
<bblfish> +1
hhalpin: who wants to work on WebID?
<trueg> pro-WebID: Sebastian Trueg (OpenLink SW)
<betehess> +1
<bblfish> melvster has a +1
<timbl> Tim Berners-Lee
<develD> webid +1
<betehess> the proposal is *not* clear
jeff @@: the question is not whether I think WebID over TLS is the way to go, but what is the right forum for getting the major players to agree
<hhalpin> The proposal is a WebID Working Group charter
scribe: need a padded room for people to hammer things out
<betehess> hhalpin, WebID could be used as is by LDP (nothing about authentication)
<webr3> +1 for WebID WG charter
Mischinsky: if you don't have the major players at the table, it doesn't matter what this forum does, unless it has significant uptake
hhalpin: more generic version of the WebRTC proposal?
<oberger> what's the question ?
<adambe> fluffy: http://xkcd.com/927/
hhalpin: is anyone interested in the problem of getting data to the DOM that's encrypted? David with a proposal and others
<betehess> I mean, all these things are interesting, they don't solve the same problems
<bblfish> need to look more into crypto in app, but sounds very interesting
[a few hands]
<oberger> I still don't have a clue what this all has to do with identity... but maybe a problem of language
<bblfish> Since you can publish your public key at your WebID you can then use those keys to encrypt things
npdoty interested, hhalpin interested
hhalpin: final comments?
<hhalpin> public-identity@w3.org
we have public-identity@w3.org for further discussion
<bblfish> great thanks
<bblfish> The demo I made of WebID over TLS was this site https://my-profile.eu/
Minutes: http://www.w3.org/2012/10/31-identity-minutes.html (31 Oct 2012)