W3C

- DRAFT -

SV_MEETING_TITLE

31 Oct 2012

See also: IRC log

Attendees

Present
Henry S. Thompson, Alexandre Bertails
Regrets
Chair
SV_MEETING_CHAIR
Scribe
richt


<scribe> scribenick: npdoty

henry story on WebID, David Dahl on Mozilla API, Eric on @@@

hhalpin: background on identity
... lots going on, but yet to have a Working Group or a coherent forward direction
... Mozilla has its work on Persona
... what's the role of the client device?
... Crypto API came out of that
... looking for the low-hanging fruit that we can enable realistically

WebID

bblfish: philosophically, start from what identity is -- the relation from a name to a person
... on the Web we have URIs and we can name people this way
... several systems that have tried to do this
... OpenID, OAuth, OAuth2, WebID over TLS, XAML solutions
... looking to be able to identify a user in a global context
... might have a Freedom Box at home with your info and your social network
... should have a privacy-preserving way to connect when you want to
... rather than a siloed system where you have to create new accounts/identities for each service

<betehess> raw minutes from the #webid F2F at TPAC are available at http://www.w3.org/2012/10/29-webid-minutes.html and http://www.w3.org/2012/10/30-webid-minutes.html

<richt> Scribe: richt

<scribe> scribenick: npdoty

bblfish: started off looking at TLS, which works in the browser
... good enough to do authentication globally, 10 different implementations in different languages
... at the same time hhalpin et al working on cryptography in the browser to do something very similar
... I think BrowserID is doing this without crypto in the browser
... should be able to go to a site, click a button, and link your identity there
... should be able to describe resources and have access control rules
... we have all the technologies at W3C to get this going
... need the linked data people for semantics, TLS people, crypto people for Web API
... from this we can build a distributed social web (to be spoken about during #social)
... WebID we've redefined with Tim's help, a dereferenceable HTTP URL with information about the user

<oberger> who's speaking?

ekr: what WebRTC is trying to do

WebRTC

<adambe> ekr is speaking

<burn> Eric Rescorla is speaking

ekr: ability to call other users, speak peer to peer between browsers
... need ability to authenticate and trust
... know who the person you're calling is, by leveraging the browser infrastructure
... aggregating these account mechanisms, whether I'm on PokerStars or Joe's Calling Service, I should be able to authenticate to my existing social accounts
... the same way that web sites now can authenticate you with your Facebook Connect
... the basic insight is that the most difficult part is: while the browser is generic, the servers have to be programmed
... the relying party isn't on a server, but in the browser, simple to just load javascript in the browser
... the relying party and the authenticating party both load the JS from the IDP in an iframe

[scribe missed that point]

ekr: can call my friend and know that they're my Facebook friend, without having to trust the site at all

Eric Rescorla, an IETF guy, working on this for Mozilla

hhalpin: some kind of key-based authentication is going to be crucial
... some work making it more generic outside of WebRTC WG

ekr: one thing about the defined interfaces is that any identity is determined based on the IDP domain name
... well-known URL to get the JS bridge from, and the set of messages to verify assertions

<bblfish> just found the channel

<bblfish> http://webid.info/spec

<bblfish> is the TLS version of WebID

<bblfish> my home page is http://webid.info/

<bblfish> So I mentioned the java cryptography api working group http://www.w3.org/2011/11/webcryptography-charter.html

<bblfish> the ldp Linked Data platform http://www.w3.org/2012/ldp/hg/ldp.html

<oberger> ah, finally someone's English slow enough to be understandable

mike jones, a long time contributor to OpenID

mike: we think that identity solutions have to work for more than just the browser
... chat clients, Skype clients, etc.
... building on top of OAuth we were able to make it work for rich clients as well
... in reaction to URL-based identity, lesson from 1st OpenID, most human beings are not willing to remember a URL
... one thing they may remember is their email address, if you can use something like that as an identifier more people may be willing to use it

bblfish: distinction between the URI and the identity that the user sees

<betehess> bblfish is making a very important point here

mike: gets to discovery as well

Demo from David at Mozilla

david: feedback from the crypto API
... how can we do crypto without any crypto in the DOM
... a bridge API, off of window.navigator.bridge.getCypherObject

<bblfish> yes, though WebID over TLS ( http://webid.info/spec still needs to be cleaned up on the new WebID definition) the URL is hidden in the X509 certificate. The user only sees his name. See the video on http://webid.info/

<bblfish> and it's a point and click operation for the user

david: enable extension APIs so that signed/encrypted data is passed back to the DOM
... if you don't trust the server with plain text, you might still be able to pull it off
... feedback from Google, Web Intents could play a role as well

[demo]

david: write some plain text, the browser provides a "crypto console" UI
... extension authors could provide whatever UI they want
... encrypt this little passage, and then it returns a ciphertext and signature
... a JSON object with the important details
... reading/deciphering pulls the ciphertext into the browser UI
... the content doesn't have access at all
... find me if you want to talk later

npd: awesome

hhalpin: seeing different elements in different WGs that are related
... harder to phish and authentication
... do have the work of OpenID Connect, Mozilla Persona,
... what is the lowest hanging fruit that we can standardize at W3C that can move authentication on the Web into a secure space?
... could include the work of David, encrypted content into the DOM from outside

<SteveH_> @bblfish, suggest you pass the vga cable to Nick Doty in the interim

hhalpin: most of the work being done outside of W3C

<betehess> A WebID is a hash HTTP URI which denotes an Agent. You can GET an RDF model as TURTLE.

betehess: just want to talk about identity, not necessarily simultaneously solve the problem of authentication

<hhalpin> We ran a workshop last May:

betehess: regarding OpenID in particular, when we want to speak about identity on the Web, it's very different than the identity that we expose to the user

<hhalpin> http://www.w3.org/2011/identity-ws/

<hhalpin> Folks may want to look at the final report:

betehess: when we talk, define what you mean by identity on the Web

<Zakim> betehess, you wanted to ask people here what does Identity *on* the Web mean for them (when speakers are done speaking) and to

<hhalpin> http://www.w3.org/2011/identity-ws/report.html

<bblfish> relation of Openid to WebID for example: <http://bblfish.net/people/henry/card#me> foaf:openid <http://bblfish.net/> .

hta: when we say HTTP URI, URIs as identifiers is fine, but don't resolve them

timbl: the people who believe you shouldn't look things up will never go away

<hhalpin> https://openid.net/connect/

<hhalpin> The OpenID specs are linked from there:

timbl: in past discussions at IETF it was thought that it was perhaps too dangerous, like with the hotel problem

[scribe doesn't actually know what the hotel problem is]

timbl: work on building systems for looking up URIs without necessarily resolving them

<hhalpin> https://www.mozilla.org/en-US/persona/

<hhalpin> Mozilla Persona:

timbl: could have a separate group on what to do when you're in a hotel and have a captive portal when you're trying to look something up

<martin> mnot has something of a solution for this problem, it's been published

timbl: definition from the LDP WG, everything is defined by HTTP URIs and people look them up all the time

<martin> RFC 6585

timbl: the question of what you're using as an identifier
... in some cases you'll require different levels of authentication, even if the identifier is the same

<hhalpin> EKR, do you have the latest URI for your work on the WebRTC identity work?

timbl: nice clean architecture so you can plug on to it
... Henry has a way to authenticate using SSL

<betehess> the point of HTTP URIs is that you don't need to define a new service to get information about them, just use the Web (HTTP GET)

timbl: authentication protocols can be designed separately

<adambe> hhalpin: ekr is not on IRC

timbl: the LDP Working Group can tell you what info you'll get back when you request a URI, content negotiation and different formats, another flexibility point in the architecture

<adambe> hhalpin: http://tools.ietf.org/html/draft-ietf-rtcweb-security

ashok: follow up to betehess, wonder if what you're asking for is "verified identity", the identity that really points to a person that would be accepted by, for example, the passport office or the social security office

betehess: important to make a clear distinction between identity and authentication
... what HTTP URIs give you is the ability to name what you are speaking of
... don't need to create new protocols
... we do RDF but not saying that you need to do RDF for authentication

hhalpin: comments?
... the identity space gets caught up in a number of well-known debates
... should we use an email address, an HTTP URI or something else?
... want a system with some decent security properties (beyond username, password and cookies)
... separate the concerns from what string you want to use as an identifier, distinct from the question of better authentication
... have yet to see a coherent plan for those pieces
... right now, it's trickier than not to do key-based authentication with OpenID

mike: OpenID will use the browser, just generic browser functionality, if that's where your client is
... if it's something in an app on your phone or your desktop, it's still possible to exchange claims there
... re: comment on "verified identity", identity is really contextual, you're never going to have just one
... holding some of the plastic identity tokens -- driver's license, corporate badge, grocery store loyalty program, frequent flier card
... these different identities used in different places, some of them used in multiple places
... have different levels of verification, release different claims about me, all of which matter in context, but I couldn't cross the border with some of these

<tanvi> mozilla is working on a contextual identity solution - https://wiki.mozilla.org/Security/Contextual_Identity_Project

mike: while as a computer scientist I do want us to develop common infrastructure for claims about me
... need to recognize different levels of requirements

bblfish: identity is contextual, but it's also social

<oberger> has anyone discussed OpenPGP in the previous days?

bblfish: certificates have an issuer as well, with browser developers you can massively increase trust by creating a space of an official social network
... countries having a list of shops, browser can do a lookup and verify whether it's listed in an appropriate official source
... an institutional social web
... can solve both problems simultaneously

<betehess> just wanted to say that the LDP community already has some answers to speak about the "context" that was mentioned by Mike: WebACLs. Again, this relies on a clear notion of URI-based identity and is decoupled from authentication

bblfish: when I go to a shop web site, the shop can look up a list of banks from the official government source

[demo]

bblfish: WebID with TLS, go to a website, a selector UI from the agent
... and then the site gets a nice picture of me
... browsers have had this for a long time, just need to provide more functionality about choosing a certificate and getting more information from it

ashok: agree with your goals and use cases, worried about a different set of problems, like cyberbullying, where you can make negative comments about people without being able to find out who it was that made the comment
... a fairly significant privacy problem
... possibly a different use case from what you're working on

<bblfish> cyberbullying is not something I think one can solve technically

<bblfish> but one should look into it...

<tanvi> I could say a few words.

hhalpin: is there any interest in this room trying to form WG or CG or brainstorming more about enabling better forms of authentication for web apps?

[some hands]

<betehess> worth mentioning that Ann Bassetti is proposing a session (the next one I believe) trying to organize a workshop

hhalpin: what else are we interested in working on?

bblfish: I'd like to get WebID over TLS through an official WG

<bblfish> http://webid.info/spec/

<bblfish> WebID over TLS is just using TLS and Linked Data

cullen: my observation is that we have too many identity systems, what can we do to get less of them? [xkcd reference to yet another standard]

<bblfish> so it's not really inventing anything new

hhalpin: some commonalities, key-based authentication being the most generic thing going on

cullen: a lot of application developers struggling to understand the differences between these

<bblfish> i.e. TLS has been available in the browser since 1998, so it's just a way of making what we have work globally

cullen: ekr proposing an abstraction over identity systems

<betehess> abstraction and standardization are two different things

<oberger> +1?

<hhalpin> webid list

<bblfish> List of people for WebID over TLS

<bblfish> +1

hhalpin: who wants to work on WebID?

<trueg> pro-WebID: Sebastian Trueg (OpenLink SW)

<betehess> +1

<bblfish> melvster has a +1

<timbl> Tim Berners-Lee

<develD> webid +1

<betehess> the proposal is *not* clear

jeff @@: the question is not whether I think WebID over TLS is the way to go, but what is the right forum for getting the major players to agree

<hhalpin> The proposal is a WebID Working Group charter

scribe: need a padded room for people to hammer things out

<betehess> hhalpin, WebID could be used as is by LDP (nothing about authentication)

<webr3> +1 for WebID WG charter

Mischinsky: if you don't have the major players at the table, it doesn't matter what this forum does, unless it has significant uptake

hhalpin: more generic version of the WebRTC proposal?

<oberger> what's the question?

<adambe> fluffy: http://xkcd.com/927/

hhalpin: is anyone interested in the problem of getting data to the DOM that's encrypted? David with a proposal and others

<betehess> I mean, all these things are interesting, they don't solve the same problems

<bblfish> need to look more into crypto in app, but sounds very interesting

[a few hands]

<oberger> I still don't have a clue what this all has to do with identity... but maybe a problem of language

<bblfish> Since you can publish your public key at your WebID you can then use those keys to encrypt things

npdoty interested, hhalpin interested

hhalpin: final comments?

<hhalpin> public-identity@w3.org

we have public-identity@w3.org for further discussion

<bblfish> great thanks

<bblfish> The demo I made of WebID over TLS was this site https://my-profile.eu/

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/10/31 13:43:18 $
