Re: [saag] Liking Linkability

Henry Story <henry.story@bblfish.net> Tue, 23 October 2012 11:53 UTC

From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <CABrd9SQC-ZSzS24q93a7WpR9vs79kzM_6pPcdbynvhcKOXWNcg@mail.gmail.com>
Date: Tue, 23 Oct 2012 13:52:49 +0200
Message-Id: <212677E1-8F0E-4005-8015-B4CD1233D67F@bblfish.net>
To: Ben Laurie <benl@google.com>
Cc: Halpin Harry <H.halplin@ed.ac.uk>, nathan@webr3.org, public-identity@w3.org, saag@ietf.org, "public-privacy@w3.org list" <public-privacy@w3.org>, public-webid@w3.org
Subject: Re: [saag] Liking Linkability

On 23 Oct 2012, at 12:50, Ben Laurie <benl@google.com> wrote:

> On 23 October 2012 10:56, Nathan <nathan@webr3.org> wrote:
>> Ben Laurie wrote:
>>> 
>>> b) Linkability is not, as you say, inherently bad. The problem occurs
>>> when you have (effectively) no choice about linkability.
>> 
>> 
>> .. and when people convey or infer that there is no choice about
>> linkability, when there really is scope to be as unlinkable as one likes
>> within WebID.
> 
> I have never disputed that - my point is that if I am as unlinkable as
> I like I then have a fairly horrific problem managing a large number
> of certificates and remembering which one I used where.


Yes, so browsers should in my view remember what selection you make when
you go to a web site, and resend the same certificate the next time you go
there. Mind you - they should also show you that they have done this and
allow you to change your previous choice - even if needed back to anonymous.
We argued this in a different thread on Transparency of Identity in the 
browser - and there I pointed to work by Aza Raskin as a good example of
what I meant
  http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

This then leaves the issue of how to do this across browsers, and I think
there are a number of synchronisation "protocols" that could be developed there.
In my view the only protocol needed here is HTTP + an ontology for bookmarks,
cookies, personas, etc... You give your browser your trusted home site where
you can POST, PUT, and GET all of these ids. A good protocol for this would be
the Atom protocol or, better, the in-development linked data protocol
  http://dvcs.w3.org/hg/ldpwg/raw-file/a3be44430b37/ldp.html

You probably don't even need to save the certificates for each site here; you
just need to know if you authenticated there using a global id, a local certificate,
or a password, and you could re-generate the identifiers. Well, you have a more
difficult time, it is true, for certificates bound to one site. And even saving cookies
is difficult because they may encode device type and screen size...

So that's a lot of work to get done right. I don't have anything against it being
done. It could even be helpful for WebID... But as my priority is building a
RESTful distributed social web, and as I am not employed by browser vendors to work
on such a protocol, .... (I'll use it when it's deployed)

In short these issues seem to be orthogonal, and can be developed in parallel.


   Henry

Social Web Architect
http://bblfish.net/
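An added illustration (not code from this thread, from any browser, or from the WebID project) of the browser-side memory described above: it records the identity chosen per origin, re-applies it silently on the next visit, lets the user inspect and revert that choice back to anonymous, and reports which origins have become linkable because they saw the same WebID URI or the same certificate. All origins, fingerprints and the WebID URI are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """A client certificate the user can present (constructed sample values)."""
    label: str
    cert_fingerprint: str        # hypothetical fingerprint, not a real certificate
    webid: Optional[str] = None  # global WebID URI, or None for a site-local cert

    def linking_key(self) -> str:
        # Two origins that saw the same WebID URI (or the same certificate)
        # can correlate their records of the user.
        return self.webid or self.cert_fingerprint


@dataclass
class IdentityStore:
    """Per-origin memory of the user's choice: an Identity, or None meaning
    'send no certificate' (anonymous). An absent origin was never decided."""
    choices: dict = field(default_factory=dict)

    def remember(self, origin: str, choice: Optional[Identity]) -> None:
        self.choices[origin] = choice

    def on_visit(self, origin: str):
        """Decide what to send when a site requests a client certificate:
        ('prompt', None) if there is no prior decision, ('none', None) if the
        user chose anonymous, ('send', identity) if a certificate is remembered."""
        if origin not in self.choices:
            return ("prompt", None)
        choice = self.choices[origin]
        return ("none", None) if choice is None else ("send", choice)

    def revert_to_anonymous(self, origin: str) -> None:
        """Transparency control: the user overrides an earlier choice."""
        self.choices[origin] = None

    def forget(self, origin: str) -> None:
        """Drop the memory so the browser asks again on the next visit."""
        self.choices.pop(origin, None)

    def linkable_groups(self) -> dict:
        """Origins grouped by the identifier they have seen; any group of two
        or more origins can link the user across those sites."""
        groups: dict = {}
        for origin, choice in self.choices.items():
            if choice is not None:
                groups.setdefault(choice.linking_key(), set()).add(origin)
        return {key: origins for key, origins in groups.items() if len(origins) > 1}
```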