On 10/22/2012 02:03 PM, Kingsley Idehen wrote:
On 10/22/12 7:26 AM, Ben Laurie wrote:
On 22 October 2012 11:59, Kingsley Idehen <[email protected]> wrote:
On 10/22/12 5:54 AM, Ben Laurie wrote:
Where we came in was me pointing out that if you disconnect your
identities by using multiple WebIDs, then you have a UI problem, and
since then the aim seems to have been to persuade us that multiple
WebIDs are not needed.
Multiple WebIDs (or any other cryptographically verifiable identifier)
are a must.
The issue of UI is inherently subjective. It can't be used to
objectively validate or invalidate Web-scale verifiable identifier
systems such as WebID or any other mechanism aimed at achieving the
same goals.
Ultimately what matters is: do users use it correctly? This can be
tested :-)
Note that it is necessary to test the cases where the website is evil,
too - something that's often conveniently missed out of user testing.
For example, it's pretty obvious that OpenID fails horribly in this
case, so it tends not to get tested.
Okay.
Anyway, Henry, I, and a few others from the WebID IG (hopefully) are
going to knock up some demonstrations to show how this perceived UI/UX
inconvenience can be addressed.
Cool.
Okay, ball is in our court to now present a few implementations that
address the UI/UX concerns.
Quite relieved to have finally reached this point :-)
No, it's not a UI/UX concern, although the UI experience of both identity
on the Web and with WebID in particular is quite terrible, I agree.
My earlier concern was an information flow concern that causes the issue
with linkability, which WebID shares to a large extent with other
server-side information-flow. As stated earlier, as long as you trust
the browser, BrowserID does ameliorate this. There is also this rather
odd conflation of "linkability" of URIs with hypertext and URI-enabled
Semantic Web data and linkability as a privacy concern.
I do think many people agree stronger cryptographic credentials for
authentication are a good thing, and BrowserID is based on this and
OpenID Connect has (albeit not often used) options in this space. I
would, again, please suggest that the WebID community take on board
comments in a polite manner and not cc mailing lists.