[cap-talk] Webkeys vs. the web

Rob Meijer capibara at xs4all.nl
Sat Mar 28 09:31:03 EDT 2009

On Sat, March 28, 2009 02:51, David-Sarah Hopwood wrote:
> Stiegler, Marc D wrote:
>> -- now that we understand the analogy it is time to drop the
>> pejorative terminology). It would then be interesting to see how
>> many people screw around with passwords.
> Some people use password helpers, in which case they don't have to
> remember the password themselves. Of course, if they have access to
> the helper that stores their passwords then they could have used a
> bookmark, but using the password helper allows them to get to the
> site just by typing a memorable URL, and is consistent with what
> they do for other sites.
>> I would replace, "Users expect the burden of..." with "Users are
>> resigned in their hopeless despair to the farcical yet futile
>> requirement laid upon them by ivory-tower security people of...".
> It isn't ivory-tower dwellers who are mainly responsible in this
> case.

I feel the whole name/password-as-proof-of-identity concept has grown into
a usability nightmare. The main reason why it persists, IMO, is inertia
and familiarity, and the idea of many that familiarity equates to
usability. With the alternatives, OpenID and the like, not really picking
up, I feel the capability community might have a bit of a shot at coming
up with a REAL solution for the problem before we end up getting stuck in
yet another identity-based nightmare like OpenID. That is, if we can shake
the identity premises ourselves. I feel that we really need to step away a
bit from the mobility of identity and aim for mobility of authority.

In my view a smartphone or other network-enabled hand-held device with the
right software could be considered the ultimate portable bookmark tool,
and the ultimate tool of delegation. And without the need to use identity
everywhere, client certificates would be a reasonable way to reassert
identity and re-delegate authority, or to revoke the identity the
smartphone carries if the smartphone is lost or stolen.

To summarize, you would end up with the following:

1) From a single system that you trust with your identity, which holds
   your client certificate, one proves one's identity to all services and
   creates the relevant (powerful) bookmarks.
2) From these bookmarks, create revocable sub-authority bookmarks for
   delegation to your smartphone, and delegate these to the smartphone.
3) From the smartphone, create auto-revoked single-session membrane URIs
   and delegate these to the workstation.

There are, however, two important hurdles to overcome: the first is
dropping OUR own bias toward mobile identity in order to start thinking
clearly about the problem that needs to be resolved, and the second is
implementing the above in a way that is considerably less of a usability
nightmare than having to work with 40 or 50 separate username/password
combinations.

This second one might be more of a challenge given that many people simply
opt to use the same password and where possible the same user-name and
don't recognize a problem with that. If however we can manage to get out
of the ivory tower, and come up with a really usable interface for the
above, the result would be a tremendous step forward.
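The three-step chain sketched in this post, modelled in working code as an added illustration (this is not code from the post, from cap-talk, or from any capability project): a toy webkey service that mints a root webkey once identity has been proven, derives a revocable sub-authority from it for the smartphone, and from that derives a session-limited membrane URI for the workstation. The class names, the `service.invalid` host, and the client-cert check (a caller-supplied certificate subject standing in for a real TLS handshake) are assumptions made for the example.

```python
"""Toy webkey service modelling root -> smartphone -> workstation delegation.
Added example, not code from the cap-talk post; names and host are assumed."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Capability:
    """Server-side record behind one webkey. The raw token is never stored;
    only its SHA-256 digest, so a copied store does not yield authority."""
    resource: str
    parent: Optional[str]            # digest of the parent webkey, None at the root
    revoked: bool = False
    expires_at: Optional[float] = None


class FakeClock:
    """Settable clock so session expiry can be exercised without sleeping."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class WebkeyService:
    BASE = "https://service.invalid/cap/"   # assumed placeholder host

    def __init__(self, clock: Callable[[], float] = time.time):
        self._caps: dict[str, Capability] = {}
        self._clock = clock

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, cap: Capability) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits: unguessable by design
        self._caps[self._digest(token)] = cap
        return self.BASE + token

    def _lookup_digest(self, webkey: str) -> str:
        if not webkey.startswith(self.BASE):
            raise PermissionError("not a webkey for this service")
        return self._digest(webkey[len(self.BASE):])

    def _resolve(self, digest: str) -> Capability:
        """Walk the membrane chain: every ancestor must still be live."""
        cap = self._caps.get(digest)
        if cap is None:
            raise PermissionError("unknown webkey")
        if cap.revoked:
            raise PermissionError("webkey revoked")
        if cap.expires_at is not None and self._clock() >= cap.expires_at:
            raise PermissionError("webkey expired")
        if cap.parent is not None:
            self._resolve(cap.parent)            # revoking a parent kills all children
        return cap

    # Step 1: the trusted system authenticates once (the client-cert subject
    # stands in for the handshake) and receives a powerful root webkey.
    def mint_root(self, cert_subject: str, resource: str) -> str:
        if not cert_subject:
            raise PermissionError("client certificate required to mint a root webkey")
        return self._mint(Capability(resource=resource, parent=None))

    # Step 2 (no ttl) and step 3 (ttl = session lifetime): derive a
    # sub-authority that dies with its parent or with its own expiry.
    def delegate(self, webkey: str, ttl: Optional[float] = None) -> str:
        parent_digest = self._lookup_digest(webkey)
        parent = self._resolve(parent_digest)    # refuses revoked/expired parents
        expires = self._clock() + ttl if ttl is not None else None
        return self._mint(Capability(resource=parent.resource,
                                     parent=parent_digest, expires_at=expires))

    def revoke(self, webkey: str) -> None:
        cap = self._caps.get(self._lookup_digest(webkey))
        if cap is None:
            raise PermissionError("unknown webkey")
        cap.revoked = True

    def use(self, webkey: str) -> str:
        """Exercise the authority the webkey designates."""
        return self._resolve(self._lookup_digest(webkey)).resource


def is_live(svc: WebkeyService, webkey: str) -> bool:
    """True if the webkey still grants its authority, False otherwise."""
    try:
        svc.use(webkey)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    svc = WebkeyService(clock=clock)
    root = svc.mint_root("CN=rob", "calendar")     # step 1: trusted system
    phone = svc.delegate(root)                     # step 2: smartphone
    workstation = svc.delegate(phone, ttl=600)     # step 3: one session
    print("workstation live:", is_live(svc, workstation))
    svc.revoke(phone)                              # phone lost: cut the branch
    print("workstation after phone revoked:", is_live(svc, workstation))
    print("root still live:", is_live(svc, root))
```

The point the code makes concrete is the membrane: the workstation's URI carries no identity and no password, only a chain of designations back to the root, so losing the phone is handled by revoking one link and every session it issued dies with it, while the root authority held on the trusted system is untouched.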

