
Re: [Auth]delurking with opinions


From: Albert Scherbinsky
Subject: Re: [Auth]delurking with opinions
Date: Sat, 04 Aug 2001 21:15:44 -0400

"Kurt L. Sussman" wrote:
> 
> Albert Scherbinsky (address@hidden) typed this ...
> > > First, I don't want to be tied to any browser.
> >
> > My choice of Netscape as the first prototype implementation
> > was not meant to limit anybody. If you want to do
> > implementations on IE, Konqueror or Lynx go ahead, there is
> > nothing anyone will do to stop you. :)
> 
> I'm still not convinced that the browser has to become smarter for this
> to work. I do understand that putting this functionality into the
> browser opens it up to everyone, whether they can run their own server
> or not (due to firewall, policy, or other restrictions). Open access is
> a very good thing.

Again, the browser becoming smarter isn't a necessary
condition for compliance with the SIML/PIBXML/SingleLogin
standard. However, some people are going to want it in this
configuration. Some people don't want to entrust any service
provider with their personal data. Think of the possible
implementation architectures as providing a spectrum of
combinations of privacy and convenience.
 
> My concern is that people won't install a plugin. It's too much work for
> the average user (e.g. my mom). That's how IE got its market share; by
> being the default. Passport is the default; how do we get people to take
> one extra step to dotGNU auth?

This is a valid concern, but for those who want the highest
degree of privacy, nothing other than managing their personal
information on their own computer will do. They see
installing a plugin as a very minor inconvenience. For the
very best page description format, people still install
Acrobat.
 
> > > Second, I think the kiosk question has to be considered from the
> > > beginning.
> >
> > The current SingleLogin/SIML/PIBXML spec can work with
> > Kiosks as follows:
> > The clever folks at www.webSLAP.com (web SingleLogin
> > Application Service) decide to design an implementation
> > architecture that works by entirely hosting the Single Login
> > application as a web service. So you, from a kiosk with
> > nothing more than HTML/HTTPS support, are able to login to
> > <snip>
> > We have to start somewhere. A mozilla plugin is a good place
> > to start.
> 
> OK, a proxy service is fairly painless. How about using a proxy to fill
> in those forms? Then there are no pesky commercial software vendors to
> convince of the project's value. It's easy to set up for most browsers,
> and anyone who has a public server can host a proxy for their community.
> My company will host such a server, when it exists.

Bingo, we don't want to limit people's ideas about how they
might implement. If convenience is your utmost concern, then
implement a suitable architecture.

> As long as the spec is tight enough that any conforming implementation
> will work, I'm happy. I just like to see things like that specified.
> After all, privacy is one of the reasons we're not satisfied with
> Passport, right?

Even if we specified how the access control to PIBs worked,
it still wouldn't guarantee that a particular implementation
would work, and then we would get someone like you, who would
come along and say, "But I don't like the way you spec'd it."
:) The goals of the standard we are specifying are
Simplicity and User Choice. I think that this is the best we
can do. Simple designs are easier to get right than complex
designs. We're assuming that users will prefer
implementations that work over those that don't. What we are
after is guaranteeing interoperability with participating
web services. This guarantees that any implementation will
work with all participating web services. Then the user is
free to choose the implementation that works best for them.

To be sure, the access control should be specified. Just not
within the scope of the SIML/PIBXML/SingleLogin standard. It
should be specified by the implementor, and rigorously
tested.


> > We are not advocating unrestricted access, or promoting one
> > implementation architecture over another. We are not
> > specifying either of these things as part of the standard.
> > We leave these details to implementors to allow for the best
> > ideas to rise to the surface. Each user can decide what they
> > want from the available implementations.
> 
> Once there's a reference implementation for me to plagiarize, I'll try
> to build a proxy-based form-filler with access control on a per-element
> basis. Maybe it'll rise to the top... #:)

Imitation is the sincerest form of flattery. :)
 
Regards,
-- 
Albert Scherbinsky
Drop by at: http://members.home.net/alberts/

Convenient control of our personal information:
Single Login:
http://members.home.net/alberts/single.htm
Simple Interface Markup Language:
http://members.home.net/alberts/siml.htm
Personal Information Base XML:
http://members.home.net/alberts/PIB.htm

