From: David Sugar
Subject: Re: [Auth]Re: What I perceive is wrong with IDsec (was IDsec specification draft)
Date: Sun, 06 Jan 2002 08:56:30 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20010914

Yes, IDsec does permit, and even to some degree actively encourages, the existence of "trusted" third parties to hold users' personal data. This has both good and bad aspects and largely depends on who deploys it and how. In this respect, it certainly does have risks if it came into widespread use. Certainly that same fact that commercial providers can host user profiles is both its greatest strength, for it makes it appealing to commercial entities to adopt, and its weakness, in that some of those same commercial entities will certainly try to take advantage of it and users as you suggest. Are several dozen tyrannies any better than one? In this I agree the answer is no.

If we can make it very simple for anyone to configure and self-host profiles and incorporate profile services and their configuration directly as a native part of a given desktop, like say in the GNOME or KDE control panel, then those risks are lessened. If it is common for small companies, communities, and other organizations to run identity services as part of an online community building process, and hence it becomes common for people to associate data with organizations they are affiliated with, then I do not think this aspect of IDsec is at all bad and in fact has a potential to be very useful.

Perhaps I take the optimistic view on IDsec, and I think the question is very much worth debate and further discussion. I have wanted to see more discussion on IDsec and other proposals for quite some time now. Our goal is not to simply say "this is what DotGNU identity is, take it or leave it", but to arrive at the most correct and ethical solution that is technically feasible through consensus. I happen to like IDsec because, while not perfect, it exists, it can be demonstrated, and it has potential, when used correctly, to achieve our goals. Of course, it certainly can also be abused....

David John wrote:

My language herein is a bit strong, clipped, and monofocussed. I will write answers to the other questions.

David Sugar wrote:

What Hans said was what my comment was going to be, which, essentially, in the IDsec model, you can always be your own profile provider, and one hopes one can trust oneself :).

If "oneself" is you, Hans, or myself; then I could agree that each of us could trust "oneself". Will I say the same of 90% of the users of Passport: the so-called common consumers we are trying to offer an alternative to? No, I would be hard put to say they can trust themselves to be their own privacy admins.

Think of the technical level of the target audience? Some will be like us; they will easily be able to install even a difficult package. They will easily be able to configure such a package even in the absence of a GUI. They may even eschew a GUI in favour of a CL, because they are adept. Then there is the opposite extreme: the percentage who are amazed that they can change the screen resolution in Windows! The ones who despite repeated admonitions can be socially engineered into opening worms and viruses? The possibly gullible and definitely trusting non-technical masses?

They are not given privacy under IDsec and this is a weakness. We are you saying, "If you're one of the 90%, you don't deserve complete privacy?" With IDsec, either "DIY or give up your meta-information (and possibly even your information)." That's not a guarantee of freedom. That's Passport with a self-hosting option for the technical elites; and for the technical elites - a new wallet store they can access remotely.

Are we providing a consumer solution for a broad market or a solution for just us? Someone please tell me where in my analysis I'm wrong?

John Le'Brecage