Identity in the Browser-IIW-East
Identity in the Browser (F2C)
Convener: Paul Trevithick
Notes-taker(s): Charles Andres
Attendees: Phil Windley, Jay Unger, Barbara Trufia, David Wolsey, Phil Wolff, Austin Fath, Rainer, 8 others
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
set of ID solutions with lots of real-world analogies to anonymous wallet
- credentials
- digital cash
etc.
necessary part of constellation:
- address
- money
- group affiliation
how to shift the max power to the control of the individual.
zero knowledge proof tech
vapor trail
cookie trail
active client
smarter browser
endless digital baptism
form filling
password
OpenID
SAML
ICF
- dif challenges - RP site - pick from
NASCAR popups
Dave Recordon of FBook
- tests state that if advice that some popup would release info, open to FB?
FB level of consumer trust in the decision is fairly low.
a statement by your browser is highly trusted...
takeaway: role of infrastructure that completely control
browser is the agent for the user
FB: consider the source.
selectors: AIR, etc.
popups - use notice of consent transparency
2 windows become annoyance.
a barrier with what we are trying to do.
the UX must become much more sophisticated.
credit card analogy -- compelling
a 4 party agreement
lots of protection are happening behind your back
we were naive how people interact with computer systems
you don't think about airbag technology
signals have to be simple
uptake in EV signals because it is simple.
green bar;
simple signal, simple behavior.
radio button, checkbox is beyond simple signals and simple behavior.
Google also has similar studies -- UN/PW is as complex as people can deal with.
Browser, etc. is a great place to make simple secure private work.
how to do this in an inclusive way?
it has to embrace every protocol with traction
the consumer doesn't care
protocols must disappear
How does a human login to a website across protocols?
pick an IdP.
design can't be implemented; tech doesn't exist.
browser is not on phones but there is a user agent
user agent determines look and feel; built-in standard response
don't do it with questionable javascript
identifiers are a kind of claim.
10 years ago browsers b
basic authentication came from IETF
little progress since then
could start with ID Commons, but need to connect with IETF
and how about W3C
the ID space is so balkanized. but if there were one place --html, browsers, & ID
Jay: afraid of constitutional monarchy
IETF more like a
if std and practice appear perhaps the IE logjam can be broken.
health care -- lot of info going into this 45K per doctor, $22B
could gov + healthcare drive this?
Federated authentication would help
Don't forget your role as a procurement
$20M invested in ID space
real customer
real use case
real money
best bet = Mozilla
size of Firefox and IE are huge
tag candy was even worse.
can we put info in the communication stack?
- smaller certifiable trustable
should we fix https at the same time?
tiniest change in the browser; do the service elsewhere.
similar to STSou what Dale did for Mac for i-cards
running process in the user space has security problems.
Windows did it outside user space
or in the hardware.
you can't express simple signals without changing user interaction.
if the production comes from depths of comm stack, it's a lot harder to screw up
anti-virus software - keep me safe, don't talk to me about it.
M$, Android, Firefox
- devolving to open components
always have the issue of dumb environment, kiosk, school computer, etc.
gotta get in and do something.
another mistake: work in a non modified airport kiosk.
red laser id scan???
OpenID knew a tiny bit of browsers (and tell the RP)
set the home page to the iGoogle page, and login.