Identity in the Browser (F2C)
Issue/Topic: Identity in the Browser (F2C)
Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes
Convener: Paul Trevithick
Notes-taker(s): Charles Andres
Attendees: Phil Windley, Jay Unger, Barbara Trufia, David Wolsey, Phil Wolff, Austin Fath, Rainer, 8 others
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
set of ID solns with lots of real world analogies to anonymous wallet
- credentials
- digital cash
etc. necessary part of constellation:
- address
- money
- group affil
how to shift the max power to the control of the indiv.
zero knowledge proof tech vapor trail cookie trail
active client smarter browser endless digital baptism
form filling password
openID SAML ICF
- dif challenges - RP site - pick from
NASCAR popups
Dave Recordon of FBook
- tests state that if advice that some popup would release info, open to FB?
FB level of consumer trust in the decision is fairly low. a statement by your browser is highly trusted...
takeaway: role of infrastructure that completely control browser is the agent for the user
FB: consider the source.
selectors: AIR, etc. popups - use notice of consent transparency
2 windows become annoyance.
a barrier with what we are trying to do.
the UX must become much more sophisticated.
credit card analogy -- compelling a 4 party agreement lots of protection are happening behind your back
we were naive how people interact with computer systems
you don't think about airbag technology
signals have to be simple uptake in EV signals because it is simple. green bar; simple signal, simple behavior.
radio button, checkbox is beyond simple signals and simple behavior. Google also has similar studies -- UN/PW is as complex as people can deal with.
Browser, etc. is a great place to make simple secure private work.
how to do this in an inclusive way? it has to embrace every protocol with traction the consumer don't care protocols must disappear
How does a human login to a website across protocols?
pick an IdP. design can't be implemented tech doesn't exist.
browser is not on phones but there is a user agent
user agent determines look and feel
don't do it with questionable javascript
identifiers are a kind of claim.
10 years ago browsers built in standard response
basic authentication came from IETF little progress since then
could start with ID Commons, but need to connect with IETF and how about W3C the ID space is so balkanized. but if there were one place --html, browsers, & ID
Jay: afraid of constitutional monarchy
IETF more like a
if std and practice appear perhaps the IE logjam can be broken.
health care -- lot of info going into this 45K per doctor, $22B
could gov + healthcare drive this?
Federated authentication would help-
Don't forget your role as a procurement
$20M invested in ID space real customer real use case real money
best bet = Mozilla size of Firefox and IE are huge tag candy was even worse.
can we put info in the communication stack?
- smaller certifiable trustable
should we fix https at the same time?
tiniest change in the browser; do the service elsewhere.
similar to STSou what Dale did for Mac for i-cards running process in the user space has security probs. Windows did it outside user space or in the hardware.
you can't express simple signals without changing user interaction.
if the production comes from depths of comm stack, its a lot harder to screw up anti-virus software - keep me safe, don't talk to me about it.
M$, Android, Firefox
- devolving to open components
always have the issue of dumb environment, kiosk, school computer, etc. gotta get in and do something.
another mistake: work in a non modified airport kiosk.
red laser id scan???
openID knew a tiny bit of browsers (and tell the RP) set the home page to the iGoogle page, and login.