Identity in the Browser-IIW-East

Identity in the Browser (F2C)

Convener: Paul Trevithick
Notes-taker(s): Charles Andres
Attendees: Phil Windley, Jay Unger, Barbara Trufia, David Wolsey, Phil Wolff, Austin Fath, Rainer, 8 others

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

- A set of ID solutions with lots of real-world analogies: anonymous wallet, credentials, digital cash, etc.
- Necessary parts of the constellation: address, money, group affiliation.
- How to shift the maximum power to the control of the individual.
- Zero-knowledge proof tech.
- Vapor trail, cookie trail.
- Active client, smarter browser.
- Endless digital baptism.
- Form filling, passwords.
- OpenID, SAML, ICF: different challenges. RP site: pick from the "NASCAR" popups.
- Dave Recordon of Facebook: tests state that if advised that some popup would release info, open to FB? The FB level of consumer trust in the decision is fairly low. A statement by your browser is highly trusted.
- Takeaway: the role of infrastructure that completely controls the browser is the agent for the user. FB: consider the source.
- Selectors: AIR, etc.
- Popups: used as notice of consent/transparency; two windows become an annoyance, a barrier to what we are trying to do. The UX must become much more sophisticated.
- Credit card analogy, compelling: a 4-party agreement; lots of protections are happening behind your back.
- We were naive about how people interact with computer systems; you don't think about airbag technology.
- Signals have to be simple. Uptake in EV signals because it is simple: green bar, simple signal, simple behavior. Radio button, checkbox is beyond simple signals and simple behavior.
- Google also has similar studies: username/password is as complex as people can deal with.
- Browser, etc. is a great place to make simple secure private work. How to do this in an inclusive way? It has to embrace every protocol with traction; the consumer doesn't care; protocols must disappear.
- How does a human log in to a website across protocols? Pick an IdP. Design can't be implemented; tech doesn't exist.
- The browser is not on phones, but there is a user agent. The user agent determines look and feel; built-in standard response. Don't do it with questionable JavaScript.
- Identifiers are a kind of claim.
- 10 years ago: browsers, basic authentication came from IETF; little progress since then.
- Could start with ID Commons, but need to connect with IETF, and how about W3C? The ID space is so balkanized, but if there were one place: HTML, browsers, and ID.
- Jay: afraid of constitutional monarchy. IETF more like a ... if standard and practice appear, perhaps the IE logjam can be broken.
- Health care: a lot of info going into this; 45K per doctor, $22B. Could government + healthcare drive this? Federated authentication would help. Don't forget your role as a procurement.
- $20M invested in the ID space: real customer, real use case, real money.
- Best bet = Mozilla. Size of Firefox and IE are huge. Tag candy was even worse.
- Can we put info in the communication stack? Smaller, certifiable, trustable. Should we fix HTTPS at the same time?
- Tiniest change in the browser; do the service elsewhere. Similar to STS, what Dale did for Mac for i-cards. Running a process in the user space has security problems. Windows did it outside user space or in the hardware.
- You can't express simple signals without changing user interaction. If the production comes from the depths of the comm stack, it's a lot harder to screw up.
- Anti-virus software: keep me safe, don't talk to me about it.
- Microsoft, Android, Firefox: devolving to open components.
- Always have the issue of a dumb environment: kiosk, school computer, etc. Gotta get in and do something. Another mistake: work in a non-modified airport kiosk.
- Red laser ID scan???
- OpenID knew a tiny bit of browsers (and tell the RP): set the home page to the iGoogle page, and log in.