Identity in the Browser (F2C)

Issue/Topic: dentity in the Browser (F2C)

Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes

Convener: Paul Trevithick

Notes-taker(s): Charles Andres

Attendees: Phil Windley Jay Unger Barbara Trufia David Wolsey Phil Wolff Austin Fath Rainer 8 others

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

set of ID solns with lots of real world analogies to anonymous wallet etc. necessary part of constellation:
 * credentials
 * digital cash
 * addressy
 * money
 * group affil

how to shift th max power to the control of the indiv.

zero knowledge proof tech vapor trail cookie trail

active client smarter browser endless digital baptism

form fillng password

openID SAML ICF NASCAR popups
 * dif challenges - RP site - pick from

Dave Recordon of FBook FB level of consumer trust in the cecision is fairly low. a statement by your browser is highly trusted...
 * tests state that if advice that some popup would release info, open to FB?

takeaway: role of infastructure that completely control browser is the agent for the user

FB: consider the source.

selecors: AIR, etc. popups - use notice of consent tranpsarenc

2 windows become annoyance.

a barier with what we are trying to do.

the UX must become much more sophisticated.

credit card analogy -- compelling a 4 party agreement lots of protection are happening behind your back

we were naive how people interact with computer systems

you don't think about airbag technology

signals have to be simple uptake in EV signals because it is simple. green bar; simple signal, simple behavior.

radio button, checkbox is beyond simple signals and simple behavior. Google also has similar studies -- UN/PW is as complex as people can deal with.

Browser, tc. is a great place to make simple secure private work.

how to do this in an inclusive way? it has to embrace every protocol with traction the consumer don't care prtocols must disappear

How does a human login to a website across protocols?

pick an IdP. design can't be implemented tech doesn't exist.

browser is not on phones but there is a user agent

user agent determines look and feeluilt in standard response don't do it with questionable javascript identiriers are a kind of claim. 10 years ago browsers b

basic authentication came from IETF little progress since then

could start with ID Commons, but need to connect with IETF and how about W3C the ID space is so balkanized. but if there were one place --html, browsers, & ID

Jay: aftarid of constitutional monarchy

IETF more like a

if std and practice appear perhaps the IE logjam can be broken.

health care -- lot of info going into this 45K per doctor, $22B

could gov + healthcare drive this?

Federate authentication would help-

Dont forget your role as a procurement

$20M invested in ID space real customer real use case real money

best bet = Mozilla size of Firefox and IE are huge tag candy was even worse.

can we put info in the communication stack?
 * smaller certifable trustable

should we fix https at the same time?

tinest change in the broswer; do the service elsewhere.

similar to STSou what Dale did for Mac for i-cards running process in theuser space has security probs. Windiows did it outside user space or in the hardware.

yyou canif't experss simple signals without chagnig user interaction.

if the production comes from depths of comm stack, its a lot harder to screw up anti-virus software - keep me safe, don't talk to me about it.

M$, Androic, Firefox
 * devolving to open components

always have the issue of dumb environment, kiosk, school computer, etc. gotta get in and do something.

another mistake: work in a non modified airport kiosk.

red laser id scan???

openID knew a tiny bit of broswers (and tell the  RP) set the home page to the iGoogle page, and login.