Re: [community] from W3C….Fwd: Proposal: "User" header field

Nat Sakimura sakimura at gmail.com
Wed Jul 17 23:56:25 UTC 2013


Thanks for reaching out and the clarification.

I gather that you envision some kind of user interface on the browser so
that the user can store the user identifier in the URI form (which happen
to be OpenID 1.0 concept, btw).

Then, the web sites asks for the header when they want, and the user
encounters a dialogue whether or not to give it.

Is that the use case?

IMHO, there are two problems with it.

1. Re: privacy: People will be trained to click Yes, turning the Internet
Dog into Pavlov's Dog.
2. Re: security: Web sites will make mistakes to assume that is an
authenticated identifier. It is not.
    It is easy to spoof. It will cause user's accounts being hijacked, etc.
3. Re: fraud: Users has no protection layer between the malicious site and
the web browser.
    It is a common attack by the fraudulent sites to ask for money when
they get hold of user's identifier.
    In the IdP model, IdPs can block and filter the RP request for the user
identifier protecting the user.
    It has been a big issue in Japan, at least, since Mobile browsers of
the feature phones actually
    sent the user identifier as hint.

Even if we say "it is just a hint" in the specification, people will not
read it and make mistakes.
It is the duty of us protocol designers to consider these "human factors"
into account and consider the public safety issues.

I would probably be ok to send the IdP's address as a hint, as it cannot be
mistaken as a user identifier then by the sites. It poses less  privacy
issues as well, and users has more protection.

Best,

Nat


2013/7/18 Melvin Carvalho <melvincarvalho at gmail.com>

>
>
>
> On 18 July 2013 01:06, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> Hi.
>>
>> I am forwarding the mail in the identity commons list.
>>
>> Apparently, there is an initiative at W3C proposing a new "identity"
>> header, which I believe is actually harmful for the general public. Simple
>> web sites are going to take it as authenticated identity and thus will
>> cause identity theft of their users.
>>
>> Their proposal is to include
>>
>>   User: http://this.is.the/user/identifier
>>
>> in the HTTP header.
>>
>> Could those of you active in W3C reach out to them?
>>
>> As I have written below, if it were to just include the IdP address as a
>> hint, I am kind of fine.
>>
>
> Thanks for sharing this.  Since this was my proposal, I hope I can shed a
> bit of light light.
>
> Firstly, it's not the W3C, simply a group of people brainstorming in the a
> W3C hosted forum (aka community groups).  The proposal has no official
> standing, but if there are no objections, the idea is to try and push the
> idea upstream.
>
> Yes, the idea is that it is just a hint.  Note the text:
>
> "The client SHOULD NOT send the User header field without the user's
> approval, as it might conflict with the user's privacy interests or their
> site's security policy. It is strongly recommended that the user be able to
> disable, enable, and modify the value of this field at any time prior to a
> request."
>
> We asked the IETF if we could use the "From" header for this, but the
> feedback is that "From" is restricted to email, and this would be difficult
> to change.  The suggestion was to come up with a new header.  Very happy to
> have feedback, I've followed IIW work for many years.
>
>
>>
>> Best,
>>
>> Nat
>>
>> ---------- Forwarded message ----------
>> From: Kaliya "Identity Woman" <kaliya-lists at identitywoman.net>
>> Date: 2013/7/18
>> Subject: Re: [community] from W3C….Fwd: Proposal: "User" header field
>> To: Nat Sakimura <sakimura at gmail.com>
>> Cc: "community at lists.idcommons.net" <community at lists.idcommons.net>
>>
>>
>> Yes Nat,  Thats sort of what I got from reading it.
>>
>> Who among us is very active in the W3C world?
>>
>> If no one should we be figuring out who should be?
>>
>> Should we write them a letter asking them to send "identitish" proposals
>> to IIW? or other forums for good input?
>>
>> Maybe we should write something that is like understanding identity
>> basics for technical specification folks across a range of standards bodies?
>>
>> - Kaliya
>>
>> On Jul 17, 2013, at 3:32 AM, Nat Sakimura wrote:
>>
>> Whoa, what's that?!
>>
>> That's not only useless but actually harmful.
>>
>> I can kind of see some utility in sending the IdP address, but not the
>> user.
>>
>> =nat via iPhone
>>
>> On Jul 16, 2013, at 7:39, "Kaliya \"Identity Woman\"" <
>> kaliya-lists at identitywoman.net> wrote:
>>
>> Hi folks,
>>  Apparently the W3C wants to send "user" names along in HTTP headers.
>>   I thought some folks who know about identity and how it
>> does/could/should work might be up for chiming in over there.
>>   It seems like Authentication of identity might be a good thing rather
>> then just assertion.
>>  - Kaliya
>>
>>
>> Begin forwarded message:
>>
>> *From: *Christine
>>
>>
>> As you know, I'm a big proponent of open standards. For this reason I
>> monitor many groups. You might be interested in the W3C Read Write Web
>> community group: http://www.w3.org/community/rww/
>>
>> I sent you a message a few weeks ago about Tabulator.
>>
>> See below messages about User header field. If you are not already a
>> member, I recommend you join and contribute!
>>
>> Christine
>>
>>
>> -------- Original Message --------  Subject: Re: Proposal: "User" header
>> field  Resent-Date: Sat, 13 Jul 2013 16:19:02 +0000  Resent-From:
>> public-rww at w3.org  Date: Sat, 13 Jul 2013 12:08:37 -0400  From: Joe
>> <presbrey at gmail.com> <presbrey at gmail.com>  To: Melvin Carvalho
>> <melvincarvalho at gmail.com> <melvincarvalho at gmail.com>  CC: public-rww
>> <public-rww at w3.org> <public-rww at w3.org>
>>
>> Great job Melvin!
>>
>>  Data.fm sends the User header already :)
>>
>>
>>
>>
>> On Jul 13, 2013, at 10:55 AM, Melvin Carvalho <melvincarvalho at gmail.com>
>> wrote:
>>
>>   I would be nice to be able to identify a user in HTTP, especially with
>> read/write protocols and access control, it can be important to know who is
>> trying to change something.
>>
>> There has been some discussion on whether the "From" header can be used
>> to identify a user in HTTP, and my from most people is that this would be a
>> good candidate to send a user, but for historical reasons it's limited to
>> email, and changing this would perhaps get some pushback from the IETF.
>>
>> The suggestion has been to choose another header, so I thought that
>> "User" might be a good candidate, since we have User Agent arleady.
>>
>>  Here's the proposed text:
>>
>> [[
>> User
>>
>> The User request-header field, if given, SHOULD contain an identifier for
>> the human user who controls the requesting user agent. The address SHOULD
>> be machine-usable, as defined by the "URI General Syntax" RFC 3986
>>
>>        User   = "User" ":" URI
>>
>> An example is:
>>
>>        User: http://www.w3.org/People/Berners-Lee/card#i
>>
>> This header field MAY be used for logging purposes and as a means for
>> identifying the source of invalid or unwanted requests. It SHOULD NOT be
>> used as an insecure form of access protection. The interpretation of this
>> field is that the request is being performed on behalf of the person given,
>> who accepts responsibility for the method performed. In particular, robot
>> agents SHOULD include this header so that the person responsible for
>> running the robot can be contacted if problems occur on the receiving end.
>>
>> The client SHOULD NOT send the User header field without the user's
>> approval, as it might conflict with the user's privacy interests or their
>> site's security policy. It is strongly recommended that the user be able to
>> disable, enable, and modify the value of this field at any time prior to a
>> request.
>>
>> ]]
>>
>>  Feedback welcome!
>>
>>
>>
>>
>>
>> ____________________________________________________________
>> You received this message as a subscriber on the list:
>>     community at lists.idcommons.net
>> To be removed from the list, send any message to:
>>     community-unsubscribe at lists.idcommons.net
>>
>> For all list information and functions, see:
>>      http://lists.idcommons.net/lists/info/community
>>
>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20130718/09978044/attachment.html>


More information about the specs mailing list