<div dir="ltr">Thanks for reaching out and the clarification. <div><br></div><div style>I gather that you envision some kind of user interface on the browser so that the user can store the user identifier in the URI form (which happen to be OpenID 1.0 concept, btw). </div>
<div style><br></div><div style>Then, the web sites asks for the header when they want, and the user encounters a dialogue whether or not to give it. </div><div style><br></div><div style>Is that the use case? </div><div style>
<br></div><div style>IMHO, there are two problems with it. </div><div style><br></div><div style>1. Re: privacy: People will be trained to click Yes, turning the Internet Dog into Pavlov's Dog. </div><div style>2. Re: security: Web sites will make mistakes to assume that is an authenticated identifier. It is not. </div>
<div style> It is easy to spoof. It will cause user's accounts being hijacked, etc. </div><div style>3. Re: fraud: Users has no protection layer between the malicious site and the web browser. </div><div style> It is a common attack by the fraudulent sites to ask for money when they get hold of user's identifier. </div>
<div style> In the IdP model, IdPs can block and filter the RP request for the user identifier protecting the user. </div><div style> It has been a big issue in Japan, at least, since Mobile browsers of the feature phones actually </div>
<div style> sent the user identifier as hint. </div><div style><br></div><div style>Even if we say "it is just a hint" in the specification, people will not read it and make mistakes. </div><div style>It is the duty of us protocol designers to consider these "human factors" into account and consider the public safety issues. </div>
<div style><br></div><div style>I would probably be ok to send the IdP's address as a hint, as it cannot be mistaken as a user identifier then by the sites. It poses less privacy issues as well, and users has more protection. </div>
<div style><br></div><div style>Best, </div><div style><br></div><div style>Nat</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/18 Melvin Carvalho <span dir="ltr"><<a href="mailto:melvincarvalho@gmail.com" target="_blank">melvincarvalho@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On 18 July 2013 01:06, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi. <div><br></div><div>I am forwarding the mail in the identity commons list. </div>
<div><br></div><div>Apparently, there is an initiative at W3C proposing a new "identity" header, which I believe is actually harmful for the general public. Simple web sites are going to take it as authenticated identity and thus will cause identity theft of their users. </div>
<div><br></div><div>Their proposal is to include </div><div><br></div><div> User: <a href="http://this.is.the/user/identifier" target="_blank">http://this.is.the/user/identifier</a></div><div><br></div><div>in the HTTP header. </div>
<div>
<br></div><div>Could those of you active in W3C reach out to them? </div><div><br></div><div>As I have written below, if it were to just include the IdP address as a hint, I am kind of fine. </div></div></blockquote><div>
<br></div></div><div>Thanks for sharing this. Since this was my proposal, I hope I can shed a bit of light light. <br><br></div><div>Firstly, it's not the W3C, simply a group of people brainstorming in the a W3C hosted forum (aka community groups). The proposal has no official standing, but if there are no objections, the idea is to try and push the idea upstream.<br>
<br>Yes, the idea is that it is just a hint. Note the text:<br></div><div><div class="im"><br>"The client SHOULD NOT send the User header field without
the user's approval, as it might conflict with the user's
privacy interests or their site's security policy. It is
strongly recommended that the user be able to disable,
enable, and modify the value of this field at any time
prior to a request."<br><br></div>We asked the IETF if we could use the "From" header for this, but the feedback is that "From" is restricted to email, and this would be difficult to change. The suggestion was to come up with a new header. Very happy to have feedback, I've followed IIW work for many years.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><br></div><div>Best, </div>
<div><br></div><div>Nat</div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Kaliya "Identity Woman"</b> <span dir="ltr"><<a href="mailto:kaliya-lists@identitywoman.net" target="_blank">kaliya-lists@identitywoman.net</a>></span><br>
Date: 2013/7/18<br>Subject: Re: [community] from W3C….Fwd: Proposal: "User" header field<br>To: Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>><br>Cc: "<a href="mailto:community@lists.idcommons.net" target="_blank">community@lists.idcommons.net</a>" <<a href="mailto:community@lists.idcommons.net" target="_blank">community@lists.idcommons.net</a>><br>
<br><br><div style="word-wrap:break-word">Yes Nat, Thats sort of what I got from reading it. <div><div><br></div><div>Who among us is very active in the W3C world?</div><div><br></div><div>If no one should we be figuring out who should be?</div>
<div><br></div><div>Should we write them a letter asking them to send "identitish" proposals to IIW? or other forums for good input?</div><div><br></div><div>Maybe we should write something that is like understanding identity basics for technical specification folks across a range of standards bodies?</div>
<span><font color="#888888"><div><br></div><div>- Kaliya</div></font></span><div><div><div><br><div><div>On Jul 17, 2013, at 3:32 AM, Nat Sakimura wrote:</div><br><blockquote type="cite"><div dir="auto">
<div>Whoa, what's that?!</div><div><br></div><div>That's not only useless but actually harmful. </div><div><br>
</div><div>I can kind of see some utility in sending the IdP address, but not the user. <br><br>=nat via iPhone</div><div><br>On Jul 16, 2013, at 7:39, "Kaliya \"Identity Woman\"" <<a href="mailto:kaliya-lists@identitywoman.net" target="_blank">kaliya-lists@identitywoman.net</a>> wrote:<br>
<br></div><blockquote type="cite"><div>Hi folks, <div> Apparently the W3C wants to send "user" names along in HTTP headers. </div><div> I thought some folks who know about identity and how it does/could/should work might be up for chiming in over there. </div>
<div> It seems like Authentication of identity might be a good thing rather then just assertion. </div><div> - Kaliya</div><div> <br><div><br><div>Begin forwarded message:</div><br><blockquote type="cite">
<div style="margin:0px"><span style="font-size:medium;font-family:Helvetica"><b>From: </b></span><span style="font-family:Helvetica;font-size:medium">Christine </span></div>
</blockquote><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000099">
As you know, I'm a big proponent of open standards. For this reason
I monitor many groups. You might be interested in the W3C Read Write
Web community group: <a href="http://www.w3.org/community/rww/" target="_blank">http://www.w3.org/community/rww/</a><br>
<br>
I sent you a message a few weeks ago about Tabulator. <br>
<br>
See below messages about User header field. If you are not already a
member, I recommend you join and contribute!<br>
<br>
Christine<br>
<div><br>
<br>
-------- Original Message --------
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Subject:
</th>
<td>Re: Proposal: "User" header field</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Resent-Date:
</th>
<td>Sat, 13 Jul 2013 16:19:02 +0000</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Resent-From:
</th>
<td><a href="mailto:public-rww@w3.org" target="_blank">public-rww@w3.org</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Date: </th>
<td>Sat, 13 Jul 2013 12:08:37 -0400</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">From: </th>
<td>Joe <a href="mailto:presbrey@gmail.com" target="_blank"><presbrey@gmail.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">To: </th>
<td>Melvin Carvalho <a href="mailto:melvincarvalho@gmail.com" target="_blank"><melvincarvalho@gmail.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">CC: </th>
<td>public-rww <a href="mailto:public-rww@w3.org" target="_blank"><public-rww@w3.org></a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div>Great job Melvin!</div>
<div><br>
</div>
<div>Data.fm sends the User header already :)</div>
<div><br>
</div>
<div><br>
<br>
</div>
<div><br>
On Jul 13, 2013, at 10:55 AM, Melvin Carvalho <<a href="mailto:melvincarvalho@gmail.com" target="_blank">melvincarvalho@gmail.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div dir="ltr">I would be nice to be able to identify a user
in HTTP, especially with read/write protocols and access
control, it can be important to know who is trying to change
something.<br>
<div><br>
There has been some discussion on whether the "From"
header can be used to identify a user in HTTP, and my from
most people is that this would be a good candidate to send
a user, but for historical reasons it's limited to email,
and changing this would perhaps get some pushback from the
IETF.<br>
<br>
The suggestion has been to choose another header, so I
thought that "User" might be a good candidate, since we
have User Agent arleady.<br>
<br>
</div>
<div>Here's the proposed text:<br>
<br>
[[<br>
<h3><a>User<br>
</a></h3><p> The User request-header field, if given, SHOULD
contain an identifier for the human user who controls
the requesting user agent. The address SHOULD be
machine-usable, as defined by the "URI General Syntax"
RFC 3986<br>
</p>
<pre> User = "User" ":" URI
</pre><p> An example is:
</p>
<pre> User: <a href="http://www.w3.org/People/Berners-Lee/card#i" target="_blank">http://www.w3.org/People/Berners-Lee/card#i</a>
</pre><p> This header field MAY be used for logging purposes and
as a means for identifying the source of invalid or
unwanted requests. It SHOULD NOT be used as an insecure
form of access protection. The interpretation of this
field is that the request is being performed on behalf
of the person given, who accepts responsibility for the
method performed. In particular, robot agents SHOULD
include this header so that the person responsible for
running the robot can be contacted if problems occur on
the receiving end.
</p><div> <br></div>
The client SHOULD NOT send the User header field without
the user's approval, as it might conflict with the user's
privacy interests or their site's security policy. It is
strongly recommended that the user be able to disable,
enable, and modify the value of this field at any time
prior to a request. <br>
<br>
]]<br>
<br>
</div>
<div>Feedback welcome!<br>
</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br>
</div>
</blockquote></div><br>
<br></div></div></blockquote><blockquote type="cite"><div><span>____________________________________________________________</span><br><span>You received this message as a subscriber on the list:</span><br><span> <a href="mailto:community@lists.idcommons.net" target="_blank">community@lists.idcommons.net</a></span><br>
<span>To be removed from the list, send any message to:</span><br><span> <a href="mailto:community-unsubscribe@lists.idcommons.net" target="_blank">community-unsubscribe@lists.idcommons.net</a></span><br><span></span><br>
<span>For all list information and functions, see:</span><br>
<span> <a href="http://lists.idcommons.net/lists/info/community" target="_blank">http://lists.idcommons.net/lists/info/community</a></span><span><font color="#888888"><br></font></span></div></blockquote></div>
<span><font color="#888888">
</font></span></blockquote></div><span><font color="#888888"><br></font></span></div></div></div></div></div></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</font></span></div>
<br></div></div>_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>