Back in December I briefly mentioned an upcoming W3C workshop, whose official name is (deep breath) Toward a More Secure Web – W3C Workshop on Usability and Transparency of Web Authentication. I’ll be heading out tomorrow to go to the workshop, and I very much look forward to meeting and talking with other attendees. The program looks really strong.
I’m not presenting, but here’s my position paper. (There’s a sort of Easter egg in there…and no, I don’t mean the appearance of the word “promiscuous”!)
And lo, Caesar decreed that the whole world be blogged. And everyone started one; well, everyone Phill knows anyway, which is quite a few people when you get down to it. Only most of them managed to keep up with it rather longer than he has in the past, although, to be fair, he was writing a book at the time.
“Ensure that creating a new user account is a signal event rather than a daily one.” Did you mean “single”? If not, does “signal event” mean something special in this context, or is it a figure of speech for “exceptional event”?
Is anyone looking at bot identity? I work on the Ultraseek search engine, and in order to index something, we need to access it. What kind of person is a search spider? The web authentication architecture needs to allow for search or it just won’t work.
Hello Walter– I did mean “signal”, in its adjectival sense of “distinguished from the ordinary” (here’s one online definition for it). If you’re forced to create a new identity every day — as I seem to be doing lately! — it seems hard to believe that there’s anything user-centric about it, no matter how good the tools for managing them all may become.
I should mention that some of my colleagues who reviewed my paper didn’t agree with me on this point, but I thought it was worth exploring. I certainly don’t believe we all should be forced down to a single identity, since that’s just another way of saying centralization. But as consumers of web services, we’ve become used to assigning these things low value because they’re littering the floor…even though my credit card information is redundantly (and promiscuously) stored in quite a few of them.
Using the chunking principle, we could probably keep 5 to 9 sources of our own identity information straight in our heads. And I doubt more than a few people have more than that many personae (um, used here in the English sense, to avoid fistfights).
To your point about bot identity: Given that access-controlled web resources are also often personalized for each identity to whom/which they’ve granted access, what would it mean for a generic bot to index a resource that’s normally extremely customized? (E.g., my bank statement.) Or do you mean that a human should be able to have a bot to which they can delegate access-for-indexing on their behalf? Or something else?