[foaf-protocols] TellMeShowMeAuth

Dan Brickley danbri at danbri.org
Wed Nov 16 11:38:44 CET 2011


On 16 November 2011 11:02, Melvin Carvalho <melvincarvalho at gmail.com> wrote:
> Interesting project
>
> https://github.com/bnoguchi/everyauth

Nice! It would be good to have WebID in there too.

Reminds me of something I'm yet to write up, and maybe hard to explain.
So here's a first pass.

I'd like to see some work towards explaining the commonalities of all
these to end-users. I was thinking maybe with some slogan like
"tell me, show me".

For example, (and an exercise in gigantic scope creep...),

"Tell-me, Show-me is how Web sites check who you are, before letting
you do things. It can work in lots of different ways, but the
underlying principle is simple: first you have to tell them who you
are, then you have to show them that it's really you.

Sometimes you'll tell them who you are explicitly, for example by
telling them one of your email addresses, or a Web site URL that you
control. Other times you can save some typing, since you are often
already logged into other sites, so you can say "I'm the person
currently logged into Yahoo or Facebook or Twitter or whatever, talk
to my computer for the details!". So there is a natural tradeoff here:
when you're on a nice private machine you control, like your personal
laptop, you might stay logged in all the time.. So you can show who
you are with a single click, not lots of typing. Otherwise you'll
probably have to do a bit more typing (and remembering boring
information). In both cases, this is the "tell me" part: you're
expressing who you're claiming to be. It needn't be a real person; you
might want to say you're the twitter user "Father_Christmas". That's
fine, but you still have to prove it.

The next part is the "Show me" bit. Web sites are open to the entire
planet, ... and this makes them naturally suspicious. They'll want to
check that you're who you say you are. Now how they do this will vary
from case to case. A bank Web site might ask you to tell it who you
are in terms of long numbers and maybe a bit of info from your bank
card; then it might ask you to show that you're really you, by
answering some question using a physical machine you put your bank
card into. Other sites might just ask for a password. Or they might
bounce you to a linked account you have, and you'll enter passwords
there (or your browser/computer will automatically login for you).
Some sites don't care who you are, just that you're human and not a
piece of software run by spammers. So those sites will often give you
some horrible messy code to read, since people are still better at
reading bad handwriting than machines.

When you're signing up for a new site, you'll still see this
tell-me-show-me pattern too. You'll be asked what your email address
is. And then you'll be asked to prove it. Typically this involves a
site sending a special message to your mailbox, that only you could
see. By replying to it, or clicking on it, you're showing that "you're
you". Of course none of these techniques are foolproof. Bad guys could
get access to your email, or watch you type a password in a cybercafe.
Or steal your laptop or your bank pass or blackmail you or many other
awful things. But still these principles underlie much of the way the
Web deals with personalisation and secrecy and control: always this
pairing. Saying stuff; showing stuff.

Say who you are; then give some evidence in support of that. Webmaster
tools for search engines also do this. You can often "claim" a site by
publishing some special page or code in the content, to prove that
you're in control of the site. The OpenID system that lets you log in
with a Web page URL is similar; you say who you are with a simple
link to a page you control; and then you show who you are, by
demonstrating control of the account related to that page.

The 'tell me, show me' pattern is nothing new. "Halt, who goes
there?", "What's the password?" is almost timeless. Once you start
thinking of Web authentication in these terms, it can help make sense
of different technical options, and it can help you act more safely
online. Whenever there is information that would let someone else
pretend to be you, guard it closely. This could be as simple as your
Twitter or email password, since once they have that, others can use
these to show as evidence they're you on other sites.

This style of thinking should also help you be more skeptical with
social Web sites. When someone adds you on e.g. Facebook, how do you
know they're the real-world person you think they are? Sure, the photo
might be right, and they might be listed as having similar friends.
But anyone can create a fake email address and trick others into
adding them. So think when someone tells you "I'm your friend Bob" (or
whoever) online, "that's nice ... but can you show it too...?". This
can be fun rather than stressful: having a quick video chat with
someone (on Skype, G+ Hangouts, whatever...) is a great way to check
that they're who they say they are. And many social sites are now
creating ways for you to keep handy lists (or groups, or circles) of
friends. So you might keep a list of friends who've passed a quick
video chat test, for example. Just as Web sites are thinking "tell me,
... then show me!" when you sign up, ...you should be thinking
similarly when people ask for access to your spaces in online sites.

While at first passwords don't seem to have much in common with video
chats, they are both ways of checking up on online claims. Any system
that allows 7 billion people to connect with each other needs some
controls and checks, and in the Web there are lots of ways to do this.
But at the end of the day it comes down to keeping a skeptical
attitude, and always asking for evidence. You do this, Web sites do
this, and those who don't, expose themselves to unnecessary risk. Once
you start thinking in this way it goes beyond logging into sites;
you'll find it can change how you think about the news you read, or
the things politicians tell you, too...



......

...can WebID be explained in these terms? Does it seem worth trying?

</end_braindump>

Dan
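The sign-up case described above (the site mails "a special message to your mailbox, that only you could see", and clicking it is the "show me") can be written down as a small piece of server-side logic. The following is an added example, not code from the original post or from any project mentioned in it; the class name, the in-memory store and the sample addresses are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not from the original post. It models the sign-up
# "tell me, show me" step: the visitor tells the site an e-mail address,
# the site mails a single-use token that only the mailbox owner can read,
# and presenting that token back is the "show me".


class TellMeShowMe:
    """Issue and verify single-use, time-limited e-mail verification tokens."""

    def __init__(self, ttl_seconds: int = 15 * 60) -> None:
        self.ttl = ttl_seconds
        # Constructed in-memory store for the example; a real site would use
        # a database. Keyed by the SHA-256 of the token rather than the token
        # itself, so a leaked store does not hand out usable "show me" links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def tell(self, claimed_email: str, now: Optional[float] = None) -> str:
        """'Tell me': record the claim and return the token for the e-mail link.

        The claim is unverified at this point; nothing about the account
        should change until show() succeeds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._pending[self._digest(token)] = (claimed_email, now + self.ttl)
        return token

    def show(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """'Show me': return the verified address if the token is valid, else None.

        The token is removed on first presentation whether or not it is still
        within its lifetime, so a replayed or forwarded link cannot succeed
        a second time, and an expired one cannot be "retried" later."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, or already used
        email, expires_at = entry
        if now > expires_at:
            return None  # too old: the visitor has to "tell" again
        return email

    def prune(self, now: Optional[float] = None) -> int:
        """Drop expired claims that were never shown; returns how many were dropped."""
        now = time.time() if now is None else now
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)


if __name__ == "__main__":
    auth = TellMeShowMe(ttl_seconds=60)
    # "Tell me": constructed sample address.
    link_token = auth.tell("alice@example.org", now=1000.0)
    print("mail to alice@example.org: https://site.example/verify?t=" + link_token)
    # "Show me": the link is clicked ten seconds later, then replayed.
    print(auth.show(link_token, now=1010.0))  # alice@example.org
    print(auth.show(link_token, now=1011.0))  # None (single use)
```

Two points a practitioner would check here: the token is generated with `secrets`, not the ordinary random module, because the whole "show me" rests on nobody but the mailbox owner being able to produce it; and the store holds only a hash of the token, so the database itself is not a second place from which the proof can be taken.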
