[Freedombox-discuss] Identity Management wiki entry

John Walsh fiftyfour at waldevin.com
Tue Aug 23 13:05:40 UTC 2011


Hi Bert,

Sorry I have taken so long to respond, but I found another identity/user
model at idcommons.org which aligns more with my mental model of identity.
Identity seems to be such an ambiguous term and one that we need to properly
define. Idcommons refers to our identity term as personae. The idcommons
model would also capture the fact that the owner and a local user are the
same identity. This distinction is only important to FBX users because most
people run their PC using an administrator account and, like my friend, only
discover this fact when their 6-year-old changes the PC password and they
can no longer get into their PC :(

Still, I think we could stick to the existing model if a "Local" and "Owner"
account exist on each new FBX. Is it possible to have the owner
(administrative) account restricted to configuration activities only, i.e.
if the user wants to send an email they can only send it from a local
account rather than an owner account?

> > So, do you agree there would be a separate identity for
> > each language that a multi-lingual person uses?
> 
> I guess it is up to the user to use it this way. One could
> separate based on this criteria for sure. Another might not
> mind having multilingual communications using a single identity.
I was thinking of the user's audience: the UX would be so much better,
especially for people who only know one language (planets are restricted to
English). The user would still have a multi-lingual activity stream (inbox),
although there could be a "view" for each language. I don't really see any
difference between streaming audiences' conversations based on relationship
or on language. Of course, there could be an option to amalgamate the
languages into one stream, but shouldn't identity per language be the
default, as it offers the best UX? What do you think now?

> 
> Depending on their situation, it might be wise for some 
> activists not to host their FBX at home, which can be the 
> first place where people would search for their data. So they can 
> either host their freedombox somewhere else, or use someone else's FBX.
> 
> One FBX could do this with two domains, for sure. But it has 
> to be considered that it will be public that these two domains 
> are sharing the same IP/internet access.
Thanks for confirming two domains per FBX is possible and advising me of the
risk that the domains can be linked through the same IP address. Could we
not make the activist identity anonymous like the GlobaLeaks platform?

"Basically it (GlobaLeaks) is a web application, running as a Tor Hidden
Service (https://www.torproject.org/docs/hidden-services.html.en). The fact
that it runs as a Hidden Service protects the location of the server running
the software. It also adds a layer of end-to-end encryption and
authentication so any client connecting does not need to rely on legacy
technology such as SSL/TLS authentication.

Any person running a GlobaLeaks node is called the node maintainer. By
running the node as a Hidden Service he also is not required to register any
domain names or static IP address because data is being transmitted over the
Tor network; because this is a hidden service, there is no concern about
Exit Node sniffing - the entire connection is encrypted, authenticated and
anonymized. The node maintainer has their identity protected and they do
not need to expose themselves to possible retaliation.

Usually hidden services are only accessible from the Tor network, but what
we have developed (based on Aaron Swartz's Tor2web) is tor2web 2.0 that
allows people coming from the normal web to visit hidden services. This
means that a hidden service can reach a much wider audience."
> 
> > > > *	
> > > > Identit{y,ies}: refers to a virtual (or service) identity. 
> > > > 
> > > > Identities should be able to use several services, not
> > > always hosted
> > > > on the same  <http://wiki.debian.org/FreedomBox> 
> FreedomBox. Thus 
> > > > there should be a way to publish this information, either
> > > publicly or privately.
> > Do the different FBXs have the same owner? How does having two FBXs
> > help with publishing either publicly or privately?
> 
> The two FBX could or could not have the same owners :). One 
> could consider hosting a FBX at home for not really dangerous 
> data, and another somewhere else, for example.
>
If we could make the activist identity anonymous with a solution similar to
GlobaLeaks, then the only time you would need to use a friend's FBX would be
when you are in mesh-computing mode (internet down). Under these conditions
of duress, you would want to publish anonymously from your friend's
(preferably in a different country) FBX.

Although it might be technically possible to have services running on
different FBXs, I don't think it's a realistic scenario. I think most
people would publish from their own FBX to protect their privacy and only
under duress would they think of using their friend's FBX/bandwidth for
publication. What do you think?

> > > I prefer the "Identity" term over the "Username" one, because the 
> > > latter is a bit confusing. It is most often used to refer to account 
> > > username, or login, which is only one small part of the picture this 
> > > page is trying to draw. Its reference in the glossary is certainly 
> > > confusing, badly worded, and probably should be more clearly 
> > > explained. Actually the definition on the W3 webpage Melvin pointed 
> > > at in his answer to your mail has an interesting definition for it.
> > I like Melvin's definition too. Identity is the correct term. Username 
> > is wrong.
> 
> So we should probably update the definition on the wiki.
Identity: Each User may have one or many identities. A User can delete any
compromised identity.
Profile: Each Identity may have one or many profiles. Each profile may
provide one, some or all the services of an identity.
What do you think? 

> 
> > Bert, I was trying to document all the different roles people would 
> > have on the FBX, while at the same time using labels people would 
> > understand from existing experiences. I was concerned you weren't 
> > documenting all the roles, but I realise now you were deliberately 
> > narrowing your scope to identities.
> > 
> > *Going Forward*
> > In a thread the other day I learnt that the network protocols have 
> > separate layers. I was thinking we could have a *user/people model* 
> > (what do you think of the name?) that would have separate levels such 
> > as User, Identity, Privacy, Directory, Application. Each level 
> > builds/references the previous level.
> > 
> > At the User level you would describe the different "login" accounts 
> > such as "owner", "local", "guest", "group member", "subscriber" to the FBX.
> 
> What are "subscriber" and "group member" referring to? Having 
> an optional guest login might be an interesting feature.
I think the guest login is essential to FBX users who do not want to "share"
their data with social networks or with friends who are not on a social
network. The guest account allows you to invite, via email, both types of
friends to access your content using their email and a randomly generated
password to log in.

A group member is a member of a forum (like Google/Yahoo Groups) hosted on
your FBX. A subscriber is a "follower" of your public microblog. I just want
to document all the possible "players" of an FBX, even if that means they
are only placeholders for FBX 1.0. As placeholders they still have value,
ensuring the future flexibility of the FBX.

> 
> > At the Identity level, for each "local" user the FBX could 
> > automatically generate a different identity for each (different) 
> > language, etc. At the identity level you would also need to cater for 
> > the "personal" and "activist" personas which will overlap with 
> > languages. Identities need to be linked to domains/FBXs too. Username 
> > would be an attribute of an identity. Lots to discuss in this space.
> 
> Yep. I'm not sure identities should be created automatically 
> though; it should rather be up to the user to create them, and 
> after that attach service accounts to it.
There was a time I agreed with that opinion, but nowadays I think we should
make those decisions in the interest of FBX users. Sometimes too much
choice/flexibility is a bad thing. Facebook automatically sets up users' core
services and the default privacy policies for a better UX. People don't care
what their messaging/wall/photo/video account numbers are as long as they
are connected to their friends. The same is true for telephone numbers, bank
numbers, tax numbers. People care about number portability, but they don't
care about the actual number.

IMHO, the FBX should automatically generate the accounts for each service,
while offering the user, through "settings", an option to change the
"display name" of the account, which would initially be the account number.
This would make setting up services so much easier for developers and users.
This is what Facebook does, so the FBX would have to at least do the same ;(

> 
> > At the Privacy level you would have to manage the release of personal 
> > identifiable/personal information through relationships (sibling, 
> > sweetheart etc.) and user actions (like) as indicated in Melvin's document.
> > There would be different profiles for each identity/language.
> >
> > At the Directory level you would have contacts and circles views 
> > depending on chosen identity. The identity directory view would 
> > interact with all applications e.g. email, calendar, social network 
> > app etc. The directory level could also interact with the "social 
> > applications" described in Melvin's document
> 
> This interaction could be very hard to implement, it might 
> mean modifying the chosen applications to be able to 
> understand the system that would be chosen to manage 
> users/identities in the freedombox.
> At this level I was only thinking of something really basic, 
> which would only be verifying others' identities ownership, 
> managing a trustdb. This would be done using GnuPG and, with 
> the help of monkeysphere, could help in securing the 
> communications at the application level. This is in my 
> opinion the "easiest" way to go.
Is it possible to automatically generate these services/accounts using
existing "service wizards"? Could these wizards be run under the hood based
on the user's criteria (preferred languages, personal/activist domain)?

I am sorry if my idea of using existing service wizards is too simplistic,
but IMHO I think the FBX needs to generate these settings/services to
protect people's privacy ;(
> 
> > At the Application level, you only define the FBX applications that 
> > introduce new people models or you define what people 
> models each app uses.
> 
> If by "Application level" you mean the services 
> (microblogging, email, social network applications) I was 
> referring to earlier in this mail, then as I said previously 
> in this level more interaction would happen. In fact a part 
> of the actions you put in the "Directory level" would happen 
> there (the most social network part of it), because otherwise 
> it seems we'd put a lot of energy to do in the Directory 
> level what the Application level is already able to do, and 
> what it is meant for.
For each identity, I would just like to see each application use the same
contacts/circles directory. On my desktop, I have to populate my Outlook
with contacts, my Yate with contacts, my Skype with contacts. Please stop
this insanity! Each time you add an app to Facebook, the app uses your
existing directory - you don't have to create a new directory.

I don't really know the implementation details of how all applications would
manage a "central directory". However, I think it's important to tell a user
there is a directory level for their email, VOIP and social network,
although I probably need to leave a note on the wiki that this is not
necessarily the implementation method. Do you think the FBX will have a
"central people's directory" for all applications like Facebook?

> 
> It is ambitious for sure. I only begin to understand what you 
> are thinking about. You should maybe start to write down all 
> that and organize it on the wiki, so that we can start to 
> draft and note things there.
I really didn't think the implementation would be that ambitious using
automatically generated settings ;)

> Probably the data here would reside on the FBX where the 
> service is running in the scenario we are discussing. There 
> might exist ways to put them all in one place though. Maybe 
> this Locker application I pointed out in a mail some days ago 
> might help to achieve this.
I like the portability of the locker although the details about the
identity/privacy management is quite vague, e.g. will your data be leaked to
Facebook?

If we resolve these remaining issues then I'll jump in to update the wiki
and then we can start all over again ;)

Bert, I look forward to your response and I welcome any and all feedback
from people reading this list. It's a conversation for everybody!!

-- fiftyfour
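As an added illustration (not code from this thread or from the FreedomBox project), the following Python sketch models the User/Identity/Profile layering proposed in the message above: an "owner" login confined to configuration, "local" logins that own identities, identities created per language or persona with a randomly generated and therefore unlinkable account number on each service (display name defaulting to the number), one contacts directory shared by every application of an identity, guest invitations with a random password, and deletion of a compromised identity together with all of its service accounts. The role names, the service list and every method name are assumptions made for the sketch.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "User level" login roles (assumed names). Only "owner" is administrative,
# and it is confined to configuration: it cannot own identities or use services.
ROLES = ("owner", "local", "guest")

# Assumed, illustrative set of services each identity gets an account on.
SERVICES = ("email", "microblog", "voip")


@dataclass
class ServiceAccount:
    service: str
    account_number: str        # random, so accounts of different identities are unlinkable
    display_name: str = ""     # user-editable in "settings"; defaults to the number

    def __post_init__(self) -> None:
        if not self.display_name:
            self.display_name = self.account_number


@dataclass
class Identity:
    name: str
    language: str
    persona: str                                               # "personal" or "activist"
    accounts: Dict[str, ServiceAccount] = field(default_factory=dict)
    contacts: List[str] = field(default_factory=list)          # single directory for all apps


@dataclass
class LoginAccount:
    username: str
    role: str
    identities: Dict[str, Identity] = field(default_factory=dict)


class FreedomBox:
    """Toy FBX holding login accounts and the identities attached to them."""

    def __init__(self) -> None:
        self.users: Dict[str, LoginAccount] = {}

    def add_user(self, username: str, role: str) -> LoginAccount:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = LoginAccount(username, role)
        return self.users[username]

    def invite_guest(self, email: str) -> Tuple[str, str]:
        """Guest login keyed by the invitee's e-mail, with a random password."""
        password = secrets.token_urlsafe(12)
        self.add_user(email, "guest")
        return email, password

    def _local_user(self, username: str) -> LoginAccount:
        # Least privilege: only "local" accounts may own identities and use services,
        # so an owner (admin) login can never send mail or post.
        user = self.users[username]
        if user.role != "local":
            raise PermissionError(f"{user.role!r} account may not use services")
        return user

    def create_identity(self, username: str, name: str, language: str,
                        persona: str = "personal") -> Identity:
        """Create an identity and auto-generate one account per service."""
        user = self._local_user(username)
        ident = Identity(name, language, persona)
        for svc in SERVICES:
            ident.accounts[svc] = ServiceAccount(svc, secrets.token_hex(8))
        user.identities[name] = ident
        return ident

    def add_contact(self, username: str, identity: str, contact: str) -> None:
        self._local_user(username).identities[identity].contacts.append(contact)

    def contacts_for(self, username: str, identity: str, app: str) -> List[str]:
        """Every app (email, VOIP, microblog) reads the identity's one directory."""
        if app not in SERVICES:
            raise ValueError(f"unknown app {app!r}")
        return list(self._local_user(username).identities[identity].contacts)

    def send_email(self, username: str, identity: str, to: str) -> dict:
        acct = self._local_user(username).identities[identity].accounts["email"]
        return {"from": acct.display_name, "from_id": acct.account_number, "to": to}

    def revoke_identity(self, username: str, identity: str) -> List[str]:
        """Delete a compromised identity; returns the service account numbers dropped."""
        ident = self._local_user(username).identities.pop(identity)
        return sorted(a.account_number for a in ident.accounts.values())
```

The point of the random account numbers is that nothing in "john-en" can be tied to "john-fr" by looking at the account identifiers alone; as Bert notes above, two identities hosted on one FBX can still be linked by the shared IP address, which this model does nothing about.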