I blogged (with appropriate tone) about a few hours with coding tools at http://tinyurl.com/7fuwuqm. Being a blog post, it rambles a bit. But, it does show you how to copy the steps, and repeat them. Id be interesting in some Windows programmer repating the steps, and then taking it a bit further. Where might it go?! In short, I put browserid, delivered entirely by mozilla services, into a chain of security token translation services. This technique is how we, in one part of US realty, keep our web apps insultated from token formats and websso silos. They all have to gateway to Microsoft Azure ACS gateway service, using custom translators we build as required. Assuming this takes off, and the model shown in the post is acceptable to this community, I dont see why this cannot join the openi
d connections we have to Google, Yahoo, and webid world... Its a very loosley coupled integration architecture, intended to keep silo culture and blog/cipher religions at bay - without preve
nting users picking their favorites.
> From: home_pw-***@public.gmane.org
> To: ben-i1dhdUG7r+***@public.gmane.org; dev-identity-CzyLcWPZiU5YsZ3hbOqMTti2O/***@public.gmane.org
> Subject: RE: Announcing Mozilla Persona
> Date: Fri, 24 Feb 2012 11:48:27 -0800
>
>
> I have half a day today, having finished a joomla SSO plugin (using last decade's techniques, contrasting with signed JSON).
>
>
>
> Let me give browserid a go, in that code tree - as an RP.

we know that well known identifier schemes struggle to hit the mark, since they become control points. And every vendor on the planet (and every good-faith government behind them) wants to have last-mile control (keeping the big bucks derived from the direct relationship to a real Person; everyone else in the web being reduced to a factor-role, at diminishing value as a function of distance from and control over the real Person.)



About the only useful thing I learned from my time on the webid project (and FOAF+SSL project before that) was how the web is supposed to work - when there is an absence of control[ling] points (and a release from the economic valuation model). Of course, its a bit academic (since academics/researchers dont have to worry about earning a dollar a service ...from customers.. to pay the bills).



http://linkeddata.uriburner.com/about/html/http/browserid.org/acct/home_pw-***@public.gmane.org is a real resource, about an unknown entity. It even offers translation services - that probably (and hopefully) do little or nothing. But, it does have a web presence. It is a discovery point, that can now be cited. I could now state in my blogspot profile (a vcard entity) that said profile is equivalent (in some sense) to that identified but unknown entity ... and nonsense starts to become value-adding. Of course, anyone can do that.



This is where I see webid and linked data and browserid coming together, with the former elements "adding" some value to the tokens that have been minted, wholly optionally. Of course, not everyone will do it and will certainly not do using the same providers (thats a requirement, so the control/mistrust cycle does not render itself present).



Perhaps some of us remember me (who struggles with advanced ideas) learning how to do http://linkeddata.uriburner.com/about/html/http/rapstr1.blob.core.windows.net/ods/user.ttl%01me. But, mroe than that, we also see something closer to making a page about a token - since it already has a page about a token (albeit an X.509 cert as token).



http://linkeddata.uriburner.com/about/html/data/application/x-x509-user-cert;base64,MIIFHDCCBIWgAwIBAgIKJQnepAAAAAAAIzANBgkqhkiG9w0BAQUFADA2MRMwEQYKCZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCcHcxCzAJBgNVBAMTAmNhMB4XDTExMTIyMjE2MzExOFoXDTEyMTIyMTE2MzExOFowADCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuUaSFIlprrGI1U63W4sUeCvbbLQrwyTo6fLhJo1lSoDEoDA3gGftFzCLTkmCsP4PMiU9OAcPWFWgIeJxrVwRUai8BJV31/2C8THm3pxUHUjB3Z1A1MT7E0G1htJveiQuN72oCo4F5r8Q9kT5E7WGJjvqI8n/ijXxfBZd+gNSayUCAwEAAaOCA2UwggNhMDsGCSsGAQQBgjcVBwQuMCwGJCsGAQQBgjcVCP/GWIaLOIWJjSmGuNUphNz9WECH1OFghaezIAIBZwIBBzBfBgNVHSUBAf8EVTBTBgorBgEEAYI3FAICBiUrBgEEAYI3FQj/xliGiziFiY0phrjVKYTc/VhAhO/0JYeF0FYBBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMBYGA1Ud%20IAEB/wQMMAowCAYGBACORgEBMG8GCSsGAQQBgjcVCgEB/wRfMF0wDAYKKwYBBAGCNxQCAjAnB
iUrBgEEAYI3FQj/xliGiziFiY0phrjVKYTc/VhAhO/0JYeF0FYBMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMEMAwGCisGAQQBgjcKAwQwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb
3DQMHMB0GA1UdDgQWBBSdMcIM7BdnzGrx8SSpp9jLU9aFqTCCAWsGA1UdEQEB/wSCAV8wggFbhjhodHRwczovL3JhcHN0cjEuYmxvYi5jb3JlLndpbmRvd3MubmV0L29kcy95b3JrcG9yYy5odG0vI4Y3aHR0cHM6Ly9yYXBzdHIxLmJsb2IuY29yZS53aW5kb3dzLm5ldC9vZHMveW9ya3BvcmMuaHRtI4Y6aHR0cHM6Ly9yYXBzdHIxLmJsb2IuY29yZS53aW5kb3dzLm5ldC9vZHMveW9ya3BvcmMuaHRtLyNtZYY5aHR0cHM6Ly9yYXBzdHIxLmJsb2IuY29yZS53aW5kb3dzLm5ldC9vZHMveW9ya3BvcmMuaHRtI21lhjZodHRwczovL3JhcHN0cjEuYmxvYi5jb3JlLndpbmRvd3MubmV0L29kcy95b3JrcG9yYy5odG2GN2h0dHBzOi8vcmFwc3RyMS5ibG9iLmNvcmUud2luZG93cy5uZXQvb2RzL3lvcmtwb3JjLmh0bS8wHwYDVR0jBBgwFoAUGRUg5dtzBstKNWkCKJwEytiYGZswMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NhLnB3LmNvbS9DZXJ0%20RW5yb2xsL2NhLmNybDANBgkqhkiG9w0BAQUFAAOBgQBHa5SD8Q9jtPKP5R6jUijPAY3BSsMkt7bGkNW+iZklehEBsl+zV7MGMPOsWDknUA3QI6ayoDCD1Wbw2/ibVYfZgZskrJnFNSLzsy5s/OSjmN2CaKhIlTMWVAZ
c3UMK6m1hkCACWEbucU5Fp+tbjaJiE34mDNVWaYyh+6Rk+dICpw== is apparently a "thing" entity, vs the wholly "unknown" entity assigned to my browserid token. And, services can already be delivered ab
out it (not that the the particular linked data site has the slightest relationship to the CA that issued that blob).



Perhaps the test of browserid as a "web technology" is: does it WANT to cooperate with such value adding parties? (using these technologies or others)? Does it EXPECT such parties to add such value (without much coordination)? Does it OBJECT to their existance? do they "dilute the BrowserID brand" (and BrowserID starts issing cease and desist notices to parties "adding value" to its tokens, to keep up its "trustworthiness", as a public brand)? Are such folks like to occup the last mile (access to the protected resources), and does that inherently diminish the value of BrowserID? Is the issue that everyone fears being "dis-intermediated"?





I think its fine for the term "BrowserID" to be a free range hen, whereas Persona is a factory farmed hen - where the free range is more expensive and the factory farmed variant is not only cheaper but its "more controlled" - in a brand protection sense - to preserve a minimal assuranace level. this is just like in the certs world, where anyone can be a CA issuing X.509 certs, but only a network of CAs tied to a given assurance framework (the VeriSign CPS) could claim to be delivering "DigitalIDs" (a trademarked line in the sand, optionally bought into).



So long as BrowserID has a huge free range version, I think "Persona" is fine (and good step in assurance delivery). If such a Persona were to become hijacked and start to market itself as the now-baseline for the public space, than I have no doubt it will feel the full fury of the public backlash. I wonder of mozilla has any institutional history of when the Netscape firm in its browser did NOT allow one to load one's own cert roots (and the backlash that erupted over that!)



I get the impression Mozilla folks, whose culture Im meeting for the first time in 15 years of web work, have their heads set right. They (unlike PayPal, say, over the wikileaks case) do grasp what not to do, in identity management for the public trust.