W3C home > Mailing lists > Public > public-rww@w3.org > June 2012

Re: delegated authentication

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Thu, 21 Jun 2012 12:42:25 -0400
Message-ID: <4FE34EF1.8000007@openlinksw.com>
To: public-rww@w3.org
On 6/21/12 9:52 AM, Henry Story wrote:
> On 21 Jun 2012, at 15:27, Kingsley Idehen wrote:
>
>> On 6/21/12 5:47 AM, Henry Story wrote:
>>>    Andrei Sambra asked a question on dig [1] just now, on how one could do delegated authentication with
>>> WebID. This crosses the lines of webid, authorisation and ACLs, so I am sending it to the rww group
>>> and the webid community groups.
>> You mean: how http://my-profile.eu (and others) delegate WebID verification to 3rd party services? If that's the question then Andrei and look at:
> Not quite. The problem is more about a server doing something on my behalf. We assume the server can authenticate correctly with WebID: it has its own public/private keys.
>
> So if my FreedomBox were to have only me as a user, and my FreedomBox wanted to fetch stuff for me and AS me, it could simply create a public key for me and add it to my profile, and everything would be fine there. One could think of the freedom box as an extension of me in David Chalmer's sense [1]. The FreedomBox could connect to a service and that service would not know the difference to my connecting from my browser. I don't see much of an issue here.
>
>   If on the other hand we had a university social network, and it wanted to do some things for me, then how would we get it to do that without having to pretend to be me - which it could physically do as I explained as scenarios 1 and 2 in the original e-mail. For this we can use the proposed solution of a cert:secretary relation ( or an auth:secretary ) added in my profile pointing from me to the university server robot secretary (or perhaps an external robot secretary service), and that secretary robot could identify as itself but act for me (by adding something to the header to make that clear).

Okay, we have a software agent associated with entity: you. Said agent 
has been authorized by you to perform specific tasks on your behalf, and 
we want to express all of this in an graph. Basically, we need an Agent 
Authorization graph to drive this.
>
>    The nice thing about this is that it is just a question of access control.

delegation of authority + access control .

>   We would need the auth:secretary relation to be widely used and understood, so that it could be added to access control rules.
>
> One point I forgot to mention: if the robot secretary named <http://robosecretary.com/eu/d2#rq> logs in with that WebID to server S with a request containing the
>
>      Acting-on-behalf-of: <http://my-profile.eu/joe#me>
>
> header then S needs to also dereference <http://my-profile.eu/joe> in order to check that it contains the
> statement
>
>     <http://my-profile.eu/joe#me> auth:secretary <http://robosecretary.com/eu/d2#rq> .

Yep!

>
> If it does then S knows that it can trust - to a certain extent - the robot with information destined to Joe.

Okay, we are now in the Web 4.0 zone re. smart agents driven by Linked 
Data :-)

Kingsley
>
>      Henry
>
>
> [1] http://consc.net/papers/extended.html
>
>
>> 1. http://id.myopenlink.net/ods/webid_verify.vsp -- WebID verification service
>> 2. http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP -- usage guide (a bit verbose) .
>>
>> -- 
>>
>> Regards,
>>
>> Kingsley Idehen	
>> Founder & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: @kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>
>>
>>
>>
>>
> Social Web Architect
> http://bblfish.net/
>
>
>


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen







Received on Thursday, 21 June 2012 16:42:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:39:58 UTC