
Re: AccessControl : update + inference

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 13 Nov 2012 10:33:23 +0100
Cc: public-rww@w3.org
Message-Id: <6232AE2C-3CF4-40E2-8C70-E53CE862CE5D@bblfish.net>
To: Michiel de Jong <michiel@unhosted.org>
Hi Michiel. The LDP page is very very fresh. I just added a whole bunch
of use cases that are technologically agnostic, and more information on 
a number of authentication protocols I know about:

 http://www.w3.org/2012/ldp/wiki/AccessControl


On 13 Nov 2012, at 02:18, Michiel de Jong <michiel@unhosted.org> wrote:

> i feel the LDP page misses the point. it describes ways in which you
> can use, say, an Oracle database, to describe if certain credentials
> which the client sent are sufficient for a certain action or not. What
> they don't describe is how the client can actually send these
> credentials, and how the server can check their validity.
> 
> Let's look at the basic use case first: Alice has a website, and Bob
> is allowed to edit it.

I added a use case for giving access to collections of resources. Giving
access to a whole web site seems a bit too strong. :-)

> 
> No irrelevant things about 'Bob is within a 500m radius of a certain
> geo location' or 'Alice uses an Oracle database to run her website'.
> Imho that misses the point.

That is an interesting example of using attributes to determine access it
seems to me.


> There is a small note at the bottom of the
> LDP page saying "identity: WebID". That is what we should be looking
> at, i think:
> 
> 1) how does Bob send his credentials
> 2) how does Alice's web server check them

Well that would be up to each authentication protocol to define. 
> 
> For this, i'm aware of the following options:
> 
> - username/password (doesn't scale of course if Bob has many friends)
> - WebID (favourite of this CG!)
> - OpenID (sadly probably deprecated)
> - Persona (promising imho)
> - Dialback (same)
> - Salmon (specific for blogpost-comments, and probably deprecated by dialback?)
> 
> 
> My 2ct,
> Michiel
> 
> On Tue, Nov 13, 2012 at 7:27 AM, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> On 11/12/12 5:19 PM, Andrei SAMBRA wrote:
>> 
>> Actually, I wonder if it would be a better idea to move this wiki page (on
>> AC) to the RWW wiki, given that it is orthogonal to LDP WG's work. I'll
>> create the stub wiki page and post the link in a reply.
>> 
>> +1
>> 
>> Kingsley
>> 
>> 
>> Andrei
>> 
>> 
>> On Mon, Nov 12, 2012 at 5:16 PM, Kingsley Idehen <kidehen@openlinksw.com>
>> wrote:
>>> 
>>> On 11/12/12 4:52 PM, Jürgen Jakobitsch wrote:
>>>> 
>>>> hi,
>>>> 
>>>> since the discussion on AC is apparently taking shape, it might be a
>>>> good time for my questions.
>>>> 
>>>> until now we more or less only had examples of AC in action on the
>>>> data-retrieval side (as far as i know at least).
>>>> 
>>>> do acl-engines only really work with inference-engines when updating or
>>>> are there recommended ways of dealing with the following example?
>>>> 
>>>> prereq.: acl - denies access to resource "x" (say a skos:Concept)
>>>> 
>>>> what should happen, when i add the triple?
>>>> 
>>>> resource "y" skos:broader resource "x"?
>>>> 
>>>> 
>>>> there are several scenarios in which this could take place :
>>>> 
>>>> 1. should the update request be rejected with full inferencing, because
>>>> it becomes clear the resource "x" is touched?
>>>> 2. what happens in a non-inferencing environment? with that is created a
>>>> relation between the two resources and i could construct (sparql-wise)
>>>> whatever i want, which brings me to the idea of never trusting
>>>> application/sparql-results+*...
>>>> 
>>>> 
>>>> so the crucial point seems to be that ACLs can handle updates more
>>>> flexibly, a read and write access denied for a single resource might not
>>>> be enough.
>>>> 
>>>> any pointer to the most flexible acl-ontology?
>>>> i'm thinking about something like :
>>>> 
>>>> denyWriteAccess where resource "x" is the object.
>>>> 
>>>> any pointer really appreciated..
>>> 
>>> 
>>> What we do is have SPARQL ASK as an option for determining conditions. That
>>> way, you handle all your desired scenarios as the data (resource) publisher.
>>> Basically, we offer:
>>> 
>>> 1. basic WebID lists
>>> 2. WebIDs as members of foaf:Groups
>>> 3. SPARQL ASK -- for most complex conditions and custom conditions.
>>> 
>>> As for inference, we have this loosely bound to the SPARQL processor which
>>> is why we use pragmas to enable inference context in our SPARQL
>>> implementation. I know of no other way to handle the contextual fluidity
>>> associated with this subject matter :-)
>>>> 
>>>> wkr turnguard
>>> 
>>> --
>>> 
>>> Regards,
>>> 
>>> Kingsley Idehen
>>> Founder & CEO
>>> OpenLink Software
>>> Company Web: http://www.openlinksw.com
>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>> Twitter/Identi.ca handle: @kidehen
>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen

Social Web Architect
http://bblfish.net/
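The exchange between Jürgen and Kingsley above (deny-on-x plus an update adding `y skos:broader x`, checked with and without inference, and the three mechanisms of WebID list, group membership and SPARQL ASK-style conditions) can be made concrete with a small model. The following is an added example, not code from the thread or from any of the systems mentioned; it uses constructed identifiers (`ex:x`, `ex:y`, `ex:z`, `ex:editors`, a made-up WebID for Bob) and, like the question, treats `skos:broader` as transitive for illustration (SKOS itself reserves that for `skos:broaderTransitive`).

```python
"""Toy access-control check for RDF updates (constructed example, not code from the thread).

Models three mechanisms named in the thread: a basic WebID allow list, WebIDs as
members of groups, and a custom ASK-style condition. It then runs Jürgen's
scenario: a rule denying writes that touch a protected resource, evaluated once
without and once with (transitive) inference over skos:broader.
"""
from collections import defaultdict

SKOS_BROADER = "skos:broader"  # treated as transitive here for illustration only


def transitive_closure(graph, predicate):
    """All (s, o) pairs with s predicate+ o, i.e. reachable in one or more hops."""
    adj = defaultdict(set)
    for s, p, o in graph:
        if p == predicate:
            adj[s].add(o)
    closure = set()
    for start in list(adj):
        stack, seen = list(adj[start]), set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            closure.add((start, node))
            stack.extend(adj.get(node, ()))
    return closure


def touched_resources(graph, new_triples, infer=False):
    """Resources an update touches: subjects and objects of the new triples, plus
    every resource that gains a new inferred skos:broader link when inference is
    on (scenario 1 in the thread). Without inference only the literal triple counts."""
    touched = set()
    for s, _p, o in new_triples:
        touched.update((s, o))
    if infer:
        before = transitive_closure(graph, SKOS_BROADER)
        after = transitive_closure(graph | new_triples, SKOS_BROADER)
        for s, o in after - before:
            touched.update((s, o))
    return touched


class Acl:
    """Deny-by-default ACL: who may write, which resources are off-limits,
    and extra ASK-like conditions evaluated against the proposed update."""

    def __init__(self):
        self.agents = set()             # 1. basic WebID list
        self.groups = defaultdict(set)  # 2. group -> member WebIDs
        self.allowed_groups = set()
        self.deny_write = set()         # resources no update may touch, as subject or object
        self.conditions = []            # 3. callables(agent, graph, new_triples) -> bool

    def agent_allowed(self, agent):
        return agent in self.agents or any(agent in self.groups[g] for g in self.allowed_groups)

    def authorize_update(self, agent, graph, new_triples, infer=False):
        """Return (allowed, reason) for adding new_triples to graph."""
        if not self.agent_allowed(agent):
            return False, "agent not on WebID list and not in an allowed group"
        blocked = touched_resources(graph, new_triples, infer) & self.deny_write
        if blocked:
            return False, "update touches protected resource(s): " + ", ".join(sorted(blocked))
        for cond in self.conditions:
            if not cond(agent, graph, new_triples):
                return False, "custom condition rejected the update"
        return True, "ok"


# Constructed sample data: x is already narrower than z; the update makes y narrower than x.
GRAPH = {("ex:x", SKOS_BROADER, "ex:z")}
UPDATE = {("ex:y", SKOS_BROADER, "ex:x")}
BOB = "https://bob.example/#me"  # constructed WebID


def build_acl(protected):
    """ACL with Bob in an editors group, the given resources write-protected, and
    one ASK-style condition: every new subject must live in the ex: namespace."""
    acl = Acl()
    acl.groups["ex:editors"].add(BOB)
    acl.allowed_groups.add("ex:editors")
    acl.deny_write.update(protected)
    acl.conditions.append(lambda agent, graph, new: all(s.startswith("ex:") for s, _, _ in new))
    return acl


def demo():
    """Run the thread's scenario; returns {(protected resource, inference on): allowed}."""
    results = {}
    for protected in ("ex:x", "ex:z"):
        for infer in (False, True):
            allowed, _ = build_acl({protected}).authorize_update(BOB, GRAPH, UPDATE, infer)
            results[(protected, infer)] = allowed
    return results


if __name__ == "__main__":
    for (protected, infer), allowed in demo().items():
        print(f"protect {protected}, inference={infer}: {'allowed' if allowed else 'denied'}")
```

Protecting `ex:x` is caught either way, because `x` sits in the object position of the new triple. Protecting `ex:z` shows the gap Jürgen describes: without inference the update never mentions `z` and passes, while with inference the new `y skos:broader z` link is detected and the write is refused. The condition list stands in for SPARQL ASK: the publisher supplies the predicate, and the engine only has to evaluate it over the proposed graph.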



Received on Tuesday, 13 November 2012 09:34:03 GMT
