W3C home > Mailing lists > Public > public-rww@w3.org > November 2012

Re: AccessControl : update + inference

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 13 Nov 2012 07:06:57 -0500
Message-ID: <50A237E1.8000005@openlinksw.com>
To: public-rww@w3.org
On 11/12/12 8:18 PM, Michiel de Jong wrote:
> i feel the LDP page misses the point. it describes ways in which you
> can use, say, an Oracle database, to describe if certain credentials
> which the client sent are sufficient for a certain action or not. What
> they don't describe is how the client can actually send these
> credentials, and how the server can check their validity.

The Oracle example isn't representative. You've already picked that 
apart accurately.

>
> Let's look at the basic use case first: Alice has a website, and Bob
> is allowed to edit it.
>
> No irrelevant things about 'Bob is within a 500m radius of a certain
> geo location' or 'Alice uses an Oracle database to run her website'.
> Imho that misses the point.

Yep!

> There is a small note at the bottom of the
> LDP page saying "identity: WebID". That is what we should be looking
> at, i think:
>
> 1) how does Bob send his credentials
> 2) how does Alice's web server check them
>
> For this, i'm aware of the following options:
>
> - username/password (doesn't scale of course if Bob has many friends)
> - WebID (favourite of this CG!)
> - OpenID (sadly probably deprecated)
> - Persona (promising imho)
> - Dialback (same)
> - Salmon (specific for blogpost-comments, and probably deprecated by dialback?)

Identity, Entity Relationship Graphs, and Entity Relationship Semantics 
== the solution.

Linked Data, WebID, WebID authentication protocol, and Web Access 
Control Ontology is the natural solution.

Kingsley
>
>
> My 2ct,
> Michiel
>
> On Tue, Nov 13, 2012 at 7:27 AM, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> On 11/12/12 5:19 PM, Andrei SAMBRA wrote:
>>
>> Actually, I wonder if it would be a better idea to move this wiki page (on
>> AC) to the RWW wiki, given that it is orthogonal to LDP WG's work. I'll
>> create the stub wiki page and post the link in a reply.
>>
>> +1
>>
>> Kingsley
>>
>>
>> Andrei
>>
>>
>> On Mon, Nov 12, 2012 at 5:16 PM, Kingsley Idehen <kidehen@openlinksw.com>
>> wrote:
>>> On 11/12/12 4:52 PM, Jürgen Jakobitsch wrote:
>>>> hi,
>>>>
>>>> since the discussion on AC is apparently taking shape, it might be a
>>>> good time for my questions.
>>>>
>>>> until now we more or less only had examples of AC in action on the
>>>> data-retrieval side (as far as i know at least).
>>>>
>>>> do acl-engines only really work with inference-engines when updating or
>>>> are there recommended ways of dealing with the following example?
>>>>
>>>> prereq.: acl - denies access to resource "x" (say a skos:Concept)
>>>>
>>>> what should happen, when i add the triple?
>>>>
>>>> resource "y" skos:broader resource "x"?
>>>>
>>>>
>>>> there are several scenarios in which this could take place :
>>>>
>>>> 1. should the update request be rejected with full inferencing, because
>>>> it becomes clear the resource "x" is touched?
>>>> 2. what happens in a non-inferencing environment? with that is created a
>>>> relation between the two resources and i could construct (sparql-wise)
>>>> whatever i want, which brings me to the idea of never trusting
>>>> application/sparql-results+*...
>>>>
>>>>
>>>> so the crucial point seems to be that ACLs can handle updates more
>>>> flexible, a read and write access denied for a single resource might not
>>>> be enough.
>>>>
>>>> any pointer to the most flexible acl-ontology?
>>>> i'm thinking about something like :
>>>>
>>>> denyWriteAccess where resource "x" is the object.
>>>>
>>>> any pointer really appreciated..
>>>
>>> We we do is have SPARQL ASK as an option for determining conditions. That
>>> way, you handle all your desired scenarios as the data (resource) publisher.
>>> Basically, we offer:
>>>
>>> 1. basic WebID lists
>>> 2. WebIDs as members of foaf:Groups
>>> 3. SPARQL ASK -- for most complex conditions and custom conditions.
>>>
>>> As for inference, we have this loosely bound to the SPARQL processor which
>>> is why we use pragmas to enable inference context in our SPARQL
>>> implementation. I know of not other way to handle the contextual fluidity
>>> associated with this subject matter :-)
>>>>
>>>> wkr turnguard
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Kingsley Idehen
>>> Founder & CEO
>>> OpenLink Software
>>> Company Web: http://www.openlinksw.com
>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>> Twitter/Identi.ca handle: @kidehen
>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> Regards,
>>
>> Kingsley Idehen	
>> Founder & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: @kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>
>>
>>
>>
>
>


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen







Received on Tuesday, 13 November 2012 12:07:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 13 November 2012 12:07:25 GMT