Re: identification, authorisation, authentication from Andrei Sambra on 2012-10-31 (public-rww@w3.org from October 2012)

From: Andrei Sambra <andrei@fcns.eu>
Date: Wed, 31 Oct 2012 15:19:32 +0100
To: nathan@webr3.org
CC: public-rww@w3.org
Message-ID: <50913374.4000602@fcns.eu>

On 10/31/12 14:17, Nathan wrote:
> Hi Andrei,
>
> Perhaps this is better termed generally as an
> "authenticated-agent-identifier", within the context of auth* - and an
> "agent-identifier" when it hasn't been authenticated/verified.
>
> Or within the context of WebID-Protocol, a "WebID" (hash HTTP URI which
> denotes an Agent. Where you can GET an RDF model as TURTLE.) and an
> "Authenticated WebID" (one which has been verified/authenticated with
> WebID Protocol for WebID Authentication).
>
> Identity is separate from Authentication as you say, but an
> authenticated-agent-identifier is the product of authentication.

Yes, I fully agree with you there.

> Thus generally we have:
>
> 1) agent-identifier (a URI which denotes an agent)
> 2) authenticated-agent-identifier = Authentication->authentice(*)
>
> Or using our common webid-*,
>
> 1) WebID (a hash HTTP URI which denotes an agent, for which you can get
> an RDF model describing the agent as TURTLE)
> 2) Authenticated-WebID (a WebID which has been authenticated using
> WebID-Protocol)
>
> Does that clarify / make sense?

Yes it does. We should put this somewhere.

> Best,
>
> Nathan
>
> Andrei Sambra wrote:
>> Following a conversation we had at TPAC, I personally see
>> identification as completely separate from authentication.
>>
>> For me, identification is the way of selecting one person/agent from a
>> list of people/agents by using a unique identifier (i.e. WebID). It
>> the same as pointing a finger towards one person in a group. Another
>> example: I should not be forced to perform authentication if I just
>> want to "view" someone's FOAF card by dereferencing their WebID URI.
>> However, authentication may be required in case some parts of the FOAF
>> card are protected by access control policies.
>>
>> Given the recent change in the definition of WebID (i.e. "A WebID is a
>> hash HTTP URI which denotes an Agent. You can GET an RDF model as
>> TURTLE."), I think it becomes clear how useful it is to separate the
>> identity part from the authentication part, and being able to change
>> the authentication protocol.
>>
>> To conclude, I these three keywords as:
>>
>> Identification -> (Authentication -> Authorization)
>>
>> Andrei
>>
>>

Received on Wednesday, 31 October 2012 14:19:59 UTC