- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sat, 20 Jul 2013 11:57:56 -0400
- To: Henry Story <henry.story@bblfish.net>
- CC: Torsten Lodderstedt <torsten@lodderstedt.net>, OpenID Specs Mailing List <specs@openid.net>, board@openid.net, public-rww <public-rww@w3.org>, public-webid@w3.org
- Message-ID: <51EAB384.4030008@openlinksw.com>
On 7/20/13 6:41 AM, Henry Story wrote: > On 19 Jul 2013, at 10:14, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > >> Hi, >> >> could you please shed some light on the use case for the User field? What entity sets the value, what entitity uses it for what purpose? > The simplest answer would have to be: the use case is the same as whatever the use case was for the > 'From' header. This is specified here: > > http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.22 > > [[ > The From request-header field, if given, SHOULD contain an Internet e-mail address for the human user who controls the requesting user agent. The address SHOULD be machine-usable, as defined by "mailbox" in RFC 822 [9] as updated by RFC 1123 [8]: > > From = "From" ":" mailbox > > An example is: > > From: webmaster@w3.org > > This header field MAY be used for logging purposes and as a means for identifying the source of invalid or unwanted requests. It SHOULD NOT be used as an insecure form of access protection. The interpretation of this field is that the request is being performed on behalf of the person given, who accepts responsibility for the method performed. In particular, robot agents SHOULD include this header so that the person responsible for running the robot can be contacted if problems occur on the receiving end. > ]] > > So if having an e-mail address is ok in the standard, then presumably having a WebID is also ok. > WebID is defined here: https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html > > I am not sure than any software makes much use of the From header. That's the most amazing thing of all, the header isn't used. Nobody has been able to provide any data to back its use in the field. > > We do have a good use case for an "On-Behalf-Of" header which would allow robots specify that > they are making their requests On-Behalf of a user. The robot would authentication using WebID > over TLS ( https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html ), and send an HTTP request > > GET /somedoc HTTP/1.1 > On-Behalf-Of: http://jane.example/u/card#me > ... > > and the WeBID profile of the user specified in the On-Behalf-Of field could then be > fetched by the server to check that it contained a relation say > > <#me> :secretary </u/robot#h2d2> . > > This would then tell the server that the robot making the request could > do so on behalf of the user. So if an access control rule for the requested > resource allowed an agent that had made the request On-Behalf-Of a user to do so, > and this could be verified, then the server could server the resource. > > As it happens the From: field covers the On-Behalf-Of use case. It says so clearly > in the spec: > "The interpretation of this field is that the request is being performed on behalf of the person given," > > Furthermore the HTTP1.1 RFC only restricts the identity used in an e-mail to a SHOULD. > Therefore it should be ok to use the FROM header, as specified above, given that > I don't think the From header is ever used. Otherwise creating a new On-Behalf-Of field > will be the other option. > > Henry That will work too. We just need a header of some sort. Right now though, "User: " is being used, so we are going to support that as a starting point. Kingsley > >> Regards, >> Torsten. >> >> >> >> Kingsley Idehen <kidehen@openlinksw.com> schrieb: >> On 7/18/13 1:38 PM, Torsten Lodderstedt wrote: >>> I fully agree with George und would like to add: why don't you just use the authorization header to send identity data/credentials/tokens to the server in order to allow for access control? >> This is already possible. The requirement here stems from the fact that "From:" is bound specifically to mailto: scheme URIs (Uniform Resource Identifiers). We are looking to "User:" to be the superClass of "From:" which is basically URI scheme agnostic. That's it. >> >> [SNIP] >> -- >> >> Regards, >> >> Kingsley Idehen >> Founder & CEO >> OpenLink Software >> Company Web: >> http://www.openlinksw.com >> >> Personal Weblog: >> http://www.openlinksw.com/blog/~kidehen >> >> Twitter/Identi.ca handle: @kidehen >> Google+ Profile: >> https://plus.google.com/112399767740508618350/about >> >> LinkedIn Profile: >> http://www.linkedin.com/in/kidehen >> >> >> >> >> >> >> _______________________________________________ >> specs mailing list >> specs@lists.openid.net >> http://lists.openid.net/mailman/listinfo/openid-specs > Social Web Architect > http://bblfish.net/ > > > -- Regards, Kingsley Idehen Founder & CEO OpenLink Software Company Web: http://www.openlinksw.com Personal Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca handle: @kidehen Google+ Profile: https://plus.google.com/112399767740508618350/about LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Saturday, 20 July 2013 15:58:25 UTC