Re: Linked Data Profile and CORS

On 18 Jul 2012, at 22:04, Kingsley Idehen wrote:

> On 7/18/12 3:21 PM, Melvin Carvalho wrote:
>>  Access-Control-Allow-Origin: *
> 
> Means CORS is COARSE. Nuff said, re. fine-grained controls for any kind of federated network.
> 
> Henry: I suggest we crack on over here with a fine-grained CORS enhancement based on WebID and its identity verification protocol.
> 
> It should ultimately be a modern header such as:
> 
> Access-Control-Allow-Origin-Identity: {WebID} .
> 
> or
> 
> Access-Control-Allow-Origin: {WebID}
> 
> or
> 
> Access-Control-Allow-AgentID: {WebID} .

The reason for my interest in CORS is that

 1. we need to understand it if we want to write JavaScript apps that consume linked data such as the demo address book.
 2. it is a very good precedent for the work we were doing in Delegation with the On-behalf-Of relation
    http://www.w3.org/wiki/WebID/Authorization_Delegation

CORS could be more fine grained, but that is really something that is up to the vendors in large part. We can't affect that much, other than by for example helping servers know by publishing in a WebID profile what Origins a user trusts... Something worth thinking about.

The Origin thinking in CORS, which has been specified in RFC 6454 [1], is important and is something we could perhaps use to create something even more uncontroversial than "On-behalf-Of". It had been mentioned before on the list here. The thinking is the following:

  (a) A web server serving files (even secured with https), i.e. an Origin, has full control of the content of the files: that is, it could alter them at its whim whenever it wishes.
  (b) When one is communicating with a web server one is therefore making something similar to a speech act, an HTTP act, to the agent which that server is. Whenever we GET a resource, we should also think of it in terms of asking that Origin server (whose identity we have perhaps verified through a CA) for a resource.
  (c) Given that in a WebID verification we rely on the origin server for what is written in a WebID profile, we have to agree that the origin server has a special role with regards to the contents it serves: there is no way a WebID verifier, for example, can tell if the origin server is lying or not. In fact, for all URLs in its domain the origin server is, one could even argue, necessarily right (analytically right, perhaps).

  => so when an origin server makes a request On-behalf-Of any of the users whose WebID profile it serves, then there is perhaps no need even for a server to verify that the Origin server is really acting On-behalf-Of the users, because it is already serving their profile, and so acting on behalf of them.

  Henry

[1] http://tools.ietf.org/html/rfc6454 "The Web Origin Concept"


> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 

Social Web Architect
http://bblfish.net/

Received on Wednesday, 18 July 2012 21:01:15 UTC