Re: WebID discussion in Debian

Hi.

Let me add a few bits to the discussion, with some common interest to
previous participants (both a younger Debian project member, aka
obergix@debian.org, and a freedombox and WebID interested person).

Jonas Smedegaard <dr@jones.dk> writes:

> Debian already has PGP-based WoT.  So question remains: how is WebID 
> relevant for *Debian*?
>

I've been among the few mentioning WebID on the Debian lists as I try and
investigate the use of Linked Data in FLOSS projects [2], and as the TLS
certs sign-on was discussed, it triggered my interest.

But I've also been advocating WebID in the context of developer
profiles, too, without a primary concern for authentication.


It seems to me that instead of reinventing some wheels with other
(hopefull standard) technologies, we could address multiple uses at once
with FOAF/WebID for developer profiles and WebID+TLS for authentication.

In order to try and test what's possible, I've already started
webid.debian.net that demonstrates the generation of FOAF profiles for
Debian participants. See for instance my profile [0]. It's work in
progress. The main use was to try and convert what's on other portals
about Debian participants in HTML to a more Linked Data compatible
format, and test that on links with package descriptions in RDF [1].


I think that the community of Debian participants is diverse and could
benefit from using WebID for participants identification, as the
profiles could be interlinked, and include/interlink both meta-data
provided (and asserted if needed) by Debian.org services and some
"manually edited" by members, for instance to interlink with profiles in
other projects they participate.


Now, looking again at the Auth aspects, this means that the Debian GPG
web of trust, which is somehow enforced by the Debian services could be
mapped somehow to some TLS certs and even signed certs, but while
allowing also some bits of personal / locally generated (self signed)
certs, which could all be interlinked to the WebID profile.


I envision a time when, ultimately, one could single-sign-on with the
same WebID+TLS (eventuall several interlinked documents), to many
communities/services which would trust different parts of the provided
meta-data depending on the trust they grant if they recognize some
particular certs.

For instance, I could have a Linked Data WebID which has 2 certs, one
personal self-signed that my FreedomBox knows, and one that is issued by
a Debian CA or which is cross-signed by other Debian developers'
(derived from the existing official Debian GPG WoT), which I could then
use to login to Debian. Thus, some Debian services and my FreedomBox
could eventually establish some kind of aknowledgement for back channel
process, who knows... ;)
I could also be recognized by my forge as a FusionForge contributor,
which would also recognize my profile, etc.
My employer's server would know me also as URI interlinked as a sameAs
with the others, of course...
This would be largely decentrilized, and me being in control of the
"master" WebID document that binds them all (preferably GPG signed).

I hope this makes sense.


I've been thinking about reusing some bits of MyProfile [3] to extend
webid.debian.net, but haven't found time/motivation yet to push this
forward. It may be something I'd investigate in the direction of my
participation to the Debian conference in August...


Comments much welcome.

Best regards,

[0] http://webid.debian.net/maintainers/obergix
[1] http://wiki.debian.org/qa.debian.org/pts/RdfInterface
[2] http://www-public.telecom-sudparis.eu/~berger_o/papier-swese2012/
    and associated bibliography
[3] http://myprofile-project.org/

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

Received on Thursday, 16 May 2013 12:59:24 UTC