Re: [unhosted] Re: Unhosted.org Project and WebID

Today I can use my webid at many sites, being at heart a client cert. Most of the sites don't bother with the foaf card lookup (but let's hope that changes).

What I don't want is any 3rd party site to become a gatekeeper to those n sites. Assume that this 3rd party has governance rules that I break. I have no objection to being suspended from them. But I cannot accept that this site's decisions disconnect me from the other n sites, still happy with me. If suspension means I cannot now authenticate





On Apr 9, 2011, at 12:12 PM, Michiel de Jong <michiel@unhosted.org> wrote:

> Hi all!
> 
> 
> We should definitely work together. I know WebID through Henry Story, and have always found it intriguing. Let's brainstorm about how Unhosted and WebID can be combined to unite strengths.
> 
> On Sat, Apr 9, 2011 at 6:47 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> [...]
> http://www.w3.org/DesignIssues/CloudStorage.html
> 
> 
> Yes, I must have read that article when I was still working on the proof-of-concept in December, because I remember the illustration. That's probably why Unhosted ended up so similar to Tim Berners-Lee's design. :)
> 
> Let me try to explain why WebID is not part of the unhosted stack already, and then we can talk about how it can all fit together. This may sound negative, but it's really not, I'm just highlighting the parts I think we should talk about. The way I see it, WebID hooks into functionality on three levels:
> - (FOAF+SSL:) finding where your data is / who is sitting at the keyboard
> - (SSL:) storing your private key for transport-layer encryption (as opposed to payload encryption)
> - (FOAF:) define, in a machine-readable format, my interests, photo, activities, photos, microblog entries, ...
> 
> About finding where your data is / who is sitting at the keyboard: right now we have that working with webfinger and client-side oauth2. You can try logging into http://www.myfavouritesandwich.org/ using user 'demo@demo.redlibre.org' and password 'demo' to see the user experience. IMHO this UX is better than what is achieved with webid, mainly because as long as you remember your oauth password, you can use any computer, any browser. The password can even be avoided by session cookie or letting your browser remember the password. Unless I'm missing something here, I think the way webid depends on you using the same browser would work best on mobile phones, and not so much on internet cafe computers. That's why for this point I would prefer to stick with webfinger+oauth, instead of introducing webid at this level.
> 
> About the cryptography: SSL is entirely transport-layer, the handshake is interactive. I think in a federated world, where nodes/servers/storage providers are a commodity, we should not need to trust these commodity servers. We need end-to-end encryption, or 'payload encryption'. An unhosted web app can encrypt your data in the browser before sending it to the commodity storage server, to prevent your commodity server, or your friend's commodity server, from spying, or stealing your identity. You still only trust the app. Only then, would I say, does the storage server become a commodity.
> 
> About the linked data: I do not understand well enough how foaf and OStatus relate to each other to be able to say anything about that. Right now, we are working on the basis of the unhosted architecture, and spinning up a small ecosystem with a few unhosted account providers and a few entertaining unhosted web apps. Not all of these are primarily social, like a todo-list app, or a text editor app, etcetera. We are only 3 donations-based full-time developers, plus the people on the mailing list. So far nobody has had time to start working on "unhosted.social".
> 
> CC: Laurent, you know much more about this topic than me, what's your opinion on foaf, xmpp, and OStatus? Can the three be integrated into one thing?
> 
> 
> Cheers!
> Michiel

Received on Monday, 11 April 2011 21:39:19 UTC