
RE: Our paper for Federated Social Web Europe Conference

From: peter williams <home_pw@msn.com>
Date: Fri, 29 Apr 2011 13:12:12 -0700
Message-ID: <SNT143-ds112E7C9C6886E024B5D3DC929A0@phx.gbl>
CC: "'WebID Incubator Group WG'" <public-xg-webid@w3.org>
The example I saw on the URL seems to be a scheme very (VERY) similar in
concept to that which UCL-CS (and Mike Roe in particular) proposed for
discretionary access controls for groups seeking access to ATTRIBUTES in a
named directory object (20 years ago). This was done BEFORE ISO defined a
basic access control model for a distributed information model based on
object schemas, and is quite distinct from other access control concepts
based on security labels and/or the doctrine of "mandatory" access control.
(See any elementary textbook on security for the background on these
terms, if you are not familiar with them.)

The idea for attribute-level access control was written up - see the
literature. And the code (in C) will still be around (look for the ISODE or
Quipu tag words), being very "mathematically" motivated. The code was
implemented as a generic proof process for a rule system - a rule-based
system applying deduction to access controls (as it happens). It was all pretty
classical functionally, but quite cute for the time - since it scaled so
nicely for LDAP names, managed by thousands of naming authorities with
little overall coordination.

For various operations (read/write/list...), bind an access rule to the
entry (container), or to the attribute (in some object class pertinent to
the instance of the container, or a sub-instance (a #me-anchored graph in
semweb speak..)), or to a group (itself defined in another directory
object). Then you close the algebra, given all the rule expressions, and
test to see if there is a path for the access claim presented by the user,
once determined to be a member of a group.

This has nothing to do with linking public keys or discovering cert chains
(or chains of FOAF cards on https endpoints, similarly), note. It's just
attribute-level access control, based on grouping. It's classified as a
discretionary access control scheme. Let's not confuse the topics of (i)
cert discovery and cert closure (for trust path handling) with (ii)
attribute-centric discretionary access controls. Let's learn to distinguish
any and all discretionary schemes (suited to the general link-a-lot "public"
web) from mandatory schemes (suited to such as office documents in web cloud
sites, doing rights management).

As one goes further, there will be a need for a rule that states the minimum
authentication requirements, to perform the algebra above. In an early form of
the claims-centric world, it could require that: in the directory world your
claim to be a member of group X MUST be accompanied by strong authentication
evidence (i.e. certs, in signed operations). If you use websso, or basicAuth,
... the claim constraint brings one's id (with this lower "strength" of
evidence) down ... to the "public" group, user "anonymous". Obviously, the
communication port in the listener fronting the server has to have allowed
websso (or basicAuth) evidence for this rule to even fire, which then
downgrades the user to anon/public FOR THE PARTICULAR entry, or PARTICULAR
attribute.


-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of bergi
Sent: Thursday, April 28, 2011 4:23 PM
To: Dominik Tomaszuk
Cc: WebID Incubator Group WG; Martin Gaedke
Subject: Re: Our paper for Federated Social Web Europe Conference

I already had a look at the paper. I'm missing a URL to the ontology, but I
think it's about the Basic Access Control ontology [1]. For my proof of
concept implementation I was also using this ontology. But I also needed
access control on the property level for my triple store or RDF document,
not only on the resource level. I was too lazy to write an RDF schema, but
here is an example [2]. There is no resource defined because the subject is
the document, which is controlled, itself. The rdfac namespace contains my
extension.
Are there any plans to extend the ontology in this direction?

At the weekend I will have a closer look and give you some feedback.

[1] http://www.w3.org/ns/auth/acl#
[2] https://www.axolotlfarm.org/svn/bergi/bergnet/rme/server/trunk/src/access.default.rdf.xml

On 28.04.2011 23:49, Dominik Tomaszuk wrote:
> Hi all,
> 
> As you know, Martin Gaedke and I are writing the paper for the Berlin 
> conference. It will be an honor for us if you help us write and check the 
> paper.
> 
> And the actual document can be found in [1].
> 
> [1] https://docs.google.com/document/d/15Xs83bNMc5Hb1Eqq_JIpuzQGVCEXWkrKxYarrLfmP3c/edit?hl=pl&authkey=CISb5K8E
> 
> 
> Regards,
> 
> Dominik Tomaszuk
> 
> 
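The two access-control ideas discussed in this thread, attribute-level discretionary rules closed over group membership with a minimum-authentication rule that demotes weakly authenticated claims to anonymous (Peter Williams' message) and property-level control layered on the Basic Access Control ontology (bergi's message), can be put side by side in a single small evaluator. The following is an added example written for this archive page; it is not code from either message, from ISODE/Quipu, or from the Basic Access Control ontology project. The acl:* terms and foaf:Agent are real vocabulary; the `ex:` namespace, the terms `ex:accessToProperty` and `ex:requiresAuthentication`, the evidence-strength ordering, and all sample identities, groups and rules are assumptions constructed for the example.

```python
"""Attribute-level discretionary access control over closed group membership.
Added example, not code from this thread, from ISODE/Quipu or from the Basic Access
Control ontology. acl:* and foaf:Agent are real vocabulary (http://www.w3.org/ns/auth/acl#);
everything in the ex: namespace is an ASSUMED term invented for this example."""
from dataclasses import dataclass

ACL = "http://www.w3.org/ns/auth/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"
EX = "http://example.org/rdfac-ext#"        # constructed namespace for the assumed terms
READ, WRITE = ACL + "Read", ACL + "Write"   # acl:Read, acl:Write
EVERYONE = FOAF + "Agent"                   # foaf:Agent as acl:agentClass = the public
ANONYMOUS = EX + "anonymous"                # constructed identity for downgraded claims
STRENGTH = {"anonymous": 0, "basicAuth": 1, "websso": 2, "cert": 3}  # weakest first (assumed)

@dataclass(frozen=True)
class Authorization:
    """One acl:Authorization; empty `properties` means the whole resource."""
    access_to: str                            # acl:accessTo
    modes: frozenset                          # acl:mode
    agents: frozenset = frozenset()           # acl:agent
    agent_classes: frozenset = frozenset()    # acl:agentClass: a group or foaf:Agent
    properties: frozenset = frozenset()       # ex:accessToProperty (assumed term)
    min_auth: str = "anonymous"               # ex:requiresAuthentication (assumed term)

@dataclass(frozen=True)
class Claim:
    agent: str      # identity presented (WebID / directory name)
    evidence: str   # STRENGTH key: how the listener authenticated it

def group_closure(group, groups, seen=None):
    """Transitively expand a group; a member that is itself a group is expanded too."""
    seen = set() if seen is None else seen
    seen.add(group)
    members = set()
    for m in groups.get(group, ()):
        if m in groups:                       # nested group: recurse, guarding cycles
            if m not in seen:
                members |= group_closure(m, groups, seen)
        else:
            members.add(m)
    return members

def effective_agent(claim, rule):
    """Minimum-authentication rule: evidence weaker than the rule demands demotes the
    claim to anonymous, for this entry/attribute only."""
    return ANONYMOUS if STRENGTH[claim.evidence] < STRENGTH[rule.min_auth] else claim.agent

def allowed(acl, groups, claim, resource, mode, prop=None):
    """True if some authorization grants `mode` on `resource` (or on `prop` of it).
    There is only grant, so deny is the default, as in a discretionary scheme."""
    for rule in acl:
        if rule.access_to != resource or mode not in rule.modes:
            continue
        # A property-scoped rule never grants the whole resource and only covers the
        # properties it names; a resource-wide rule covers every property.
        if rule.properties and (prop is None or prop not in rule.properties):
            continue
        agent = effective_agent(claim, rule)
        if agent in rule.agents or any(
                c == EVERYONE or agent in group_closure(c, groups) for c in rule.agent_classes):
            return True
    return False

# --- constructed sample data: Alice's card, her friends and a wider circle ---------
CARD = "https://example.org/alice/card"
ALICE, BOB, CAROL = (EX + n for n in ("alice", "bob", "carol"))
FRIENDS, CIRCLE = EX + "friends", EX + "circle"
NAME, PHONE = FOAF + "name", FOAF + "phone"
GROUPS = {FRIENDS: {BOB}, CIRCLE: {FRIENDS, CAROL}}   # CIRCLE nests the FRIENDS group
SAMPLE_ACL = [
    # anyone may read the name attribute, and nothing else
    Authorization(CARD, frozenset({READ}), agent_classes=frozenset({EVERYONE}),
                  properties=frozenset({NAME})),
    # friends may read the whole card, but only with websso-or-stronger evidence
    Authorization(CARD, frozenset({READ}), agent_classes=frozenset({FRIENDS}), min_auth="websso"),
    # the wider circle may read the phone attribute, certificate required
    Authorization(CARD, frozenset({READ}), agent_classes=frozenset({CIRCLE}),
                  properties=frozenset({PHONE}), min_auth="cert"),
    # only the owner writes, and only in a signed (certificate) session
    Authorization(CARD, frozenset({WRITE}), agents=frozenset({ALICE}), min_auth="cert"),
]

if __name__ == "__main__":
    for who, how, mode, prop in [(BOB, "websso", READ, None), (BOB, "basicAuth", READ, None),
                                 (BOB, "basicAuth", READ, NAME), (CAROL, "websso", READ, PHONE)]:
        print(who, how, mode, prop, "->", allowed(SAMPLE_ACL, GROUPS, Claim(who, how), CARD, mode, prop))
```

Two design points are worth noting. The demotion in `effective_agent` is applied per rule, so a basicAuth session that fails the "friends need websso" rule is still evaluated as the real identity against rules with a lower requirement, which is the "FOR THE PARTICULAR entry or attribute" behaviour described above. And a property-scoped authorization is deliberately not allowed to satisfy a whole-resource request: otherwise granting the public read access to one property would silently expose the entire document.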
Received on Friday, 29 April 2011 20:12:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:24 UTC