
Re: [foaf-protocols] The other side of WebID / four party auth

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 27 Jan 2011 19:56:32 +0100
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <437FC4DD-6C39-41BE-80BF-AD6533B980DA@bblfish.net>
To: nathan@webr3.org
[dropping foaf-protocols]

On 27 Jan 2011, at 03:17, Nathan wrote:
> 
> This is the four party auth I mentioned earlier in the year,

So this would be something that should be looked at with ISSUE-4:
"Detail Authorization "protocol" using WebID"

> but never 
> mentioned in detail, roughly the protocol would be:
> 
>  client: this is my cert (key pair w/ webid) - CC
>  server: this is my cert (key pair w/ webid) - CS

Though actually this is done in one https connection,
and it happens the other way around: with the
server first proposing its certificate, asking the 
client for its cert, which the client can then choose to
send.

>  client: take webid from CS, place in CC-webid foaf file
>  server: take webid from CC, place in CS-webid foaf file

If this is an authorisation protocol, don't we need
a place perhaps for a decision somewhere? Or at
least a signal to be sent that the client or server is
seeking to create some relationship with the
other party? There is a dialog missing in your sketch
between the two parties.

In the "Sketch of a Photo Printing Service" this
is enabled by placing a relation to an authorization end point
in the Profile Document.

http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo

>  client: check CS-webid foaf file for CC-webid and CS-key
>  server: check CC-webid foaf file for CS-webid and CC-key

Here you seem to be checking the identity of the other party
after having added them to your profile. That seems to be the
wrong way around.

> 
> The above covers all bases, it ensures the user and the server are who 
> they say they are, still have write permission to their respective 
> webid resources, ensures HTTP+TLS in all communications, allows ACL 
> controlled responses from each webid resource to only give the (server 
> or client) access to the info it's allowed to see. And it would be 
> webid for the server too, and get rid of the traditional trust chain, 
> making room for new linked-data web of trust.
> 
> Essentially, this would replace everything from openid to oauth and 
> beyond.
> 
> thoughts? and apologies it took me so long to mention properly on list.

I would be interested in your feedback on how you think this 
improves over the restful photo service.

Henry

> 
> Best,
> 
> Nathan
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Social Web Architect
http://bblfish.net/
Received on Thursday, 27 January 2011 18:57:08 GMT
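The exchange sketched in the quoted message, with the ordering Henry's reply argues for (each side verifies the other's WebID before either writes the relationship into its profile), as an added example that is not code from this thread or from any WebID project. The profile documents, WebIDs and "public keys" are constructed in-memory stand-ins for FOAF files fetched over HTTPS; a real implementation would dereference the WebID, parse the RDF and compare the certificate's RSA modulus and exponent, which this model reduces to a string match.

```python
"""Mutual WebID verification before either party records a relationship.

Added example, not code from the mailing-list thread. WEB, the WebIDs and
the key strings are constructed stand-ins: a real verifier dereferences
the WebID over HTTPS, parses the profile as RDF and compares the RSA
modulus/exponent from the certificate against the cert:key entries.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    """The certificate a party presents in the TLS handshake."""
    webid: str        # WebID URI carried in subjectAltName
    public_key: str   # constructed stand-in for the RSA public key


@dataclass
class Profile:
    """In-memory stand-in for a WebID profile document (FOAF file)."""
    keys: set = field(default_factory=set)    # public keys the profile lists
    knows: set = field(default_factory=set)   # relationships the owner recorded


def build_web():
    """Constructed 'web' of profile documents: WebID URI -> Profile."""
    return {
        "https://alice.example/#me": Profile(keys={"KEY-ALICE"}),
        "https://printer.example/#srv": Profile(keys={"KEY-PRINTER"}),
    }


def verify_webid(web, cert):
    """WebID check: dereference the WebID claimed in the certificate and
    confirm that the profile found there lists the presented public key.
    A certificate for an unknown WebID, or one whose key the profile does
    not list, fails."""
    profile = web.get(cert.webid)
    return profile is not None and cert.public_key in profile.keys


def establish_relationship(web, client_cert, server_cert):
    """Four-party exchange with verification first: the client checks the
    server's WebID, the server checks the client's WebID, and only then
    does each record the other in its own profile. Returns True on
    success; on any failure both profiles are left untouched."""
    if not verify_webid(web, server_cert):   # client verifies the server
        return False
    if not verify_webid(web, client_cert):   # server verifies the client
        return False
    web[client_cert.webid].knows.add(server_cert.webid)
    web[server_cert.webid].knows.add(client_cert.webid)
    return True


if __name__ == "__main__":
    web = build_web()
    alice = Certificate("https://alice.example/#me", "KEY-ALICE")
    printer = Certificate("https://printer.example/#srv", "KEY-PRINTER")
    print("genuine pair:", establish_relationship(web, alice, printer))

    # A certificate that claims Alice's WebID but carries a different key:
    # the profile at that WebID does not list the key, so nothing is written.
    impostor = Certificate("https://alice.example/#me", "KEY-OTHER")
    web2 = build_web()
    print("impostor:", establish_relationship(web2, impostor, printer))
    print("printer profile after failed attempt:", web2["https://printer.example/#srv"].knows)
```

Running the block prints `genuine pair: True`, then `impostor: False` with the printer's `knows` set still empty, which is the point of doing the check before the write: a failed verification leaves no trace in either profile.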
