
RE: distinction between authentication and identity/profile ?

From: Peter Williams <home_pw@msn.com>
Date: Mon, 6 Jun 2011 10:06:35 -0700
Message-ID: <SNT143-w30FB12B8E539583994FC1D92600@phx.gbl>
To: <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>

The interaction with OpenID helps in understanding the distinction between identity, identifier and authentication. If one is clear on it, one can build on the interleaving of OpenID and WebID semantics to make inferences. See below!
 
We know the main purpose in webid validation of using SSL client authn mechanisms is to prove *control* over the webid identifier.
 
Similarly, we know that in the OpenID auth protocol, the main function is likewise to prove control over an identifier - the OpenID URI.
 
While using very different security techniques, we also know that the two worlds can be meshed, using the foaf:openid relation/statement. 
 
What I don't fully understand is the security claims of the dual world. I can postulate some, though, that appear reasonable. They are by no means standard, or "accepted", though.
 
Let's say the openid "identity document" is an HTML file, much like that already maintained by myopenid for those users to whom that OP authority has "issued" openid identifiers. Let's say the markup is RDFa and even some existing vcard microformats, bearing similar core profile information. The RDFa elements of the markup represent various webid-specific statements (relating webid id to a pubkey, principally), and also include the foaf:openid statement relating a different webid URI to the openid URI.
 
Now, assume that the user completes a run of openid auth at an openid consumer (e.g. Rupert Murdoch's foxnews.com), which chooses to dereference the HTML file ("openid identity document", formally). From the HTML processing instruction, it learns the file is RDFa, and turns on its "webid-compatibility mode", thereby learning not only that the openid id POTENTIALLY relates to a given webid, but that there is a pubkey associated with that webid (and thus the openid).
 
We have to recognize that the pubkey/webid binding is not secured by the webid validation method in this world - since no SSL occurred and thus no control over the private key was proven. Or, to be more precise, the binding is instead asserted by the OP, who retains exclusive control over the file contents and who hosts the file (legally).
 
If a user were NOW to initiate a run of SSL client authn with the same relying party consumer as above, webid validation would pick up a DIFFERENT copy of the foaf card -- the one hosted at the webid URI. The statements in this one can indeed be attributed to the user (due to the security-enforcing semantics of webid validation). This of course contrasts with the openid case first presented, in which the statements could only be attributed to the OP.
 
Now, I could accept a world in which a consumer checks BOTH mechanisms - in sequence. Should it learn from the 2nd webid protocol run that indeed the user under UCI vouches for the foaf:openid relation/statement, that is acknowledged by the (very similar) file recovered from the "first" openid authn protocol run, then one has an implicit trust statement: user recognizes the OP, as a source of authentication claims. However, there are limits (that fit the world of non-TTP centric webid).
 
While the authentication claims of any OP have -- under UCI doctrine -- zero value until ...there has been "confirmation" that the user recognizes the OP (and perhaps puts the OP under copyright controls, and other terms and conditions), so long as the relying party consumer makes the two runs as stated (acting to make an "initial introduction" of the putative user), I don't see why OP claims made in the AX attributes should not AT THAT POINT be treated as triples in good standing (even though they are not sourced to the identity document, or the foaf card).
 
The AX attributes would then assert such as: user says OP says timezone property has PST value. This is different from openid sans webid, which asserts, merely, OP says timezone property has PST value.
 
> From: henry.story@bblfish.net
> Date: Mon, 6 Jun 2011 16:14:29 +0200
> CC: public-xg-webid@w3.org
> To: perpetual-tripper@wwelves.org
> Subject: Re: distinction between authentication and identity/profile ?
> 
> 
> On 6 Jun 2011, at 12:49, elf Pavlik wrote:
> 
> > Hello,
> > 
> > Great meeting some of you in Berlin!
> > 
> > Sometimes I find a bit confusing in WebID, mixing identity/profile and using client certificate for authentication. How do you see making stronger distinction between those two?
> 
> The WebIDProfile can be your foaf Profile. No issue. That is how most of us do it.
> 
> > What if someone wants to have an URI and foaf profile but for authentication would like to use other mechanism than client certificate, OpenID for example...
> 
> That is also ok. You can use 
> 
> foaf:openid
> 
> to do that. Link your WebId to your openid and link your openid page to your profile and things are great.
> Your OpenID could also be your WebID Profile Document.
> 
> 
> > Does plain FOAF has exactly the same potential in terms of identity and social graph?
> 
> same potential as what?
> 
> > Does WebID add anything else to FOAF than authentication with client certificate?
> 
> yes, it is a very minimal spec. Because it uses cryptography and very well known technologies in an original way
> it needs some careful work in a standards body.
> 
> > I appreciate any comments and links which can help me with clarifying it!
> 
> Hope that helps,
> 
> Henry
> 
> 
> > 
> > Thanks!
> > =)
> > elf Pavlik
> > 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 
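The two-run check that Peter describes above (an OpenID run whose consumer dereferences the OP-hosted identity document and receives AX attributes, followed by a WebID run whose TLS client authentication proves control of the key named in the user-hosted profile), modelled as an added example in Python. This is not code from the thread or from any WebID implementation; the URIs, key values, the `cert:key` predicate name and the AX attribute are all constructed, and the TLS handshake itself is assumed rather than modelled: `presented_key` stands for the key the client has already proven possession of. Triples are plain tuples; no RDF library is used.

```python
"""Provenance of statements across an OpenID run and a WebID run.

Added example with constructed data. Two documents are dereferenced:
  - the OP-hosted OpenID identity document (no SSL client auth, so its
    statements are attributable only to the OP);
  - the profile hosted at the WebID URI (its statements become attributable
    to the user once WebID validation succeeds).
Only when both agree on the foaf:openid link, and the WebID run validated,
do the OP's AX attributes acquire the "user says OP says" provenance.
"""
from dataclasses import dataclass, field

FOAF_OPENID = "foaf:openid"
CERT_KEY = "cert:key"   # hypothetical predicate binding a WebID to a public key

# Constructed identifiers and key material (not real keys).
WEBID = "https://example.org/alice/card#me"
OPENID = "https://op.example.net/alice"
ALICE_KEY = ("rsa", "e=65537", "n=CONSTRUCTED_MODULUS_1")
OTHER_KEY = ("rsa", "e=65537", "n=CONSTRUCTED_MODULUS_2")


@dataclass
class Document:
    """A dereferenced document, the party controlling its contents, and its triples."""
    url: str
    host: str                                   # default asserter of its statements
    triples: set = field(default_factory=set)   # (subject, predicate, object) tuples


# Document recovered in the OpenID run: hosted and controlled by the OP.
OPENID_DOC = Document(OPENID, "OP", {
    (WEBID, CERT_KEY, ALICE_KEY),
    (WEBID, FOAF_OPENID, OPENID),
})

# Document recovered in the WebID run: hosted at the WebID URI itself.
WEBID_PROFILE = Document(WEBID, "user-hosted", {
    (WEBID, CERT_KEY, ALICE_KEY),
    (WEBID, FOAF_OPENID, OPENID),
})

# AX attributes returned by the OP in the OpenID response (constructed).
AX_ATTRS = {"timezone": "PST"}


def webid_validate(presented_key, profile):
    """WebID validation: the key the TLS client proved possession of (assumed
    here) must be bound to the WebID in the profile fetched from the WebID URI."""
    return (WEBID, CERT_KEY, presented_key) in profile.triples


def attributed_to(doc, validated_by_user):
    """Map each triple in doc to the party it can be attributed to: the user
    if the document came out of a successful WebID run, else the host."""
    asserter = "user" if validated_by_user else doc.host
    return {t: asserter for t in doc.triples}


def user_recognizes_op(openid_doc, webid_profile, presented_key):
    """The user is taken to vouch for the OP only if the WebID run validated
    and both documents carry the same foaf:openid link."""
    link = (WEBID, FOAF_OPENID, OPENID)
    return (webid_validate(presented_key, webid_profile)
            and link in webid_profile.triples
            and link in openid_doc.triples)


def ax_provenance(ax_attrs, openid_doc, webid_profile, presented_key):
    """Provenance chain (outermost asserter first) for each AX attribute."""
    if user_recognizes_op(openid_doc, webid_profile, presented_key):
        chain = ("user", "OP")      # user says OP says ...
    else:
        chain = ("OP",)             # OP says ... (openid sans webid)
    return {name: (chain, value) for name, value in ax_attrs.items()}


if __name__ == "__main__":
    for key in (ALICE_KEY, OTHER_KEY):
        print(key[2], ax_provenance(AX_ATTRS, OPENID_DOC, WEBID_PROFILE, key))
    print(attributed_to(OPENID_DOC, False))
    print(attributed_to(WEBID_PROFILE, webid_validate(ALICE_KEY, WEBID_PROFILE)))
```

Running the module with the constructed data shows the timezone attribute carrying the chain `("user", "OP")` when the presented key matches the profile, and only `("OP",)` when a different key is presented or when the user-hosted profile omits the foaf:openid link; the OP-hosted document's triples are attributed to "OP" regardless, since no private-key control was proven for them.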
Received on Monday, 6 June 2011 17:07:04 UTC
