W3C home > Mailing lists > Public > public-xg-webid@w3.org > June 2012

Re: delegated authentication

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 21 Jun 2012 15:52:45 +0200
Cc: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Read-Write-Web <public-rww@w3.org>, public-webid <public-webid@w3.org>
Message-Id: <5D0AB78E-E733-44D6-B48E-158F0173C48D@bblfish.net>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 21 Jun 2012, at 15:27, Kingsley Idehen wrote:

> On 6/21/12 5:47 AM, Henry Story wrote:
>>   Andrei Sambra asked a question on dig [1] just now, on how one could do delegated authentication with
>> WebID. This crosses the lines of webid, authorisation and ACLs, so I am sending it to the rww group
>> and the webid community groups.
> You mean: how http://my-profile.eu (and others) delegate WebID verification to 3rd party services? If that's the question then Andrei can look at:

Not quite. The problem is more about a server doing something on my behalf. We assume the server can authenticate correctly with WebID: it has its own public/private keys. 

So if my FreedomBox were to have only me as a user, and my FreedomBox wanted to fetch stuff for me and AS me, it could simply create a public key for me and add it to my profile, and everything would be fine there. One could think of the FreedomBox as an extension of me in David Chalmers' sense [1]. The FreedomBox could connect to a service and that service would not be able to tell the difference from my connecting from my browser. I don't see much of an issue here.

If on the other hand we had a university social network, and it wanted to do some things for me, then how would we get it to do that without having to pretend to be me - which it could physically do, as I explained in scenarios 1 and 2 of the original e-mail? For this we can use the proposed solution of a cert:secretary relation (or an auth:secretary) added in my profile, pointing from me to the university server's robot secretary (or perhaps an external robot secretary service), and that secretary robot could identify as itself but act for me (by adding something to the header to make that clear).

The nice thing about this is that it is just a question of access control. We would need the auth:secretary relation to be widely used and understood, so that it could be added to access control rules.

One point I forgot to mention: if the robot secretary named <http://robosecretary.com/eu/d2#rq> logs in with that WebID to server S with a request containing the 

    Acting-on-behalf-of: <http://my-profile.eu/joe#me>

header then S needs to also dereference <http://my-profile.eu/joe> in order to check that it contains the statement

   <http://my-profile.eu/joe#me> auth:secretary <http://robosecretary.com/eu/d2#rq> .

If it does then S knows that it can trust - to a certain extent - the robot with information destined to Joe.

    Henry


[1] http://consc.net/papers/extended.html


> 
> 1. http://id.myopenlink.net/ods/webid_verify.vsp -- WebID verification service
> 2. http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP -- usage guide (a bit verbose) .
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 21 June 2012 13:53:19 GMT
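The check Henry describes for server S, as an added example that is not part of the original e-mail or of any WebID implementation: the robot authenticates as itself over WebID, sends the proposed Acting-on-behalf-of header, and S derives the profile document URL from the claimed WebID (never from anything the robot supplied), dereferences it, and looks for the auth:secretary triple. The namespace IRI bound to auth:, the profile contents, and the in-memory fetch() standing in for an HTTP GET are all assumptions made for the example.

```python
"""Verifying an Acting-on-behalf-of header against the principal's WebID profile.

Added example, not code from the mailing-list thread. The header name and the
auth:secretary relation are the ones proposed in the message; the IRI bound to
auth: below is a placeholder (the relation is not defined in any published
ontology), and PROFILES plus fetch() are constructed stand-ins for real
profile documents fetched over HTTP.
"""
import re
from urllib.parse import urldefrag

AUTH_NS = "http://www.w3.org/ns/auth/acl#"   # assumed namespace for auth:
SECRETARY = AUTH_NS + "secretary"

# Constructed profile documents, keyed by the document URL server S would GET.
PROFILES = {
    "http://my-profile.eu/joe": """
@prefix auth: <http://www.w3.org/ns/auth/acl#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<http://my-profile.eu/joe#me> auth:secretary <http://robosecretary.com/eu/d2#rq> .
""",
    "http://my-profile.eu/ann": """
@prefix auth: <http://www.w3.org/ns/auth/acl#> .
<http://my-profile.eu/ann#me> auth:secretary <http://robosecretary.com/eu/d2#other> .
""",
}


def fetch(document_url):
    """Stand-in for dereferencing the profile document; None means not found."""
    return PROFILES.get(document_url)


# A term is either <iri> or prefix:local (prefix may be empty).
TERM = re.compile(r"<([^>]*)>|([A-Za-z_][\w-]*)?:([\w-]+)")
PREFIX_LINE = re.compile(r"@prefix\s+([A-Za-z_][\w-]*)?:\s*<([^>]*)>\s*\.")


def parse_turtle_subset(text):
    """Parse the tiny Turtle subset used here: @prefix lines and one triple
    per line, with IRI terms only. Returns a set of (s, p, o) IRI triples."""
    prefixes = {}
    triples = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@prefix"):
            m = PREFIX_LINE.match(line)
            if not m:
                raise ValueError("bad prefix line: " + line)
            prefixes[m.group(1) or ""] = m.group(2)
            continue
        if not line.endswith("."):
            raise ValueError("unterminated triple: " + line)
        terms = []
        for m in TERM.finditer(line[:-1]):
            if m.group(1) is not None:
                terms.append(m.group(1))
            else:
                terms.append(prefixes[m.group(2) or ""] + m.group(3))
        if len(terms) != 3:
            raise ValueError("expected subject, predicate, object: " + line)
        triples.add(tuple(terms))
    return triples


def effective_principal(authenticated_webid, acting_on_behalf_of, fetch=fetch):
    """Decide whom a request should be treated as coming from.

    authenticated_webid: the WebID that passed WebID-TLS verification (the robot).
    acting_on_behalf_of: raw value of the Acting-on-behalf-of header, or None.
    Returns (principal, delegate): delegate is None when the robot acts as
    itself. Raises PermissionError when the claimed principal's own profile
    does not name the robot as its secretary."""
    if acting_on_behalf_of is None:
        return authenticated_webid, None
    claimed = acting_on_behalf_of.strip()
    if claimed.startswith("<") and claimed.endswith(">"):
        claimed = claimed[1:-1]
    if claimed == authenticated_webid:
        return authenticated_webid, None
    # The profile to consult is determined by the claimed WebID itself
    # (fragment stripped), so the robot cannot point S at a document it controls.
    document_url, _fragment = urldefrag(claimed)
    body = fetch(document_url)
    if body is None:
        raise PermissionError("cannot dereference profile of " + claimed)
    graph = parse_turtle_subset(body)
    if (claimed, SECRETARY, authenticated_webid) not in graph:
        raise PermissionError(authenticated_webid + " is not a secretary of " + claimed)
    return claimed, authenticated_webid


if __name__ == "__main__":
    robot = "http://robosecretary.com/eu/d2#rq"
    print(effective_principal(robot, "<http://my-profile.eu/joe#me>"))
```

Because the function returns both the principal and the delegate, an ACL layer can still write rules that distinguish "Joe in person" from "Joe via his secretary", which is the point of having the robot identify as itself rather than impersonate Joe. Note that the triple lookup is an exact IRI comparison: a profile that names a different robot (Ann's above), or one that cannot be fetched at all, rejects the request rather than falling back to the robot's own identity.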
