Re: LDP with Access Control, or future LDPS(ecure)?

On 11/12/12 12:04 AM, Andrei SAMBRA wrote:
> Dear all,
>
> I would like to start by admitting that I might be asking a question 
> that has already been answered. I have tried looking for this topic on 
> the mailing list archive, but I was unable to find any relevant 
> information.
>
> I have recently begun implementing the current LDP spec, and I find 
> myself at the point where I need to add access control to LDP 
> operations and resources/containers. However, there is no mention in 
> the current spec draft about any kind of access control. While I 
> understand why some of you may be against discussing AC at this point, 
> I can't stop asking myself why there is no effort of adding it by 
> design, instead of a future feature.
>
> I know that mentioning access control at this point in the spec 
> implies opening Pandora's box with all its issues (not the least 
> being the lack of a proper definition for identity in general). I 
> suppose my _personal_ point here is that access control should be a 
> fundamental part of LDP, unless LDP will only be used in the public 
> domain.
>
> I believe some (many?) of you are probably familiar with WebID. As an 
> active member of the WebID CG, I hope that we can find common ground 
> between LDP and WebID, leading to a proposal on how access control can 
> be achieved in LDP. The reason I mentioned WebID is that following 
> recent discussions at TPAC, we have come to agree on a WebID 
> definition that decouples the identity part from the authentication 
> part, potentially leading to WebID over (TLS, OpenID, BrowserID, 
> etc.). By abstracting the authentication part, LDP can instantly take 
> advantage of WebID's _identity_ part.
>
> I am sure that access control is far from being the main priority of 
> the LDP WG at this point, so I would like to propose that those of us 
> interested in access control could at least try to build a wiki page 
> that would serve as a basis for future work.
>
> Please accept my apologies if this subject has been discussed already, 
> as well as for the length of this email. I have recently started 
> getting involved in LDP, and I haven't had the time to go over the 
> minutes for all the previous teleconfs, though I am catching up with 
> the mailing list discussions.
>
> Best wishes,
> Andrei Sambra (MyProfile)
Andrei,

This is 100% relevant and ultimately critical. We can't continue the 
Internet and Web legacy of deferring resource access control. Prior to 
the Web it was unthinkable to have a system that offered CRUD patterns 
modulo access control functionality.

I think we put these puzzle pieces together (across community groups) as 
follows:

1. WebID - deals with the identity and authentication issues
2. RWW - deals with authorization i.e., RWW-0
3. RWW becomes the segue to LDP since RWW-0 can be used as a 
temporary enhanced showcase for LDP -- this eliminates protracted 
debates dominated by speculation, since this would be a concrete use case 
implementation.

Others: RWW-0 is a basic interop test for those implementing WebID 
protocol based authentication combined with Web Access Control ontology 
based authorization.

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 12 November 2012 19:56:37 UTC