- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Thu, 21 Jun 2012 12:42:25 -0400
- To: public-rww@w3.org
- Message-ID: <4FE34EF1.8000007@openlinksw.com>
On 6/21/12 9:52 AM, Henry Story wrote: > On 21 Jun 2012, at 15:27, Kingsley Idehen wrote: > >> On 6/21/12 5:47 AM, Henry Story wrote: >>> Andrei Sambra asked a question on dig [1] just now, on how one could do delegated authentication with >>> WebID. This crosses the lines of webid, authorisation and ACLs, so I am sending it to the rww group >>> and the webid community groups. >> You mean: how http://my-profile.eu (and others) delegate WebID verification to 3rd party services? If that's the question then Andrei and look at: > Not quite. The problem is more about a server doing something on my behalf. We assume the server can authenticate correctly with WebID: it has its own public/private keys. > > So if my FreedomBox were to have only me as a user, and my FreedomBox wanted to fetch stuff for me and AS me, it could simply create a public key for me and add it to my profile, and everything would be fine there. One could think of the freedom box as an extension of me in David Chalmer's sense [1]. The FreedomBox could connect to a service and that service would not know the difference to my connecting from my browser. I don't see much of an issue here. > > If on the other hand we had a university social network, and it wanted to do some things for me, then how would we get it to do that without having to pretend to be me - which it could physically do as I explained as scenarios 1 and 2 in the original e-mail. For this we can use the proposed solution of a cert:secretary relation ( or an auth:secretary ) added in my profile pointing from me to the university server robot secretary (or perhaps an external robot secretary service), and that secretary robot could identify as itself but act for me (by adding something to the header to make that clear). Okay, we have a software agent associated with entity: you. Said agent has been authorized by you to perform specific tasks on your behalf, and we want to express all of this in an graph. Basically, we need an Agent Authorization graph to drive this. > > The nice thing about this is that it is just a question of access control. delegation of authority + access control . > We would need the auth:secretary relation to be widely used and understood, so that it could be added to access control rules. > > One point I forgot to mention: if the robot secretary named <http://robosecretary.com/eu/d2#rq> logs in with that WebID to server S with a request containing the > > Acting-on-behalf-of: <http://my-profile.eu/joe#me> > > header then S needs to also dereference <http://my-profile.eu/joe> in order to check that it contains the > statement > > <http://my-profile.eu/joe#me> auth:secretary <http://robosecretary.com/eu/d2#rq> . Yep! > > If it does then S knows that it can trust - to a certain extent - the robot with information destined to Joe. Okay, we are now in the Web 4.0 zone re. smart agents driven by Linked Data :-) Kingsley > > Henry > > > [1] http://consc.net/papers/extended.html > > >> 1. http://id.myopenlink.net/ods/webid_verify.vsp -- WebID verification service >> 2. http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP -- usage guide (a bit verbose) . >> >> -- >> >> Regards, >> >> Kingsley Idehen >> Founder & CEO >> OpenLink Software >> Company Web: http://www.openlinksw.com >> Personal Weblog: http://www.openlinksw.com/blog/~kidehen >> Twitter/Identi.ca handle: @kidehen >> Google+ Profile: https://plus.google.com/112399767740508618350/about >> LinkedIn Profile: http://www.linkedin.com/in/kidehen >> >> >> >> >> > Social Web Architect > http://bblfish.net/ > > > -- Regards, Kingsley Idehen Founder & CEO OpenLink Software Company Web: http://www.openlinksw.com Personal Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca handle: @kidehen Google+ Profile: https://plus.google.com/112399767740508618350/about LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Thursday, 21 June 2012 16:42:49 UTC