- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Thu, 21 Jun 2012 12:46:17 -0400
- To: public-rww@w3.org
- Message-ID: <4FE34FD9.6060509@openlinksw.com>
On 6/21/12 9:52 AM, Andrei Sambra wrote:
> On 06/21/2012 03:27 PM, Kingsley Idehen wrote:
>> On 6/21/12 5:47 AM, Henry Story wrote:
>>> Andrei Sambra asked a question on dig [1] just now, on how one could
>>> do delegated authentication with WebID. This crosses the lines of webid,
>>> authorisation and ACLs, so I am sending it to the rww group and the webid
>>> community groups.
>>
>> You mean: how http://my-profile.eu (and others) delegate WebID
>> verification to 3rd party services? If that's the question then Andrei
>> can look at:
>>
>> 1. http://id.myopenlink.net/ods/webid_verify.vsp -- WebID verification service
>> 2. http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP -- usage guide (a bit verbose).
>>
>
> That's exactly what my current test version does. It takes an optional
> IdP uri (for delegated authentication), and the certificate of the
> person in whose name the server is making the request. However, this
> means that each user will have to share his/her certificate with the
> server (problem).
>
> Now, what Henry said in 3) is to create a trust relation between the
> user and the robot performing the request (server A). I've been
> thinking about this and I think it's quite easy to implement, even
> without a dedicated HTTP header option, by passing the identity of the
> real user as a GET parameter
> (http://example.com/foaf.rdf?id=<.../andrei/card#me>) during the
> robot's authentication process.
>
> Then the server of the requested resource (server B) can check if the
> graph found at <.../andrei/card#me> contains a <webid:robot> or
> <webid:secretary> resource pointing to the robot's WebID (which he
> used to authenticate in the first place). If it does find this
> resource, it means that Andrei explicitly trusts the robot to fetch
> data on his behalf.
>
> The beauty of it is that server B will not necessarily give access to
> the robot, even though it's acting on behalf of a trusted user.
>
> Andrei

Yes, as per my response to Henry.
We are upping the ante, in a good way. This is what the whole intelligent agent realm is supposed to be about. Thus, we need a delegation-of-authority vocab (what is taking shape) to drive this. We might even have a nice moniker: Delegation Of Authority Vocab (DOAV) :-)

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
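Server B's side of the scheme Andrei describes, written out as an added example (not code from this thread or from any WebID implementation): the robot's WebID is the TLS-authenticated identity, the `?id=` value only names the user, and the delegation triple counts solely if it appears in the document that the user's WebID dereferences to, since that is the document the user controls. The `webid:` namespace expansion, the N-Triples profile and the ACL are assumptions constructed for the example.

```python
import re
from urllib.parse import urldefrag

# Assumed expansion of the "webid:" prefix used in the thread; the message
# gives only the prefix, so this namespace URI is a placeholder.
WEBID_NS = "http://example.org/webid#"
DELEGATION_PREDICATES = {WEBID_NS + "robot", WEBID_NS + "secretary"}

# Constructed sample profile document for <.../andrei/card#me>, in N-Triples
# so that no RDF library is needed. It names exactly one trusted robot.
SAMPLE_PROFILE = """\
<https://example.org/andrei/card#me> <http://xmlns.com/foaf/0.1/name> "Andrei" .
<https://example.org/andrei/card#me> <http://example.org/webid#secretary> <https://robots.example.net/agent#i> .
"""

NT_TRIPLE = re.compile(
    r'^<([^>]*)>\s+<([^>]*)>\s+(<[^>]*>|"[^"]*"(?:\^\^<[^>]*>|@\w+)?)\s*\.$')

def parse_ntriples(text):
    """Parse N-Triples lines into (subject, predicate, object); IRIs unbracketed."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NT_TRIPLE.match(line)
        if not m:
            raise ValueError("unparseable triple: " + line)
        s, p, o = m.groups()
        triples.append((s, p, o[1:-1] if o.startswith("<") else o))
    return triples

def delegation_is_authorized(user_webid, robot_webid, fetch_document):
    """True only if the user's own profile document says this robot acts for them.
    robot_webid: identity proven by the client certificate during TLS.
    user_webid:  the ?id= parameter, an unverified claim on its own."""
    doc_url, _fragment = urldefrag(user_webid)      # dereference the document, not the #me
    triples = parse_ntriples(fetch_document(doc_url))
    return any(s == user_webid and p in DELEGATION_PREDICATES and o == robot_webid
               for s, p, o in triples)

def decide_access(user_webid, robot_webid, acl, fetch_document):
    """Delegation only settles who the request is for; the resource ACL still decides."""
    if not delegation_is_authorized(user_webid, robot_webid, fetch_document):
        return "deny: user profile does not delegate to this robot"
    if user_webid not in acl:
        return "deny: user not in ACL"
    return "allow"

def sample_fetch(doc_url):
    """Stand-in for an HTTP GET of the profile document (constructed data)."""
    return SAMPLE_PROFILE if doc_url == "https://example.org/andrei/card" else ""
```

Note that the robot's own WebID never needs to be in the ACL: it is the user's identity that is authorized, which is the property Andrei calls the beauty of the approach.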
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Thursday, 21 June 2012 16:46:40 UTC