Re: Webkeys, OpenID, WebID, OAuth etc..

On 4/22/13 5:25 PM, Dave Longley wrote:
>
> I think this lack of understanding is still true today and there is no 
> transitional technology in place to get people to adopt WebID...

How about this suggestion. Let's separate this over-conflated thing we 
refer to as "WebID" into the relevant parts:

1. Identifier for denoting Agents -- a WebID
2. WebIDAuth -- RDF model based Linked Data protocol for verifying 
identities denoted by WebIDs
3. A token that holds a cryptographically verifiable claims graph that 
includes a WebID -- e.g., an X.509 cert with a WebID in its SAN (this 
could also be some other kind of token that holds cryptographically 
verifiable claims)
4. Profile Document -- Web Resource that bears the profile data for an 
Identity denoted using a WebID.

How does WebIDAuth work?

A WebID that's part of a cryptographically verifiable token resolves to 
a profile document comprised of an RDF graph that enables the use of 
machine-readable relationship semantics to infer that:

1. a WebID is associated with an RSA or DSA public key
2. the token signature is verifiable using the RSA or DSA public key in #1 
(basically, that it can verify the signature produced using the 
associated private key).


Given the above, you can implement WebIDAuth as follows:

1. enhancement to TLS -- whereby the WebIDAuth just adds to the TLS 
handshake
2. enhancement to a TLS alternative -- which is where Payswarm comes in.

All of this can happen right now. When done, everyone will find peace 
from the satisfaction of decoupling RDF model semantics from specific 
data formats and across-the-wire protocols :-)

It will work fine.

-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 22 April 2013 21:46:23 UTC
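
The profile-graph check described in the message above, as an added example that is not part of the original post or of any WebID implementation. It assumes the profile is served as N-Triples and uses the W3C cert ontology terms (`cert:key`, `cert:modulus`, `cert:exponent`); the function names, WebIDs and key values are constructed, and proof that the client holds the private key is assumed to come from the token's own signature check (e.g. the TLS handshake).

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"  # assumed vocabulary, not named in the post
# One N-Triples statement: subject, predicate, then an IRI, blank node or literal object.
TRIPLE = re.compile(
    r'^(<[^>]*>|_:\S+)\s+<([^>]*)>\s+(<[^>]*>|_:\S+|"[^"]*"(?:\^\^<[^>]*>)?)\s*\.\s*$')

def parse_ntriples(text):
    """Return (subject, predicate, object); literals lose their quotes and datatype."""
    triples = []
    for line in text.splitlines():
        m = TRIPLE.match(line.strip())
        if m:
            s, p, o = m.groups()
            if o.startswith('"'):
                o = o[1:o.rindex('"')]
            triples.append((s, p, o))
    return triples

def keys_for(webid, triples):
    """Collect (modulus, exponent) pairs the graph links to this WebID via cert:key."""
    subject = f"<{webid}>"
    keys = set()
    for s, p, key_node in triples:
        if s != subject or p != CERT + "key":
            continue  # a key listed under some other agent must not count
        props = {p2: o2 for s2, p2, o2 in triples if s2 == key_node}
        mod, exp = props.get(CERT + "modulus"), props.get(CERT + "exponent")
        if mod and exp:
            keys.add((int(mod, 16), int(exp)))
    return keys

def webid_claim_holds(san_webid, cert_modulus, cert_exponent, profile_text):
    """True only if the profile graph ties the SAN WebID to the exact key in the token."""
    return (cert_modulus, cert_exponent) in keys_for(san_webid, parse_ntriples(profile_text))

# Constructed sample profile document and key values (not real keys).
PROFILE = """
<https://alice.example/profile#me> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "00cb24ed85d64d794b"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
<https://mallory.example/profile#me> <http://www.w3.org/ns/auth/cert#key> _:k2 .
_:k2 <http://www.w3.org/ns/auth/cert#modulus> "00aa11"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k2 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""
```

A real verifier would dereference the WebID over HTTPS to obtain the profile and would reject the token when the lookup fails or the graph lists no matching key.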