
Re: [unhosted] Re: Unhosted.org Project and WebID

From: Michiel de Jong <michiel@unhosted.org>
Date: Sat, 9 Apr 2011 21:12:06 +0200
Message-ID: <BANLkTi=yssusWFoaeUXtoWM-cO_T3mUDFg@mail.gmail.com>
To: unhosted@googlegroups.com
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Kingsley Idehen <kidehen@openlinksw.com>, jeff@sayremedia.com, WebID XG <public-xg-webid@w3.org>, "@eschnou" <laurent.eschenauer@gmail.com>
Hi all!

We should definitely work together. I know WebID through Henry Story, and
have always found it intriguing. Let's brainstorm about how Unhosted and
WebID can be combined to unite strengths.

On Sat, Apr 9, 2011 at 6:47 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> [...]
> http://www.w3.org/DesignIssues/CloudStorage.html

Yes, I must have read that article when I was still working on the
proof-of-concept in December, because I remember the illustration. That's
probably why Unhosted ended up so similar to Tim Berners-Lee's design. :)

Let me try to explain why WebID is not part of the unhosted stack already,
and then we can talk about how it can all fit together. This may sound
negative, but it's really not, I'm just highlighting the parts I think we
should talk about. The way I see it, WebID hooks into functionality on three
- (FOAF+SSL:) finding where your data is / who is sitting at the keyboard
- (SSL:) storing your private key for transport-layer encryption (as opposed
to payload encryption)
- (FOAF:) define, in a machine-readable format, my interests, photo,
activities, photos, microblog entries, ...

About finding where your data is / who is sitting at the keyboard: right now
we have that working with webfinger and client-side OAuth2, you can try
logging into http://www.myfavouritesandwich.org/ using user
'demo@demo.redlibre.org' and password 'demo' to see the user experience. IMHO
this UX is better than what is achieved with WebID, mainly because as long
as you remember your OAuth password, you can use any computer, any browser.
The password can even be avoided by session cookie or letting your browser
remember the password. Unless I'm missing something here, I think the way
WebID depends on you using the same browser would work best on mobile
phones, and not so much on internet cafe computers. That's why for this
point I would prefer to stick with webfinger+OAuth, instead of introducing
WebID at this level.

About the cryptography: SSL is entirely transport-layer, the handshake is
interactive. I think in a federated world, where nodes/servers/storage
providers are a commodity, we should not need to trust these commodity
servers. We need end-to-end encryption, or 'payload encryption'. An unhosted
web app can encrypt your data in the browser before sending it to the
commodity storage server, to prevent your commodity server, or your friend's
commodity server, from spying, or stealing your identity. You still only
trust the app. Only then, would I say, does the storage server become a

About the linked data: I do not understand well enough how FOAF and OStatus
relate to each other to be able to say anything about that. Right now, we
are working on the basis of the unhosted architecture, and spinning up a
small ecosystem with a few unhosted account providers and a few
entertaining unhosted web apps. Not all of these are primarily social, like
a todo-list app, or a text editor app, etcetera. We are only 3
donations-based full-time developers, plus the people on the mailing list.
So far nobody has had time to start working on "unhosted.social".

CC: Laurent, you know much more about this topic than me, what's your
opinion on FOAF, XMPP, and OStatus? Can the three be integrated into one

Received on Monday, 11 April 2011 20:47:21 UTC
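
The payload encryption described in the message above, as an added JavaScript example that is not part of the original e-mail and is not Unhosted's own code: the client encrypts before upload, so the storage server only ever holds an opaque blob and cannot alter or swap items undetected. The function names, the PBKDF2 and AES-GCM choices, the blob layout and the use of the item path as authenticated data are all assumptions made for this illustration.

```javascript
// Added illustration, not Unhosted's code. Uses the WebCrypto API that browsers expose;
// on Node versions without a global `crypto`, fall back to the built-in module.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const SALT_LEN = 16, IV_LEN = 12, HEADER_LEN = SALT_LEN + IV_LEN;
const KDF_ITERATIONS = 600000; // assumed work factor for this example

// Derive an AES-256-GCM key from a passphrase that never leaves the client.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: KDF_ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Client side, before upload. The item path is bound as additional authenticated
// data, so the server cannot hand back one item's ciphertext under another name.
// Returns the blob the storage server would hold: salt || iv || ciphertext+tag.
async function sealForStorage(passphrase, path, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_LEN));
  const iv = wc.getRandomValues(new Uint8Array(IV_LEN)); // fresh nonce per write
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(path) },
    key, enc.encode(plaintext)));
  const blob = new Uint8Array(HEADER_LEN + ct.length);
  blob.set(salt, 0);
  blob.set(iv, SALT_LEN);
  blob.set(ct, HEADER_LEN);
  return blob;
}

// Client side, after download. Rejects (OperationError) when the passphrase is
// wrong, the blob was modified, or the blob was stored under a different path.
async function openFromStorage(passphrase, path, blob) {
  const salt = blob.slice(0, SALT_LEN);
  const iv = blob.slice(SALT_LEN, HEADER_LEN);
  const key = await deriveKey(passphrase, salt);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(path) },
    key, blob.slice(HEADER_LEN));
  return dec.decode(pt);
}
```

The passphrase here is a separate secret from whatever credential authorises access to the storage server; if the server could learn it, the blob would no longer be opaque to the server.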
