Re: [unhosted] Re: Unhosted.org Project and WebID

On 9 Apr 2011, at 21:12, Michiel de Jong wrote:

> Hi all!

Welcome Michiel, thanks for posting.
> 
> 
> We should definitely work together. I know WebID through Henry Story, and have always found it intriguing. Let's brainstorm about how Unhosted and WebID can be combined to unite strengths.
> 
> On Sat, Apr 9, 2011 at 6:47 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> [...]
> http://www.w3.org/DesignIssues/CloudStorage.html
> 
> 
> Yes, I must have read that article when I was still working on the proof-of-concept in December, because I remember the illustration. That's probably why Unhosted ended up so similar to Tim Berners-Lee's design. :)
> 
> Let me try to explain why WebID is not part of the unhosted stack already, and then we can talk about how it can all fit together. This may sound negative, but it's really not, I'm just highlighting the parts I think we should talk about. The way I see it, WebID hooks into functionality on three levels:
> - (FOAF+SSL:) finding where your data is / who is sitting at the keyboard
> - (SSL:) storing your private key for transport-layer encryption (as opposed to payload encryption)
> - (FOAF:) define, in a machine-readable format, my interests, photo, activities, photos, microblog entries, ...
> 
> About finding where your data is / who is sitting at the keyboard: right now we have that working with webfinger and client-side oauth2, you can try logging into http://www.myfavouritesandwich.org/ using user 'demo@demo.redlibre.org' and password 'demo' to see the user experience. IMHO this UX is better than what is achieved with WebID, mainly because as long as you remember your OAuth password, you can use any computer, any browser. The password can even be avoided by session cookie or letting your browser remember the password. Unless I'm missing something here, I think the way WebID depends on you using the same browser would work best on mobile phones, and not so much on internet cafe computers. That's why for this point I would prefer to stick with webfinger+oauth, instead of introducing WebID at this level.

One could very likely permit both types of logins. WebID when possible, OAuth when not. It would be interesting to see how OAuth could be tied into the foaf profile too. http://openid4.me showed how this could be done with openid. It would be surprising if nothing similar could be done with OAuth.

> About the cryptography: SSL is entirely transport-layer, the handshake is interactive. I think in a federated world, where nodes/servers/storage providers are a commodity, we should not need to trust these commodity servers. We need end-to-end encryption, or 'payload encryption'. An unhosted web app can encrypt your data in the browser before sending it to the commodity storage server, to prevent your commodity server, or your friend's commodity server, from spying, or stealing your identity. You still only trust the app. Only then, would I say, does the storage server become a commodity.

Yes, though that makes the storage server only a storage server. It can no longer work dynamically with the content. If the server decrypts anything then it is open to being viewed by the server owner. It is true that WebID is not making that type of service its core priority.

> 
> About the linked data: I do not understand well enough how foaf and OStatus relate to each other to be able to say anything about that. Right now, we are working on the basis of the unhosted architecture, and spinning up a small ecosystem with a few unhosted account providers and a few entertaining unhosted web apps. Not all of these are primarily social, like a todo-list app, or a text editor app, etcetera. We are only 3 donations-based full-time developers, plus the people on the mailing list. So far nobody has had time to start working on "unhosted.social".

In a paper we put together for a talk on the Privacy Aware web we have a little use case where we describe how WebID can work to enable social collaboration and sharing of resources.

http://www.w3.org/wiki/PrivacyAwareWeb

A good example is from my lion machine sawing mum [1], who makes videos of everybody she meets and cannot send that content to her friends by email of course. Making something public on youtube would work but is rude. So is asking people to become members of some video site just to watch a video they may not care about. The right thing to do is to publish it on your space, give access to all your friends - whoever they are at a point in time, and to allow the people appearing in the video to decide what access control rules they should enable. This is the kind of use case I think Web Id makes very easy to implement.

hope that helps,

Henry

> 
> CC: Laurent, you know much more about this topic than me, what's your opinion on foaf, xmpp, and OStatus? Can the three be integrated into one thing?
> 
> 
> Cheers!
> Michiel


[1] http://www.flickr.com/photos/bblfish/sets/72157626199366737/

Social Web Architect
http://bblfish.net/

Received on Monday, 11 April 2011 21:38:30 UTC
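
The payload encryption discussed in the thread above, sketched as an added example (not code from the Unhosted project or from either poster). It uses Node's built-in crypto module as a stand-in for the browser; `UntrustedStore`, `sealAndStore` and `fetchAndOpen` are hypothetical names, and the scrypt plus AES-256-GCM construction is an assumption chosen for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for the commodity storage server: it only ever holds opaque blobs.
class UntrustedStore {
  constructor() { this.blobs = new Map(); }
  put(path, blob) { this.blobs.set(path, Buffer.from(blob)); }
  get(path) { return this.blobs.get(path); }
}

// Key is derived on the client from a secret the server never sees.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt on the client, then upload salt || iv || tag || ciphertext.
function sealAndStore(store, path, passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per write
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  // Bind the ciphertext to its path so the server cannot swap blobs around.
  cipher.setAAD(Buffer.from(path, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  store.put(path, Buffer.concat([salt, iv, cipher.getAuthTag(), ct]));
}

// Download and decrypt; throws if the blob was modified or moved by the server.
function fetchAndOpen(store, path, passphrase) {
  const blob = store.get(path);
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(path, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample data.
const demoStore = new UntrustedStore();
sealAndStore(demoStore, '/notes/todo', 'constructed-passphrase', 'buy bread');
console.log(fetchAndOpen(demoStore, '/notes/todo', 'constructed-passphrase'));
```

Because the server holds only ciphertext, it can store and return the blob but cannot index, transform or serve views of the content, which is the trade-off raised in the reply.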