
RE: WebID prehistory

From: Peter Williams <home_pw@msn.com>
Date: Thu, 3 Feb 2011 08:13:07 -0800
Message-ID: <SNT143-w59AAD2D0F3FCD2244D9F4F92E70@phx.gbl>
To: <henry.story@bblfish.net>, <michael.hausenblas@deri.org>
CC: <public-xg-webid@w3.org>

Concerning ldap visibility and scope, we should ask: are all https endpoints publicly accessible? No. The vast majority of wifi routers in homes are http endpoints, but the endpoint is only exposed on the LAN. The same is true for most if not all the modems, with their administration http endpoints.
We have to be fair on ldaps. Some of us are cognizant of major shifts in the world of the cloud, as traditionally enterprise-centric ldap endpoints are extended beyond the LAN onto the subnets supporting the firm's cloud presence - turning the intranet ldap endpoints into extranet endpoints. Folks familiar with SAML and webSSO will know that ldap proxies exist to support public SAML endpoints, allowing the websso flow to leverage the semi-hidden directories as an attribute store and authentication authority. This extranet angle enables one to project private federations of ldap namespaces across the internet. This topic generalises as a wider issue, as below.
We also have a "scoping" decision to take: just like http/https is defined for use in intranets, is webid protocol to be usable in an intranet setting, using private profiles that are NEVER to be exposed to the web?
I find that question philosophical, as I include intranets in "the web" - as my web includes my private compartments, and I expect yours to exist too (and yours, and ...). But then... I'm a security type: I think in terms of compartments. Others may want to say (in traditional W3C tone) there does exist a nether world (of un-web behaviour) that is slightly second class, called intranets and cloud hosted extranets, and those enterprises who merely span over the web/internet without "contributing".
Perhaps have a look at the world of certs to help us to see how certs (a security construct) address compartments in the unweb/web of today: If you look at the URI pointers to CRLs that are stored within certs issued by the typical LAN CA, there are probably 3: http://intranet-netbios-name/foo.crl, http://public.com/foo.crl, file://c:\\domain\\certSvr\foo.crl. I.e. multiple URIs, each aligned with a naming practice for scheme and authority that cooperates with the "visibility" of the compartment, and the cert's use pattern.
So perhaps we incidentally identified an issue: intranet naming (in webids) and internet naming (in webids). Does this go into the multiple URI issue bucket?
> > The authenticated directory operation in 1998 had a validity model much like FOAF+SSL had - in that the server receiving the peer entity authentication handshake would typically send the client cert in support, and the receiving server would then issue a callback operation to collect/verify that the cert was indeed in the named directory entry, once located by an act of subject name de-referencing. Obviously, it's critical to ensure the requesting entity is not being spoofed or misled about the agent's authority to speak for that container, authoritatively.
> Would you like to write this all up on the wiki, so that we can refer people to it? I think this could be a deliverable. I am thinking we could put this in a space where we do a series of comparison of WebID with other technologies that were very close to getting this right.
> We just need to see where the best space to put this up would be. This would be a bit like a spec, in that we would then have to go over it and edit it as a group, but it won't have to be as tightly written as the spec itself.
> The paper/note should be relatively short: 1 or max 2 pages. Perhaps we have a template for this hanging around?

That's a good idea. I need a volunteer even at stage 1 (not Henry) - a co-author. The person should have standard familiarity with the nature of ldap, but should be mostly rigorous as an academic writer. This will complement me. I have the know-how in the theory behind ldap (which we can call X.500), I just don't have any skills in writing in the manner of text books. (What I once had I've lost, having written a million emails since then.)
I'm happy to take the 3 notes already written and cast them into the form of writing, probably keeping about 50% of the sentences. Then I want someone to go and simply do a (vicious) rewrite, offline. Then I'll go back and ensure any lost know-how is returned. We can post the page, and the wider community can then take it over, and do with it as they want when re-editing.
Received on Thursday, 3 February 2011 16:14:02 UTC
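The authenticated-directory callback Peter recalls in the quoted paragraph above, written up as an added example that is not part of this thread or of any WebID implementation: the relying server dereferences the client cert's subject DN to a directory entry, refuses directories that are not authoritative for that naming context (the spoofing concern he raises), and confirms the presented public key is the one published in the entry. Server URLs, naming contexts, entries and key bytes are constructed placeholders.

```python
# Added example (not from the thread): the 1998-style authenticated-directory
# callback that FOAF+SSL/WebID echoes. The relying server dereferences the
# client cert's subject name to a directory entry and checks the presented
# key is published there. All URLs, contexts, entries and keys are constructed.
import hashlib

def normalize_dn(dn):
    # RFC 4514 DNs: treated case-insensitively, whitespace around commas dropped.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def dn_in_context(dn, context):
    # A DN lives in a naming context if it equals it or ends with ",<context>".
    dn, context = normalize_dn(dn), normalize_dn(context)
    return dn == context or dn.endswith("," + context)

def spki_fingerprint(spki_der):
    # SHA-256 over the SubjectPublicKeyInfo bytes (constructed bytes below).
    return hashlib.sha256(spki_der).hexdigest()

ALICE_KEY = b"constructed-spki-for-alice"
# Constructed directory: the naming contexts each server is authoritative for,
# and the entries it serves with their published key fingerprints.
DIRECTORY = {
    "ldaps://dir.example": {
        "naming_contexts": ["o=example"],
        "entries": {"cn=alice,ou=people,o=example": {spki_fingerprint(ALICE_KEY)}},
    },
    # Serves a copy of alice's entry but is not authoritative for o=example.
    "ldaps://rogue.example": {
        "naming_contexts": ["o=rogue"],
        "entries": {"cn=alice,ou=people,o=example": {spki_fingerprint(b"other-key")}},
    },
}

def verify_peer(subject_dn, spki_der, server, directory=DIRECTORY):
    # Return (ok, reason) for a client cert checked against the callback server.
    srv = directory.get(server)
    if srv is None:
        return False, "unknown directory server"
    # Refuse servers that are not authoritative for the subject's container,
    # otherwise any directory could vouch for any name.
    if not any(dn_in_context(subject_dn, c) for c in srv["naming_contexts"]):
        return False, "server not authoritative for subject naming context"
    entry = srv["entries"].get(normalize_dn(subject_dn))
    if entry is None:
        return False, "no entry for subject"
    if spki_fingerprint(spki_der) not in entry:
        return False, "presented key not published in entry"
    return True, "ok"
```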
