- From: Dan Brickley <danbri@danbri.org>
- Date: Tue, 25 Jan 2011 21:36:25 +0100
- To: Henry Story <henry.story@bblfish.net>
- Cc: Stéphane Corlosquet <scorlosquet@gmail.com>, Alexandre Passant <alexandre.passant@deri.org>, nathan@webr3.org, WebID XG <public-xg-webid@w3.org>
[interesting discussion snipped]

A quick comment re ACLs from a FOAF-ish perspective:

Most RDF linked data work has tended not to use OWL, except for owl:sameAs statements for expressing numerical identity (one-and-the-same-thing-ness). However OWL is very powerful for describing rules for picking out classes of things in terms of their properties. This has some natural application to expression of ACLs.

In many ways this is orthogonal from the details of the core WebID protocol, which just (like OpenID, some uses of OAuth) lets people prove that they control some online account / document.

So I think there is a case for working out some OWL-based approaches to expressing ACLs in terms of RDF and OWL and OWL rules, in a way that works with *any* technique for demonstrating evidence of who someone is. Once done, this could of course be exploited in WebID-based interactions with a site, something along the 'proof carrying authorization' direction, e.g. http://www.ece.cmu.edu/~lbauer/papers/pcaprototr.pdf

So I'd really encourage folk to revisit the OWL tools, especially OWL2 which allows some convenient idioms. See http://lists.foaf-project.org/pipermail/foaf-dev/2010-November/010488.html for examples that model FOAF Group as [via punning] simultaneously a class, and as an individual. The earlier FOAF idioms used separate entities for those, linked by foaf:membershipClass. But that idiom didn't get much use.

What I'm thinking is we should investigate a kind of nice GUI for talking about (sub-) classes of Person, Organization etc., not a general purpose ontology editor but one biased towards these particular kinds of object, and with more focus on provenance/truth/evidence for claims.

So for example (in a made up language),

    Let gsent = persons I sent mail to, more than twice on most weeks, according to my gmail account danbrickley@gmail.com
    Let blogok = persons whose comments I accepted on my blog http://danbri.org/words/
    Let dopplr = persons who I share my locations with on dopplr
    [more complicated stuff that would map down to OWL could go here, but keeping a simple example for now]
    Let group1 = gsent + blogok + dopplr

...i.e. to be able to use some UI (or domain specific language) to characterise groups of people/agents, typically by ref to some authority or service

...then to compose those (with OWL's building blocks),

... and use the result to express ACL rules.

So I could tell a Wiki to give "edit" privileges to 'group1'. Whether this is a static compiled snapshot of group1, or whether it accepts anyone who can prove they match that group's rules, ... is very much open to debate. I can see value in both.

(let me know when it's time to switch lists :)

cheers,

Dan

ps. and congrats on launching the group!
Received on Tuesday, 25 January 2011 20:37:00 UTC
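
An added example, not part of the original message: a Python sketch of the group composition described above, showing how the static-snapshot and evaluate-on-request readings of the "edit" rule diverge once an authority withdraws a membership. The agent URIs, membership data and the `Acl` class are constructed for illustration, and the agent is assumed to have already proven control of its identifier (by WebID or any other method).

```python
# Added illustration; all agent URIs and membership data are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set

Group = Callable[[], FrozenSet[str]]

# Each authority stands in for a service (mail, blog, location sharing)
# that can be asked who currently matches a rule. Here they are plain sets.
AUTHORITIES: Dict[str, Set[str]] = {
    "gsent": {"https://alice.example/#me", "https://bob.example/#me"},
    "blogok": {"https://bob.example/#me", "https://carol.example/#me"},
    "dopplr": {"https://dave.example/#me"},
}

def source(name: str) -> Group:
    """Group defined by reference to one authority, resolved at call time."""
    return lambda: frozenset(AUTHORITIES[name])

def union(*groups: Group) -> Group:
    """Composite group, the counterpart of an OWL unionOf class expression."""
    return lambda: frozenset().union(*(g() for g in groups))

@dataclass
class Acl:
    """Maps a privilege to a group, checked live or against a frozen snapshot."""
    rules: Dict[str, Group] = field(default_factory=dict)
    snapshots: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def grant(self, privilege: str, group: Group) -> None:
        self.rules[privilege] = group
        self.snapshots[privilege] = group()  # compiled once, at grant time

    def allowed(self, agent: str, privilege: str, live: bool) -> bool:
        if privilege not in self.rules:
            return False  # default deny for unknown privileges
        members = self.rules[privilege]() if live else self.snapshots[privilege]
        return agent in members

group1 = union(source("gsent"), source("blogok"), source("dopplr"))
wiki = Acl()
wiki.grant("edit", group1)

def demo():
    """Check one agent in both modes, before and after revocation."""
    dave = "https://dave.example/#me"
    before = (wiki.allowed(dave, "edit", live=False), wiki.allowed(dave, "edit", live=True))
    AUTHORITIES["dopplr"].discard(dave)  # sharing withdrawn at the authority
    after = (wiki.allowed(dave, "edit", live=False), wiki.allowed(dave, "edit", live=True))
    return before, after
```

The snapshot keeps granting "edit" after the authority has dropped the member, so a compiled ACL needs a refresh or expiry policy, while the live check depends on every authority being reachable and trustworthy at request time.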