- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 27 Jan 2011 19:56:32 +0100
- To: nathan@webr3.org
- Cc: WebID XG <public-xg-webid@w3.org>
[dropping foaf-protocols]

On 27 Jan 2011, at 03:17, Nathan wrote:

> This is the four party auth I mentioned earlier in the year,

So this would be something that should be looked at with ISSUE-4: "Detail Authorization "protocol" using WebID"

> but never mentioned in detail, roughly the protocol would be:
>
> client: this is my cert (key pair w/ webid) - CC
> server: this is my cert (key pair w/ webid) - CS

Though actually this is done in one https connection, and it happens the other way around: with the server first proposing its certificate, asking the client for its cert, which the client can then choose to send.

> client: take webid from CS, place in CC-webid foaf file
> server: take webid from CC, place in CS-webid foaf file

If this is an authorisation protocol, don't we need a place perhaps for a decision somewhere? Or at least a signal to be sent that the client or server is seeking to create some relationship with the other party? There is a dialog missing in your sketch between the two parties.

In the "Sketch of a Photo Printing Service" this is enabled by placing a relation to an authorization end point in the Profile Document.

http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo

> client: check CS-webid foaf file for CC-webid and CS-key
> server: check CC-webid foaf file for CS-webid and CC-key

Here you seem to be checking the identity of the other party after having added them to your profile. That seems to be the wrong way around.

> The above covers all bases: it ensures the user and the server are who
> they say they are, still have write permission to their respective
> webid resources, ensures HTTP+TLS in all communications, allows ACL
> controlled responses from each webid resource to only give the (server
> or client) access to the info it's allowed to see. And it would be
> webid for the server too, and get rid of the traditional trust chain,
> making room for a new linked-data web of trust.
>
> Essentially, this would replace everything from openid to oauth and
> beyond.
>
> thoughts? and apologies it took me so long to mention properly on list.

I would be interested in your feedback on how you think this improves over the restful photo service.

Henry

> Best,
>
> Nathan
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Social Web Architect
http://bblfish.net/
Received on Thursday, 27 January 2011 18:57:08 UTC
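Added example, not from this thread and not either author's code: the "check the other party's profile for their key" step of Nathan's sketch, carried out inside a single TLS connection in the order Henry describes (server offers its certificate first and asks for the client's), written in Go with only the standard library. Both parties hold self-signed certificates with the WebID in the subjectAltName URI; neither side validates a CA chain, and instead each accepts the peer's certificate only if the profile reachable at the peer's WebID lists the same RSA modulus and exponent. Assumptions: the WebIDs https://alice.example/card#me and https://print.example/service#it are made up, and the Profiles map stands in for fetching and parsing the profile documents over HTTPS. Only the mutual identity check is modelled; the authorisation dialogue Henry says is missing from the sketch is not. The second handshake in main presents a fresh key under Alice's WebID that her profile never listed, and the server refuses it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Profiles stands in for the web: WebID -> RSA keys its profile document publishes as
// cert:modulus / cert:exponent (constructed data in place of fetching the RDF over HTTPS).
type Profiles map[string][]*rsa.PublicKey

// must keeps the setup short: key generation and loopback sockets only fail on a broken machine.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIdentity mints an RSA key and a self-signed certificate carrying the WebID as a subjectAltName
// URI. A non-nil publishTo also lists the key under that WebID (the "place it in the foaf file" step).
func NewIdentity(webid string, publishTo Profiles) tls.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{must(url.Parse(webid))},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	if publishTo != nil {
		publishTo[webid] = append(publishTo[webid], &key.PublicKey)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// VerifyWebID is the "check the peer's profile for the peer's key" step: accept the certificate only
// if a profile at one of its SAN URIs lists the exact modulus and exponent it carries. No CA involved.
func VerifyWebID(leaf *x509.Certificate, profiles Profiles) (string, error) {
	pub, _ := leaf.PublicKey.(*rsa.PublicKey) // nil for non-RSA keys, which then match nothing
	for _, u := range leaf.URIs {
		for _, k := range profiles[u.String()] {
			if pub != nil && k.E == pub.E && k.N.Cmp(pub.N) == 0 {
				return u.String(), nil
			}
		}
	}
	return "", fmt.Errorf("certificate key is not published at any claimed WebID %v", leaf.URIs)
}

// Exchange runs one mutually authenticated TLS handshake over loopback TCP: the server offers its cert
// first and asks for the client's, and each side runs VerifyWebID on what it received instead of a CA check.
func Exchange(client, server tls.Certificate, profiles Profiles) (serverID, clientID string, err error) {
	cfg := func(me tls.Certificate, peer *string) *tls.Config {
		return &tls.Config{
			Certificates:       []tls.Certificate{me},
			ClientAuth:         tls.RequireAnyClientCert, // server side: demand a cert, build no chain
			InsecureSkipVerify: true,                     // client side: no CA; the callback decides
			VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
				leaf, err := x509.ParseCertificate(raw[0])
				if err != nil {
					return err
				}
				*peer, err = VerifyWebID(leaf, profiles)
				return err
			},
		}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		errc <- tls.Server(conn, cfg(server, &clientID)).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	cerr := tls.Client(conn, cfg(client, &serverID)).Handshake()
	conn.Close()
	if serr := <-errc; serr != nil || cerr != nil {
		return "", "", fmt.Errorf("server says %v; client says %v", serr, cerr)
	}
	return serverID, clientID, nil
}

func main() {
	profiles := Profiles{}
	alice := NewIdentity("https://alice.example/card#me", profiles)
	printer := NewIdentity("https://print.example/service#it", profiles)
	fmt.Println(Exchange(alice, printer, profiles))
	fmt.Println(Exchange(NewIdentity("https://alice.example/card#me", nil), printer, profiles))
}
```

Run it with go run: the first line prints the two accepted WebIDs and a nil error, the second prints the rejection of the unpublished key. The client sets InsecureSkipVerify only because VerifyPeerCertificate takes over the decision; without that callback the same setting would switch server authentication off entirely, which is the usual way this configuration goes wrong.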