
Re: [foaf-dev] Re: privacy and open data

From: Story Henry <henry.story@bblfish.net>
Date: Wed, 26 Mar 2008 12:36:10 +0100
Cc: Julian Bond <julian_bond@voidstar.com>, foaf-dev of a Friend <foaf-dev@lists.foaf-project.org>
Message-Id: <C8D562F9-D2F3-401E-B50E-96E8BE394165@bblfish.net>
To: Story Henry <henry.story@bblfish.net>, Semantic Web <semantic-web@w3.org>

On 25 Mar 2008, at 19:04, Story Henry wrote:
>
> On 25 Mar 2008, at 18:59, Julian Bond wrote:
>> Benjamin Nowack <bnowack@semsol.com> Tue, 25 Mar 2008 15:51:08
>>> That's as simple and close to existing mechanisms as I could get it.
>>> Unlike OpenID and oAuth, there is no need for redirects, so  
>>> RDFAuth works
>>> for non-browser agents, which was my main requirement.
>>
>> I feel like I'm missing something here. oAuth was built  
>> specifically to enable non-browser agents and non-UI applications  
>> to have good authentication. And it feels like you're re-inventing  
>> oAuth. And I'm not sure why.
>
> Well I may be reinventing it because its obvious. Which would be  
> good :-)
> Let me check it out, since it comes up again and again.

Ok, so I read the initial incomplete getting-started documentation on  
oAuth, and quickly perused the spec. There are parts that are  
interesting and may be useful, and also I may have missed some  
important bits. My initial feeling is that oAuth could be a lot better  
if it made use of Linked Data [1].

Just from reading the getting started documentation I had the  
following reservations:

  - I am not looking for one-time authorisation to access resources,  
which is what oAuth provides.
  - A client such as the Beatnik Address Book is not a web client. It  
is a Semantic Web client. So the User Agent is a consumer of data, not  
of human readable content. oAuth seems to be designed for reading  
human consumable web pages. The human reading the site has a few  
things to read, then gets redirected, then enters his password in his  
old site, then gets redirected again. As a result his pictures that  
belonged to one site now appear in another web site, ...
  - I have a feeling that the oAuth protocol is a pairwise protocol.  
It seems that every site has to get into a contract with every other  
web site they want to do business with for this to work. I don't see  
this scaling as it is. Perhaps with semantic help it could.

What I am looking for is even simpler than oAuth at the first level. I  
want simply the server to be able to decide what representation to  
return to a user. The user is initially (usually) not identified. So  
the resource should know how to return a default representation, and  
let the client know that more information is available. If the user  
identifies himself then more information is made available. What the  
server decides to make available or not is not of interest here.  
Presumably the server has a notion of groups and a notion of  
information that can be made available to members of these groups.

Since the best way to identify a user is with a URI, a la foaf, we  
should use a URI identifier. Note, this need not be a person. It could  
also be a foaf:Agent. In order to help make sure that the user is who  
he says he is, he encrypts a string (e.g. the URI of the requested  
resource appended with a nonce) with a PGP private key that is  
available from his identifier. (use of linked data)

I don't think one can do simpler than that.

Now on top of that I can imagine a service like oAuth being built.  So  
let us give the Beppa eco-friendly printing site a foaf file

http://beppa.com/#company

which could be encoded in rdfa in the html of the front page. [2]

then what is needed would be a way for beppa to ask to be added to a  
group which gives short term access to resources belonging to another  
agent (why not identify him via his foaf id?). This seems to be all  
that oAuth is doing. Once that is settled, we are back to our very  
simple use case described above. Beppa could then ask for the  
resources by identifying itself as beppa, and the server could then  
return the correct representations. So it seems one could build one on  
top of the other.

So from what I have read at present I think at first what is needed is  
just the very simple protocol a la RDFAuth that was mentioned  
previously. More complex services can be built on top of that.

Does that sound right? Have I missed something important?

	Henry



[1] http://blogs.sun.com/bblfish/entry/hyperdata_and_folktologies
[2] http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun



> Henry
>
>
>> -- 
>> Julian Bond  E&MSN: julian_bond at voidstar.com  M: +44 (0)77 5907 2173
>> Webmaster:          http://www.ecademy.com/      T: +44 (0)192 0412 433
>> Personal WebLog:    http://www.voidstar.com/     skype:julian.bond?chat
> _______________________________________________
> foaf-dev mailing list
> foaf-dev@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-dev
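The exchange Henry sketches above (an unidentified request gets a default representation plus a hint that more is available; the client then identifies itself by a URI and proves control of the key published at that URI by signing the resource URI plus a server nonce; the server fetches the key from the identifier, verifies, and applies its group policy) as an added example, not code from the original thread or from RDFAuth. It is a self-contained Go model: Ed25519 from the standard library stands in for PGP, the `keysAt` map stands in for dereferencing the agent's FOAF document to read its public key, the resource URI under example.org is constructed, and the agent URI is the `http://beppa.com/#company` identifier from the mail. Nonces are single-use, so a captured signature cannot be replayed, and a signature that fails to verify still consumes the nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Resource carries a default representation anyone may read and a fuller
// one that the server returns only to members of Group.
type Resource struct {
	URI, Default, Full, Group string
}

// Response is what the server hands back: a body, a flag telling the client
// that more is available, and (for unidentified requests) a nonce to sign.
type Response struct {
	Body          string
	MoreAvailable bool
	Nonce         string
}

// Server models the resource owner. keysAt is a stand-in (assumption of this
// example) for dereferencing an agent's URI and reading the public key it publishes.
type Server struct {
	resources map[string]Resource
	members   map[string]map[string]bool // group -> agent URI -> member
	keysAt    map[string]ed25519.PublicKey
	nonces    map[string]bool // issued and not yet consumed
}

func NewServer() *Server {
	return &Server{
		resources: map[string]Resource{},
		members:   map[string]map[string]bool{},
		keysAt:    map[string]ed25519.PublicKey{},
		nonces:    map[string]bool{},
	}
}

func (s *Server) AddResource(r Resource) { s.resources[r.URI] = r }

func (s *Server) AddMember(group, agent string) {
	if s.members[group] == nil {
		s.members[group] = map[string]bool{}
	}
	s.members[group][agent] = true
}

// PublishKey records the public key reachable from an agent's URI.
func (s *Server) PublishKey(agent string, pub ed25519.PublicKey) { s.keysAt[agent] = pub }

// challenge binds the requested resource to the nonce. A hex nonce cannot
// contain a newline, so the two parts cannot be confused with each other.
func challenge(uri, nonce string) []byte { return []byte(uri + "\n" + nonce) }

// Get is the unidentified request: default representation plus a fresh nonce
// that invites the client to identify itself.
func (s *Server) Get(uri string) (Response, error) {
	r, ok := s.resources[uri]
	if !ok {
		return Response{}, errors.New("no such resource")
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Response{}, err
	}
	nonce := hex.EncodeToString(b[:])
	s.nonces[nonce] = true
	return Response{Body: r.Default, MoreAvailable: true, Nonce: nonce}, nil
}

// Sign is the client side: prove control of the key behind the agent's URI
// by signing the resource URI together with the server's nonce.
func Sign(priv ed25519.PrivateKey, uri, nonce string) []byte {
	return ed25519.Sign(priv, challenge(uri, nonce))
}

// GetAs is the identified request. The nonce is consumed on first use, the key
// is looked up at the agent URI, the signature is checked, then group policy applies.
func (s *Server) GetAs(uri, agent, nonce string, sig []byte) (Response, error) {
	r, ok := s.resources[uri]
	if !ok {
		return Response{}, errors.New("no such resource")
	}
	if !s.nonces[nonce] {
		return Response{}, errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nonce) // one attempt per nonce: failed proofs burn it too
	pub, ok := s.keysAt[agent]
	if !ok {
		return Response{}, errors.New("no public key published at " + agent)
	}
	if !ed25519.Verify(pub, challenge(uri, nonce), sig) {
		return Response{}, errors.New("signature does not verify for " + agent)
	}
	if s.members[r.Group][agent] {
		return Response{Body: r.Full}, nil
	}
	return Response{Body: r.Default}, nil // identified, but not in the group
}

func main() {
	s := NewServer()
	uri := "http://example.org/photos/2008" // constructed resource URI
	s.AddResource(Resource{URI: uri, Default: "3 public photos", Full: "3 public + 12 friends-only photos", Group: "friends"})
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	beppa := "http://beppa.com/#company"
	s.PublishKey(beppa, pub)
	s.AddMember("friends", beppa)
	first, _ := s.Get(uri)
	fmt.Println("anonymous:", first.Body, "more available:", first.MoreAvailable)
	sig := Sign(priv, uri, first.Nonce)
	second, err := s.GetAs(uri, beppa, first.Nonce, sig)
	fmt.Println("identified:", second.Body, err)
	_, err = s.GetAs(uri, beppa, first.Nonce, sig)
	fmt.Println("replay:", err)
}
```

The server never needs a prior contract with the client: everything it needs to verify the proof is fetched from the client's own identifier, which is the linked-data point the mail is making. What the example does not cover is how the client trusts that the key document it reads really belongs to that URI (transport security for the lookup), which the mail leaves open as well.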


Received on Wednesday, 26 March 2008 11:37:14 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:45:05 UTC