- From: Story Henry <henry.story@bblfish.net>
- Date: Mon, 31 Mar 2008 17:54:55 +0200
- To: bnowack@semsol.com
- Cc: foaf-dev of a Friend <foaf-dev@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>
- Message-Id: <5FD22783-4572-4052-8911-97839F5F41D9@bblfish.net>
Ok Benjamin, sorry for taking time to answer to this one. I was having some difficulty understanding what a token server was. Here it is clear that we are very close in our understanding of the problem. On 27 Mar 2008, at 17:44, Benjamin Nowack wrote: > Hi, just some clarifications: > RDFAuth doesn't use public/private key encryption, but simple > token servers. Thanks to RDF, eRDFa, MFs, and GRDDL, it also > doesn't need AX, sREG, or anything like that for data exchange > and discovery. > > Long-term-ish, this mechanism should be partly replaced by whatever > oAuth offers WRT server-side token generation, but the main > motivation right now is to build something very easy that works > for basic use cases and which can then be extended once we have > prototypes. > > > So, the idea is more or less: > > Prerequisites: > The [user] of the [client app] maintains a public RDF profile great! > that contains a [personal identifier] (foaf:homepage, foaf:openid, > a personal URI, xfn:me, whatever) and an rdfauth:tokenServer > triple pointing at the personal [token server]. or a pointer to a public key in an asymmetric encryption algorithm like PGP. > The identifier is ideally a personal URI directly related to the > profile to > simplify "follow your nose" discovery, maybe we should make that > mandatory to simplify things, not sure. Yes, of course. The interest is to build up on the network effect of LinkedData. By having a URL as a personal Identifier this helps the [resource server] find more information on which it can base its decision to trust or not the [client app]. It also means that the information is available RESTfully, and so could even be edited RESTfully by another client app. It all then works very nicely with other HTTP standards. > Scenario A > > 1. The [client app] knows/assumes that there is private info > available at the [resource server] > 2. The [client app] creates a [token] at the [user]'s [token > server] (identical to openID, the "how" is not part of the spec) ok > > 3. The [client app] requests a resource from the [resource server], > via standard HTTP, plus an "Authorization" header that contains > the [token], and the [user]'s [personal identifier] > 4. The [resource server] detects the "Authorization" header, > extracts the [token] and the [personal identifier] and tries to > identify the [user]'s [token server]. ...by GETing information from the user's identifier. (this could of course be generalized by relativizing on protocol, but of course it is easier to stick with http which is well understood) > 5. The [resource server] validates the [token] via the [token server] Now I think the only thing I worry about here is whether this means you are going to specify how a token server works, and this seems complicated and full of the same types of authentication problems we are trying to solve here. > > 6. Based on the available data (named/trusted graphs, a list of > trusted token serves, etc.) and app logic, the [resource server] > decides whether it accepts/trusts the [personal identifier] and > which information to serve to the [client app]. It may additionally > create and send a [session token] which might be used for later > requests. When or how this session token expires is up to the > [resource server]. yes, using a session token would be very useful to reduce future communication costs. Is this where SSL comes in useful? [snip] > > Now, the sent [token] could indeed contain a portion that is generated > using PGP-encrypted information. In that case the personal [token > server] > could be a PGP verifier. This would be transparent to the [resource > server] > and the RDFAuth protocol, though. The token will have a certain > structure > to make sure that it can only be used for one [user] and one [resource > server]. It seems to me that we are really very close on how we understand the problem. The notion of a token server is what makes me uncomfortable, as mentioned before, because it looks like it will be a lot of work to specify something like that properly, and because it may not be needed. Now the anonymous reader of my previous response pointed out to me that > Normal HTTPS would only provide you with confidentiality of information > over the session, and authentication of the server to the client, not > the client to the server. You can use it for mutual authentication if > you like, using client certificates. This would probably do everything > that you're after - mutual authentication, confidentiality, secure > sessions, standard protocols. Not many people use mutual SSL though > - don't know how well it works in practice. Might be worth exploring, > rather than designing your own public key protocol. What I think we're after is something like client certificates, but discoverable ones available via URL and linked into the mesh of LinkedData. Henry > > > Cheers, > Benji > > -- > Benjamin Nowack > http://bnode.org/ > >
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Monday, 31 March 2008 15:55:45 UTC