Re: [foaf-protocols] Standardising the foaf+ssl protocol to launch the Social Web

On Tue, 6 Jul 2010 10:23:03 +0200
Henry Story <henry.story@gmail.com> wrote:

>> They dynamic is that you go through an authentication process and
>> that verifies that you own a WebID.
> 
> I would rather say that you are identified by a WebID, or that the
> Web ID refers to you, that is is a name for you. Talk of ownership
> brings in more than is required.

Indeed. A WebID is a URI after all, and the "I" in that stands for
"identifier". 

The "ID" in "WebID" also stands for "identifier". It is one of my pet
peeves that the "D" is typically capitalised not just in "WebID" but in
general use of the abbreviation "ID" - after all, it does not stand for
anything. Perhaps we could call the proposed standard "Web Identity
Discovery (WebID)"? Not just an acronym, but an ambigonym too! :-)

>> The question is, as part of standardization will we:
>> 
>> 1. Consider only TLS
>> 2. Consider TLS but in a modular way, while mentioning other
>> profiles, out of scope of the document
>> 3. Consider multiple authentication profiles e.g. TLS & OpenID
> 
> That is a good question. 

I think we should try to restrict our scope. Big specs take too long
and risk becoming irrelevant. Keep WebID a small, simple protocol:

	1. client establishes a TLS-secured connection with server
	2. server discovers claimed WebID from client certificate
	3. server dereferences WebID, parses to find RDF graph
	4. server queries RDF graph to verify WebID
	5. server now knows the agent operating the client.

#1 is already specified by TLS. #2 we need to specify (subjectAltName).
#3 we need to specify (for HTTP/HTTPS - we can leave other URI schemes
undefined for now). #4 we need to specify (a sample SPARQL will do,
plus a note that any mechanism that yields equivalent results is OK
too, as not all implementations will have a full SPARQL implementation
to build on). #5 is just a statement of fact - what the server does
with this information is up to it.

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>

Received on Tuesday, 6 July 2010 12:03:20 UTC