[rdfweb-dev] FoaF for web forms, and FoafCheck

Ken MacLeod ken at bitsko.slc.ut.us
Fri Jun 27 15:24:51 UTC 2003


I recently wrote a Python utility called FoafCheck that takes the URI of
a FoaF instance, verifies its signature, and returns the foaf:Person
that has an rdf:seeAlso with the same URI (that last bit is a subject
of discussion, below).  This is similar to Eric Sigler's mt-foaf.php
and Ben Trott's Perl XML::FOAF (recently updated to 0.2!).

On my weblog, I modified the Blosxom writeback plugin to allow one to
enter the URI of the FoaF instance into the Homepage field (also
marked with a FoaF icon) to provide the information for the remaining
fields, and more!  (Auto-discovery from a homepage URI to come later.)

There are two primary issues with this approach:

  1) FoaF instances can describe more than one foaf:Person.  Using
     rdf:seeAlso is just a hack (another suggested hack was to use
     dc:creator as a property of the FoaF instance).

     An additional piece of unambiguous information is necessary to
     select the correct foaf:Person.  This could be an mbox, but it
     turns out we already need another piece of unambiguous
     information,

  2) A signed FoaF instance is not enough -- anyone can paste the URI
     of a signed FoaF instance.

     A way of doing authentication is necessary.  A commonly suggested
     solution is to use an MD5 password, to which I've devoted a wiki
     page on WhyNotEncryptedPasswords.

     A solution I see that seems better is to use challenge/response,
     by having the host generate a challenge (will be an option to
     FoafCheck, for example) and presenting it alongside the FoaF
     icon, the user copies this to a local utility which then signs it
     with their private key, then they paste the response into the
     Name field (conventionally), and the host passes both on to the
     FoaF library.  More details on the FoafIdentityAssurance wiki
     page.  The potential for bookmarklets and Mozilla plugins is
     there too.

     The match of the signed response with one of the public keys in
     the FoaF instance is an unambiguous property.

Besides auto-discovery and authentication, other ToDos for FoafCheck
include using more FoaF info in the weblog (photos!) and better error
reporting.  Also used in FoafCheck is a skeleton of another project
I'm working on, a "simple RDF world" using just Python structures.

Enjoy!

  -- Ken MacLeod

http://bitsko.slc.ut.us/blog/2003/06/24/foaf-check
http://esigler.2nw.net/blog/archives/000043.html
http://www.sixapart.com/log/2003/01/fun_with_foaf.shtml
http://usefulinc.com/foaf/signingFoafFiles
http://rdfweb.org/topic/WhyNotEncryptedPasswords
http://rdfweb.org/topic/FoafIdentityAssurance

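The challenge/response flow sketched in the message above, as an added worked example; it is not part of the original post and not FoafCheck's own code. The host issues a single-use challenge that names the host, the user signs it with a private key, and the host tries the pasted response against every public key listed in the FoaF instance: the foaf:Person whose key verifies is the authenticated one, which also resolves the "which Person" ambiguity. Assumptions: a toy Schnorr signature over a tiny group stands in for the user's real (PGP) key, so the group parameters are illustration-only and provide no real security; the FoaF instance is a constructed Python dict rather than parsed RDF; the site name, person names and URI are made up.

```python
import hashlib
import secrets
import time

# Toy Schnorr group: safe prime P = 2Q+1, generator G of prime order Q.
# Far too small for real use; it only keeps the example self-contained
# and stands in for the user's real private/public key pair.
P = 1019
Q = 509
G = 4  # a quadratic residue mod P, hence of order Q


def keygen():
    """Return (private, public) for the toy signature scheme."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _hash_to_q(r, message):
    h = hashlib.sha256(f"{r}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def sign(private, message):
    """User side: the local utility signs the pasted challenge."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_q(r, message)
    s = (k - private * e) % Q
    return f"{e:x}:{s:x}"  # the text the user pastes into the Name field


def verify(public, message, response):
    """Check a pasted response against one public key; malformed input fails."""
    try:
        e_hex, s_hex = response.split(":")
        e, s = int(e_hex, 16), int(s_hex, 16)
    except ValueError:
        return False
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = (pow(G, s, P) * pow(public, e, P)) % P  # = g^k if the signature is valid
    return _hash_to_q(r, message) == e


class ChallengeHost:
    """Host side: issue single-use challenges and match responses to a Person."""

    def __init__(self, site, ttl=600):
        self.site = site
        self.ttl = ttl
        self.outstanding = {}  # challenge -> time issued

    def new_challenge(self):
        # The host name is part of the signed text, so a response produced
        # for another site cannot be pasted here.
        challenge = f"{self.site}:{secrets.token_hex(16)}"
        self.outstanding[challenge] = time.time()
        return challenge

    def authenticate(self, foaf_instance, challenge, response):
        """Return the foaf:Person whose key signed `challenge`, else None.

        The challenge is consumed on every attempt, so a copied response
        cannot be replayed even if the first use succeeded."""
        issued = self.outstanding.pop(challenge, None)
        if issued is None or time.time() - issued > self.ttl:
            return None
        for person in foaf_instance["persons"]:
            for key in person.get("pubkeys", []):
                if verify(key, challenge, response):
                    return person
        return None


def demo():
    """Run the exchange end to end and report the outcomes (constructed data)."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, _ = keygen()  # a key that appears in no FoaF instance
    foaf = {  # constructed stand-in for a parsed FoaF instance; URI is assumed
        "uri": "http://example.org/foaf.rdf",
        "persons": [
            {"name": "Alice Example", "pubkeys": [alice_pub]},
            {"name": "Bob Example", "pubkeys": [bob_pub]},
        ],
    }
    host = ChallengeHost("weblog.example.org")  # assumed site name
    c1 = host.new_challenge()
    r1 = sign(alice_priv, c1)
    first = host.authenticate(foaf, c1, r1)       # Alice
    replay = host.authenticate(foaf, c1, r1)      # same response again: rejected
    c2 = host.new_challenge()
    stranger = host.authenticate(foaf, c2, sign(mallory_priv, c2))  # no key matches
    c3 = host.new_challenge()
    stale = host.authenticate(foaf, c3, sign(bob_priv, c2))  # signed the wrong challenge
    c4 = host.new_challenge()
    bob = host.authenticate(foaf, c4, sign(bob_priv, c4))   # Bob
    return {
        "first": first["name"] if first else None,
        "replay": replay,
        "stranger": stranger,
        "stale": stale,
        "bob": bob["name"] if bob else None,
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight here: the challenge is popped from the outstanding set before any key is tried, so nothing a visitor pastes can be used twice, and the signed text contains the host name, so a signature collected by one site is useless at another. Swapping the toy signer for a real one (for example verifying a clearsigned challenge against the keys the FoaF instance points to) leaves the host logic unchanged.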