[foaf-dev] for more information please log in
Peter Williams
pwilliams at rapattoni.com
Sat Jan 19 20:00:02 GMT 2008
Attribute exchange is a crude re-implementation of the SAML AttributeQuery protocol, if anything. Its different from SAML however, which has a connectionless security model. Attribute exchange in openid normally occurs in the context of openid flow, which creates a "association" (or "connection") that defines the privacy expecations of the cooperating parties as well as the protective countermeasures to be applied.
In some sense, both the SAML and OpenID variants of attribute lookup are an ultra-crude version of the practices that FOAF users today apply - when performing a SPARQL-based query against a FOAF document. It would be trivial to have an AX server initiated a SPARQL query against a FOAF file, acting as a data source for the attributes. I'm not sure, but I may even have done that exactly when prototyping the interaction of openid and foaf, last year - based on Henry's observations about how the two worlds might combine.
But, I dont think that "crudeness" is the right criterion, however: as neither FOAF nor RDF are perceived as protocols. Rather, they beg support from protocols such as SPARQL and http(s). As Henry suggested, the security contexts created by those protocols' sessions (after an protocol-specific authentication handshake, of some design or other) allows authorization rules in the FOAF stream to guard the release of information by the query engine. I know the SPARQL server I use exhibits a advanced security model for controlling information release for interchange, lookup and inference use cases - controls that are non-standard, however, and have poor modeling pedigree in academic literature (as far as I can tell). The trick is presumably now to standardize a model and authorization ruleset that (a) works, (b) is logically modelled, AND (c) fits the privacy/relationship web currents that the FOAF community is trying to tap into. I think FOAF is the right place to start (rather than RDF), as its clear mission already gives clear direction to the designers of an appropriate security model. With this constraint in place, the security plan will not get too grandiose.
________________________________
From: Danny Ayers [mailto:danny.ayers at gmail.com]
Sent: Sat 1/19/2008 11:12 AM
To: Story Henry
Cc: Peter Williams; foaf-dev
Subject: Re: [foaf-dev] for more information please log in
Something that may be worth investigating is OpenID Attribute Exchange:
http://openid.net/specs/openid-attribute-exchange-1_0.html
I've not looked closely, but as far as I can tell it seems to be a
(rather crude) reinvention of RDF, but when used in conjunction with
the protocol stuff elsewhere around OpenID can offer granular access
control. (Not sure whether this stuff is in line with WebArch, quite
possibly not).
This blog post is helpful:
http://blogs.gnome.org/jamesh/2007/11/26/openid-ax/
Cheers,
Danny.
--
http://dannyayers.com <http://dannyayers.com/>
More information about the foaf-dev
mailing list