Authentication and authorization as influences on the content of responses [foaf-dev]

Peter Williams pwilliams at rapattoni.com
Tue Jan 22 19:55:52 GMT 2008


So, unlike most of the web, we in realty have a lot of experience with deploying digest auth in open environments. Though the digest std does indeed allow for (parallel) negotiation/presentation of digest realms (each of which can attach to an appropriate set of access guards expressed in the foaf file), how many actual libraries in webservers and browsers/cwm support these features? Elemental interoperability of digest-auth-using parties is spotty, at best.

In the case of openid, the security context is between the ppd and the claimant: we can expect a trusted agent working with a copy of the foaf file to be enforcing the access control rules just as would Henry's home server serving foaf documents. Surely we want the access control enforcement act to be based on a decision that is expressed in foaf elements, assuming a trusted full owl engine is responsible for evaluating the decision logic. If the foaf file is signed (per earlier semweb experiments) and key management of the verification key provides for the separation of trusted vs untrustworthy agents, would we not have a more "semweb way" of linking authentication info to information release policies?

-----Original Message-----
From: Etan Wexler <ewexler at stickdog.com>
Sent: Tuesday, January 22, 2008 11:30 AM
To: Friends of a Friend <foaf-dev at lists.foaf-project.org>
Subject: Authentication and authorization as influences on the content of responses [foaf-dev]

Henry Story (as “Story Henry”) wrote to the FOAF developers’ list (see 
<http://lists.foaf-project.org/mailman/listinfo/foaf-dev>) on 2008-01-13 
in “[foaf-dev] for more information please log in”
(<http://lists.foaf-project.org/pipermail/foaf-dev/2008-January/008793.html>):

> If a foaf file is to return different representations depending on the 
> authentication level of the person looking at it, there needs to be some 
> way for the foaf file to say that. Something like: for a larger view you 
> may want to log in there: http://...
> 
> Any thoughts on this?

A FOAF file does not return representations and so cannot return
different representations. A document that uses terms from the
Friend-of-a-Friend vocabulary and the document’s metadata can constitute
a representation. An origin server may send a response whose entity is
such a representation, in which case the entity-body is a FOAF file, if
I understand the phrase “FOAF file”.

The World Wide Web has mechanisms for authentication, authorization, and
access control. I plead the case for using what exists. I fail to see
the need for further effort and I offer the following HTTP exchanges as
illustration.

GET /people/henry/card HTTP/1.1
Host: bblfish.example

HTTP/1.1 200 OK
Date: Mon, 14 Jan 2008 02:40:20 GMT
Last-Modified: Sun, 16 Dec 2007 20:16:33 GMT
Vary: Authorization
WWW-Authenticate: Digest nonce="familial nonce 0",
  realm="Henry's stuff for Henry's family",
  domain="http://bblfish.example/people/henry/card",
  Digest nonce="friendly nonce 0",
  realm="Henry's stuff for Henry's friends",
  domain="http://bblfish.example/people/henry/card",
  Digest nonce="omniscient nonce 0",
  realm="Henry's stuff for those who see all",
  domain="http://bblfish.example/people/henry/card"
Etag: "res publica"
Content-Length: 139
Content-Type: text/rdf+n3; charset=utf-8

@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<http://bblfish.example/people/henry/card#me>
  a foaf:Person;
  foaf:givenname "Henry".

GET /people/henry/card HTTP/1.1
Host: bblfish.example
Authorization: Digest username="friend",
  realm="Henry's stuff for Henry's friends",
  nonce="friendly nonce 0",
  uri="/people/henry/card",
  response="8f8b71112b1a41baec644a503ecd77c7"

HTTP/1.1 200 OK
Date: Mon, 14 Jan 2008 02:40:21 GMT
Last-Modified: Sun, 16 Dec 2007 20:16:33 GMT
Vary: Authorization
WWW-Authenticate: Digest nonce="familial nonce 1",
  realm="Henry's stuff for Henry's family",
  domain="http://bblfish.example/people/henry/card",
  Digest nonce="friendly nonce 1",
  realm="Henry's stuff for Henry's friends",
  domain="http://bblfish.example/people/henry/card",
  Digest nonce="omniscient nonce 1",
  realm="Henry's stuff for those who see all",
  domain="http://bblfish.example/people/henry/card"
Etag: "cosa nostra"
Content-Length: 197
Content-Type: text/rdf+n3; charset=utf-8

@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<http://bblfish.example/people/henry/card#me>
  a foaf:Person;
  foaf:givenname "Henry";
  foaf:family_name "Story";
  foaf:name "Henry J. Story".

I welcome any corrections to the HTTP messages just given. Most of all,
I welcome explanations of deficiencies in the chosen approach.

-- 
Etan Wexler.
“Don’t misunderestimate the Internets.”
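The server side of the exchange above, as an added example (not code from either poster): it verifies an RFC 2617 Digest credential without qop against one password table per realm, treats every failure as the anonymous view (200 with the public card, never 401), requires the digest to cover the requested URI, and makes each issued nonce single-use, which is the effect of the nonce rotation ("friendly nonce 0" to "friendly nonce 1") shown in the messages. The passwords, the family and "see all" properties, and the nonce bookkeeping are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample credentials (not from the original message): one password
# table per Digest realm named in the WWW-Authenticate challenge above.
REALMS = {
    "Henry's stuff for Henry's family": {"sister": "family-secret"},
    "Henry's stuff for Henry's friends": {"friend": "friend-secret"},
    "Henry's stuff for those who see all": {"henry": "owner-secret"},
}
# Nonces issued and not yet used; the exchange above rotates them on every response.
ISSUED_NONCES = {"familial nonce 0", "friendly nonce 0", "omniscient nonce 0"}

# FOAF properties each realm may see; None is the anonymous view. The family and
# "see all" extras are constructed for illustration.
FRIENDS = ['foaf:givenname "Henry"', 'foaf:family_name "Story"', 'foaf:name "Henry J. Story"']
VIEWS = {
    None: ['foaf:givenname "Henry"'],
    "Henry's stuff for Henry's friends": FRIENDS,
    "Henry's stuff for Henry's family": FRIENDS + ['foaf:birthday "01-01"'],
    "Henry's stuff for those who see all": FRIENDS + ['foaf:mbox <mailto:henry@bblfish.example>'],
}

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop, the form used in the exchange above."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    """Turn 'Digest k="v", k2="v2"' into a dict (quoted values only, as in the messages)."""
    if not header or not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def authenticated_realm(method, uri, authorization):
    """Realm the credential proves membership in, or None for the anonymous view."""
    p = parse_digest(authorization)
    realm, user, nonce = p.get("realm"), p.get("username"), p.get("nonce")
    if realm not in REALMS or user not in REALMS[realm] or nonce not in ISSUED_NONCES:
        return None
    if p.get("uri") != uri:  # the digest must cover the URI actually requested
        return None
    expected = digest_response(user, realm, REALMS[realm][user], method, uri, nonce)
    if not hmac.compare_digest(expected, p.get("response", "")):
        return None
    ISSUED_NONCES.discard(nonce)  # single use: a replayed header gets the anonymous view
    return realm

def properties_for(method, uri, authorization):
    """The FOAF properties the response entity should carry for this request."""
    return VIEWS[authenticated_realm(method, uri, authorization)]
```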
