[foaf-dev] Re: RDFAuth: an initial sketch
Story Henry
henry.story at bblfish.net
Thu Mar 27 22:26:58 GMT 2008
Hi Valentine,
It's quite late here, and I just came back from the pub, but I'll =
nevertheless try to answer this as best as I can. :-)
I think your idea is good, and you clearly weigh the pros and cons. I =
would like to add the following in defense of the idea being proposed =
here.
First, I think your idea breaks down I think as networks of trust =
start to grow. Indeed you mention this as a point of concern. Imagine =
that Juliette's foaf server decides to trust all the friends of her =
friends up to a depth of three. This could end up being creating a =
network of over a 1000 people, that changes dynamically. In that case =
her server would have to keep regenerating the encrypted foaf file =
very regularly. The bigger the network the more often it would have to =
be encrypted...
Secondly I don't think what is proposerd here should be very difficult =
to set up to tell the truth. RDFAuth is simpler than openid - no need =
for an authentication server. My guess is that with the help of the =
Redland RDF library, it should be a few small perl scripts to implement.
But thanks for adding this point to the discussion. It was something I =
had wondered about at one point.
Others may have more knowledge of PGP and be able to shed more light =
on your thoughts.
all the best from Fontainebleau, France
One thing that is nice is that RDFAuth should spread the use of PGP, =
and the idea of decentralised networks of trust that comes with it. I =
am all for decentralized networks. So once PGP (or other similar =
public key cryptography systems) become widely used, solutions like =
the one you propose should be a lot easier to deploy :-)
Henry
On 27 Mar 2008, at 20:12, Valentin Zacharias wrote:
>
>
> Hi!
>
> All approaches I've seen discussed in this thread (some very =
> interesting!)
> break the 'web friendliness' of FOAF, with these approaches I can no =
> longer
> treat a FOAF file like an html file but need quite complex software
> mediating the access to the foaf file. This may be the way to go, =
> but we
> could also approach the problem from a totally different angle:
>
> By the time i create/change the foaf file I know who should be able to
> access it; and lets for a moment assume that these people are =
> identified by
> a foaf file that contains a public key. Then i could simply use =
> public key
> encryption and include for everyone that should be able to see =
> private data
> this data encrypted with his/her public key. Then I get a (pretty =
> large)
> file that i could treat like any foaf file and that would not need a
> software mediating access to it. Anyone authorized to see (some) =
> private
> data would have the private key to decrypt it.
>
> So, this approach has some serious drawbacks
> * the foaf file is computational expensive to create and change (but
> computers are getting faster all the time and this is even a task =
> that is
> naturally paralizable for tomorrows many core computers)
> * it could be large, but don't think this would be too large to =
> handle (at
> least not for the friends and faimily scenario) and it could be =
> split up
> into separate files easily
> * granting access to groups that are not characterised by a key pair =
> and
> that have shifting memberships is hard (impossible?)
> * If someone changes his key pair (e.g. because it has been =
> compromised) I
> will not immediately recognize this.
>
> On the plus side it saves us from lots of complexity in safeguarding =
> private
> foaf files and mediating access to parts of it.
>
> Nevertheless this could be the simplest thing that can work - or =
> what do you
> think?
>
>
> greetings from karlsruhe
>
> valentin
>
> --
> email: zacharias at fzi.de
> phone: +49-721-9654-806
> fax : +49-721-9654-807
> http://www.vzach.de/blog
>
> =3D =
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> FZI Forschungszentrum Informatik an der Universit=E4t Karlsruhe (TH)
> Haid-und-Neu-Str. 10-14, 76131 Deutschland, http://www.fzi.de
> SdbR, Az: 14-0563.1 Regierungspr=E4sidium Karlsruhe
> Vorstand: R=FCdiger Dillmann, Michael Flor, Jivka Ovtcharova, Rudi =
> Studer
> Vorsitzender des Kuratoriums: Ministerialdirigent G=FCnther Le=DFnerkraus
> =3D =
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> -----Original Message-----
> From: semantic-web-request at w3.org on behalf of Story Henry
> Sent: Thu 3/27/2008 1:06 PM
> To: foaf-dev of a Friend; Semantic Web
> Subject: RDFAuth: an initial sketch
>
> Hi,
>
> I would like to put the following forward as a sketch of what is
> needed to allow a resource to return different representations
> depending on the identity of the requester. We are looking for some
> security experts and others to help out here.
>
> There may be other standards that can be used, but it would help to
> see how far one can get with a very clean system to start off with. At
> least this should help understand what is needed.
>
> The idea is simple. We have 4 resources here.
>
> 1. A Semantic Web client owned by Romeo ( something like Beatnik,
> Tabulator or Knowee )
> 2. Juliette's foaf file resource controlled by a slightly intelligent
> web service (one that knows to show which parts of the graph to show
> to whom)
> 3. Romeo's foaf file (perhaps also controlled by an intelligent web
> service, but there is no need for this here)
> 4. Romeo's public key. This could be part of the foaf file, but
> assuming that it does not change that often, it would be better placed
> at a separate resource in order to be more easily cacheable
>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2429 bytes
Desc: not available
Url : http://lists.usefulinc.com/pipermail/foaf-dev/attachments/20080327/6f=
f0d8dd/smime-0001.bin
More information about the foaf-dev
mailing list