[OpenID] openid and acl's
Story Henry
henry.story at bblfish.net
Sat Aug 4 11:27:09 UTC 2007
On 4 Aug 2007, at 10:01, Steven Livingstone wrote:
> I like the idea of this Henry - quite simple really. The issue is
> how to create sub-groups etc - it seems your solution works for
> specific id's and for the provider in general as a group.
Yes, and it is easy for an openid to be part of a number of groups,
just like a user on unix can. Just have multiple links to each of the
providers.
>
> The difficulty in using SAML/XACML in my view is in implementation
> - they are quite large specs and I think OpenID has done well in
> that it hasn't to overly complex. It's balance as i could easily
> accomplish defining who is to access resource X, if i were to
> simply take the URI for resource X and add one or more OpenID's to
> it (permitting access) and sign this with my OpenID. I could store
> this data anywhere - independently of my FOAF data.
What I am proposing is that openid gives you the equivalent of a unix
user name (the id) and a group (the provider).
It is up to resource owners then to decide what resource to give you
or members of your group(s) access to.
This they can do of course by relating resources to users or groups of
users. There are a number of technologies that can be used here
independently. One way to do this in a Semantic Web way is to create an
ACL ontology such as this one
http://www.w3.org/2001/04/ACLS/Schema
and a way of describing groups of resources such as POWDER
http://www.w3.org/2007/powder/
I think that is how the W3C describes access control to its web pages.
> This may not be ideal in a purist view, but i could have this
> working in two hours. Implementing SAML/XACML is quite a bit more
> complex (in fact looking through the archives i see this has been
> brought up before).
>
> Henry - your blog discusses something that would be simple to
> implement which is why i like it. I can see how it could be
> extended as i discuss above to allow (lightweight) distributed
> access controls... in fact a third party taking two independently
> authenticated OpenID's could verify access to a resource as a
> service i would think.
>
> The question in doing something like this is how far do you want to
> go. I remember back in 2000 or so many groups i worked on creating
> Xml Schemas that covered every scenario possible and they were just
> never adopted... a good example is the success of RSS over NewsML,
> one is a couple of pages long in spec, the other about 50 :) I
> personally think lightweight authorization through OpenID would be
> a nice start.
The nice thing about RDF is that you can build things up very
lightly. You just need to specify a couple of relations and classes
for my proposals I think. In RDF you can mix ontologies very easily.
So there is no need to specify everything ahead of time. Just add the
pieces you need as you need them.
>
> steven
> http://livz.org
>
>
>
> > From: henry.story at bblfish.net
> > Date: Sat, 4 Aug 2007 08:40:04 +0200
> > To: joseph at josephholsten.com
> > CC: scott at kveton.com; general at openid.net
> > Subject: Re: [OpenID] openid and acl's
> >
> > On 3 Aug 2007, at 19:59, Joseph Holsten wrote:
> > > Scott Kveton wrote:
> > >>> Anyone discussed the idea of using OpenID as a basis for a
> > >>> distributed ACL's
> > >>> system?
> > > One thing that's important about ACLs is grouping. You wouldn't access
> > > a firewall that requires you to type in every single IP address. You
> > > wouldn't use windows permissions where you needed to specify every
> > > user's access.
> > >
> > > Has someone proposed a wildcard scheme or group identifier via OpenID,
> > > because that would be awesome.
> >
> >
> > In "A Foaf File for Sun" [1] I argue that the Authorization service
> > can be thought of as a group identifier. The Authorization service is
> > a group membership verifier.
> >
> > This can be used to give people access to different parts of the web
> > using RDF. An example I give is how this could be used to make access
> > to the W3C just a question of sending someone Sun's foaf file.
> >
> >
> > Henry
> >
> > [1] http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun
> >
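The "id as unix user, provider as unix group" proposal above can be made concrete with a small relying-party check. The following Python is an added illustration, not code from the thread or from any of the people quoted in it: it discovers a claimed id's providers from the `<link rel="openid.server">` tags on its identity page (the "multiple links to each of the providers" Henry mentions), keeps a resource owner's ACL that grants access either to named ids or to whole provider groups, and decides access for an already-verified assertion. The identity page, the ACL entries, the resource URIs and the provider URLs are all constructed for the example. The two checks inside `is_authorized` are the part worth noting: a provider only counts as a group for an id that actually lists it, and a group grant only applies when that same provider made the assertion.

```python
from html.parser import HTMLParser
from typing import Dict, Set, Tuple

# Constructed sample identity page for the claimed id http://alice.example/.
# In OpenID 1.1 discovery a <link rel="openid.server"> names a provider; two
# such links mean two providers vouch for this id, i.e. two "groups" in the
# unix-group analogy used in the message above.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.org/server">
<link rel="openid.server" href="https://staff.example.com/openid">
<link rel="stylesheet" href="/style.css">
</head><body>Alice</body></html>"""


class ProviderLinkParser(HTMLParser):
    """Collect the href of every <link rel="openid.server"> on an identity page."""

    def __init__(self) -> None:
        super().__init__()
        self.providers: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        rels = (a.get("rel") or "").lower().split()
        if "openid.server" in rels and a.get("href"):
            self.providers.add(a["href"])


def discover_providers(identity_page_html: str) -> Set[str]:
    """Return the set of providers (groups) an identity page declares."""
    parser = ProviderLinkParser()
    parser.feed(identity_page_html)
    return parser.providers


# ACL held by the resource owner: resource URI -> (allowed ids, allowed provider groups).
# Hypothetical resources; the two kinds of grant mirror the unix user/group split.
ACL: Dict[str, Tuple[Set[str], Set[str]]] = {
    # one named id, plus everyone vouched for by idp.example.org
    "https://example.net/wiki/": ({"http://bob.example/"}, {"https://idp.example.org/server"}),
    # members of the staff provider group only
    "https://example.net/intranet/": (set(), {"https://staff.example.com/openid"}),
}


def is_authorized(acl: Dict[str, Tuple[Set[str], Set[str]]], resource: str,
                  claimed_id: str, asserting_provider: str,
                  identity_page_html: str) -> bool:
    """Decide access for a verified assertion "asserting_provider vouches for claimed_id".

    1. The asserting provider must be one the claimed id actually lists; otherwise
       any provider could assert any id it liked and inherit that id's grants.
    2. A group grant for provider G applies only when G itself made the assertion;
       merely listing G on the identity page is not membership proof.
    """
    allowed_ids, allowed_groups = acl.get(resource, (set(), set()))
    if asserting_provider not in discover_providers(identity_page_html):
        return False
    if claimed_id in allowed_ids:
        return True
    return asserting_provider in allowed_groups


if __name__ == "__main__":
    alice = "http://alice.example/"
    print(is_authorized(ACL, "https://example.net/intranet/", alice,
                        "https://staff.example.com/openid", SAMPLE_IDENTITY_PAGE))
```

The signature verification of the OpenID assertion itself is assumed to have happened before `is_authorized` is called; this function only answers the group-membership question the thread is about.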