[OpenID] cryptographics web of trust

Story Henry henry.story at bblfish.net
Tue Aug 21 16:24:23 UTC 2007


Hi Peter,

I am working through this slowly. It looks like you are getting ahead  
nicely in both your understanding of the semantic web and moving to  
formalize the intuitions behind a web of trust.

On 17 Aug 2007, at 19:56, Peter Williams wrote:
> > > Now, I want my OpenID-Consumer robot to merge a signed/wot FOAF
> > > file that it _pulls_ ...with its own FOAF file (and its wot).
> >
> > What kind of robot would this be? Something like Beatnik
> > http://blogs.sun.com/bblfish/entry/beatnik_change_your_mind
>
> The "agent/robot" exists in the JanRain.c# OpenId-Consumer.

Let me just develop a little, hoping that by doing this we will  
increase the certainty that we are speaking about the same thing...

> My code pulls FOAF file rather than XRDS file, de-serializing it  
> into memory. Now I must perform "FOAF/wot resolution", in place of  
> XRI resolution. After that, I can bother to verify byte-level  
> signatures.
> I also de-serialize the OpenID-consumer's FOAF file (into the same  
> triple store) to "direct" the resolution process.

So you are implementing a new service such as dzone.com, but one that  
would consume the foaf file linked to from the openid page entered by  
the user, in order to determine how trustworthy the information in  
the foaf file is...

You know that I, the end user, am associated with the openid end point,  
because I correctly passed through the authentication steps. So the  
OpenId consumer has associated a physical being, or at least a user  
agent, with an openid url.

This openid url (http://openid.sun.com/bblfish in my case) points to  
a foaf file (we imagine it points to http://bblfish.net/people/card),  
and now the openId consumer would like to have some guidance as to  
the validity of the contents of that foaf file. After all I could be  
a liar or have recently gone insane.

To cut things really short one thing I could do is have my public key  
signed by a well known Certification Authority, and have the foaf  
file signed using my private key. That would at least identify the  
author of the foaf file, and make him liable for things he says which  
is usually good enough security.

Now we have identified two things:
   - me and my user agent as related to the openid
   - the foaf file as signed by a key known to a Certification Authority

There is still a piece missing. I could have put up a fake openid  
server and had my openid point to someone else's foaf file. But this  
is not a problem if the signed foaf file links me to the openid with  
a relation such as

  :me foaf:openid <http://openid.sun.com/bblfish> .

For the signed foaf file makes the author of it liable, the foaf file  
specifies that the openid end point is his, the user agent logs in  
via OpenId Authorization and so is identified as being the person  
spoken of in the foaf file.


> Wot resolution is thus a test: Does agent's wot "connect up" with  
> the user's wot, at some mutual "trust point". Trivially, that trust  
> point MAY be the OpenID Consumer's "trust point" URI, a signal used  
> in OpenID Auth protocol.

Can you tell me more about the trust point and how this relates to  
OpenId Auth protocol? Is the trust point the server that  
authenticates me?

> Wot-resolution should test for the "bestness" of trust points, if  
> it finds 2 or more (using DARPA/RFC1422-era confidence metrics -  
> computed using a heuristic search algorithm, now out of patent  
> control)

So I think WOT resolution is just a generalisation of the  
Certification Authority type of system. But because we are using URIs  
to point to relations we get more overlap and redundancy into the  
system.

If your service finds my foaf file and it finds that I have friends  
that have foaf files that just point to mine, then I am less  
anonymous than otherwise, and so probably more trustworthy, since  
more liable. If these people also sign my public key, then it is  
easier to trust statements as coming from me, or at least if there is  
something wrong there will be a lot of consequences to it.

> Ideally, someone has a script in some RDF Query language to test  
> for person-person connectivity between two sets of  
> friend-relations. If it exists, I'll repurpose the (ideally SPARQL)  
> query script to perform the analogous wot resolution, using the 2  
> sets of wot elements from the 2 FOAF files.

Yep. I saw how later you got closer to seeing the use of inferencing.  
I'll comment on that later.

Henry

> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
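
The two checks the thread circles around, the signed FOAF file having to claim the OpenID the user actually authenticated with (Henry's "missing piece") and WOT resolution as a connectivity test between the consumer's trust points and the user's foaf:knows neighbourhood (Peter's "does the agent's wot connect up"), written out as an added example. This is not code from the thread or from either correspondent. It assumes RDF triples modelled as (subject, predicate, object) string tuples rather than a real triple store, that the byte-level signature on the FOAF file has already been verified by the caller (who passes in the signing key's fingerprint), that "bestness" of several trust points is simply the fewest foaf:knows hops, and that the wot:fingerprint / wot:identity terms and all the sample URIs and graphs are constructed for the demonstration.

```python
"""OpenID-consumer trust checks over a fetched FOAF file (added example).

Assumptions: triples are (s, p, o) string tuples; the document signature was
verified out of band and the signer's fingerprint is passed in; the wot: terms,
URIs and graphs below are constructed, not real documents."""
from collections import deque

FOAF = "http://xmlns.com/foaf/0.1/"
WOT = "http://xmlns.com/wot/0.1/"


def objects(graph, subject, predicate):
    return {o for s, p, o in graph if s == subject and p == predicate}


def subjects(graph, predicate, obj):
    return {s for s, p, o in graph if p == predicate and o == obj}


def check_openid_binding(graph, doc_uri, authenticated_openid, signer_fingerprint):
    """The signed document must itself claim the OpenID just authenticated.
    Returns the person URI or raises ValueError. Three links are needed:
      1. the document names exactly one foaf:primaryTopic (the person),
      2. that person lists the authenticated URL as a foaf:openid,
      3. the signing key (matched by wot:fingerprint) has the person as wot:identity."""
    topics = objects(graph, doc_uri, FOAF + "primaryTopic")
    if len(topics) != 1:
        raise ValueError("document must have exactly one foaf:primaryTopic")
    person = topics.pop()
    if authenticated_openid not in objects(graph, person, FOAF + "openid"):
        # A fake OpenID server pointed at someone else's FOAF file fails here.
        raise ValueError("FOAF file does not claim the authenticated OpenID")
    keys = subjects(graph, WOT + "fingerprint", signer_fingerprint)
    if not any(person in objects(graph, key, WOT + "identity") for key in keys):
        raise ValueError("signing key is not declared as the person's key")
    return person


def knows_edges(*graphs):
    """Directed foaf:knows adjacency over the merged graphs."""
    edges = {}
    for graph in graphs:
        for s, p, o in graph:
            if p == FOAF + "knows":
                edges.setdefault(s, set()).add(o)
    return edges


def shortest_path(edges, start, goal, max_hops):
    """Breadth-first search along foaf:knows; node list or None."""
    prev, queue = {start: None}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        if depth < max_hops:
            for nxt in edges.get(node, ()):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append((nxt, depth + 1))
    return None


def resolve_wot(consumer_graph, user_graph, trust_points, person, max_hops=6):
    """WOT resolution: (best trust point, path) or None. 'Best' = fewest hops
    (an assumption; the thread mentions richer confidence metrics)."""
    edges, best = knows_edges(consumer_graph, user_graph), None
    for trust_point in trust_points:
        path = shortest_path(edges, trust_point, person, max_hops)
        if path and (best is None or len(path) < len(best[1])):
            best = (trust_point, path)
    return best


def reciprocal_friends(consumer_graph, user_graph, person):
    """Friends the person claims who also point back (the mail's 'less anonymous')."""
    edges = knows_edges(consumer_graph, user_graph)
    return {f for f in edges.get(person, set()) if person in edges.get(f, set())}


# Constructed sample graphs (not real FOAF documents; fingerprint is hypothetical).
CARD = "http://bblfish.net/people/card"
ME, OPENID = CARD + "#me", "http://openid.sun.com/bblfish"
ALICE, BOB, CAROL, DAVE = (f"http://example.org/{n}#me" for n in ("alice", "bob", "carol", "dave"))
ANCHOR_A, ANCHOR_B = "http://example.org/consumer#anchorA", "http://example.org/consumer#anchorB"
FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
USER_GRAPH = {
    (CARD, FOAF + "primaryTopic", ME), (ME, FOAF + "openid", OPENID),
    (ME, FOAF + "knows", ALICE), (ME, FOAF + "knows", BOB),
    (CARD + "#key", WOT + "fingerprint", FINGERPRINT), (CARD + "#key", WOT + "identity", ME),
}
CONSUMER_GRAPH = {
    (ANCHOR_A, FOAF + "knows", ALICE), (ALICE, FOAF + "knows", ME),   # alice points back: 2 hops
    (ANCHOR_B, FOAF + "knows", CAROL), (CAROL, FOAF + "knows", DAVE),
    (DAVE, FOAF + "knows", ME),                                        # 3 hops; bob never points back
}


def binding_holds(authenticated_openid):
    try:
        check_openid_binding(USER_GRAPH, CARD, authenticated_openid, FINGERPRINT)
        return True
    except ValueError:
        return False


def demo():
    person = check_openid_binding(USER_GRAPH, CARD, OPENID, FINGERPRINT)
    best = resolve_wot(CONSUMER_GRAPH, USER_GRAPH, [ANCHOR_A, ANCHOR_B], person)
    return person, best, reciprocal_friends(CONSUMER_GRAPH, USER_GRAPH, person)
```

Running `demo()` on the constructed graphs resolves through anchor A (two hops via alice, who also points back) rather than anchor B (three hops), and a consumer that authenticated some other OpenID against the same FOAF file is rejected by `check_openid_binding` before any WOT search runs. A real consumer would replace the tuple sets with its triple store and the hop count with whatever confidence metric it trusts.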
