[OpenID] foaf and openid

Peter Williams pwilliams at rapattoni.com
Sun Sep 9 17:03:29 UTC 2007


Let me go through this one slowly (Peter speed). I'm still catching
up.

An RDF resource (foaf file) is the consumer of an OpenID. 

Upon nominally receiving the openid AND actually receiving an
immediate/unsolicited Auth validating the openid value as a claimed_id,
the RDF/XML serialization handler would impose access controls - once
it's validated the Auth by intelligent or dumb means.

Depending on the authorization claims in the Auth msg, the serialization
function would constrain which graphs or elements of an RDF file will be
serialized and communicated.

If the Auth msg contains an RSA public key, the serialization function
can perform signature and encryption of the graph, using
XML-DSIG/XMl-ENC.

---------------

This scheme is - of course - almost identical to presenting a digital
certificate to a website, today, via https, and getting a SAML-assertion
(xmldig'd/xmlenc'd per SAML2) wrapper around the RDF XML stream back.

As TLS proposed extensions now allow the "certificate" to be in
non-X.509 formats, however, there is NO reason why the certificate
messages in the SSL handshake of the future cannot dump the X.509 cert
format and just use the unsolicited Auth msg format in the same
role & function.

In the era before those TLS extensions are actually widely available, to
interwork in practice with today's systems one just creates a minimal
self-signed cert wrapper using X.509 formats and signing rules, putting
the OpenID Auth value as the only extension that the consumer is
actually interested in using. As systems evolve, one dumps the
meaningless X.509 wrapper.
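The access-control step described above (the FOAF file acting as OpenID consumer, serializing only the graph elements the authenticated identity may see), as an added example that is not code from this thread or from any OpenID library. It assumes a constructed in-memory triple list, the URL form http://mydoma.in/myfoaf.rdf?openid_identifier=... from Boris's message, and a verified_claimed_id argument that the caller obtained from a completed OpenID authentication (signature and return_to checks done elsewhere), or None when no valid assertion arrived. The owner identifier, friend identifiers and access levels are all constructed for the example.

```python
# Added example: access-controlled FOAF serialization keyed on a verified
# OpenID claimed_id. Not code from this thread or from any OpenID library.
# Assumptions (constructed for the example): the in-memory triple list below,
# the URL http://mydoma.in/myfoaf.rdf from Boris's message, and a
# `verified_claimed_id` argument that the caller obtained from a completed
# OpenID authentication (signature / return_to checks done elsewhere), or
# None when no valid assertion arrived.
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"
ME = "http://mydoma.in/myfoaf.rdf#me"  # owner of the FOAF file (assumed)

# Constructed sample graph: (subject, predicate, object) triples.
GRAPH = [
    (ME, FOAF + "name", "Example Person"),
    (ME, FOAF + "homepage", "http://mydoma.in/"),
    (ME, FOAF + "mbox", "mailto:me@mydoma.in"),
    (ME, FOAF + "phone", "tel:+1-555-0100"),
    (ME, FOAF + "knows", "http://friend.example/id"),
    (ME, FOAF + "knows", "http://other.example/id"),
]

# Which predicates each access level may see; phone is owner-only.
PUBLIC_PREDICATES = {FOAF + "name", FOAF + "homepage"}
FRIEND_PREDICATES = PUBLIC_PREDICATES | {FOAF + "mbox", FOAF + "knows"}


def access_level(graph, verified_claimed_id):
    """Map the *verified* claimed_id to owner / friend / anonymous."""
    if verified_claimed_id is None:
        return "anonymous"
    if verified_claimed_id == ME:
        return "owner"
    friends = {o for s, p, o in graph if s == ME and p == FOAF + "knows"}
    return "friend" if verified_claimed_id in friends else "anonymous"


def visible_triples(graph, verified_claimed_id):
    """Constrain the graph to what this identity is allowed to receive."""
    level = access_level(graph, verified_claimed_id)
    if level == "owner":
        return list(graph)
    allowed = FRIEND_PREDICATES if level == "friend" else PUBLIC_PREDICATES
    return [t for t in graph if t[1] in allowed]


def _clark(uri):
    """Split a predicate URI into ElementTree's {namespace}local form."""
    cut = max(uri.rfind("#"), uri.rfind("/")) + 1
    return "{%s}%s" % (uri[:cut], uri[cut:])


def serialize_rdfxml(triples):
    """Minimal RDF/XML serialization of the already-filtered triples."""
    ET.register_namespace("rdf", RDF)
    ET.register_namespace("foaf", FOAF)
    root = ET.Element("{%s}RDF" % RDF)
    descriptions = {}
    for s, p, o in triples:
        desc = descriptions.get(s)
        if desc is None:
            desc = ET.SubElement(root, "{%s}Description" % RDF,
                                 {"{%s}about" % RDF: s})
            descriptions[s] = desc
        el = ET.SubElement(desc, _clark(p))
        if o.startswith(("http://", "https://", "mailto:", "tel:")):
            el.set("{%s}resource" % RDF, o)  # object is a resource
        else:
            el.text = o  # object is a literal
    return ET.tostring(root, encoding="unicode")


def handle_request(url, verified_claimed_id, graph=GRAPH):
    """Serve the FOAF file for a request like
    http://mydoma.in/myfoaf.rdf?openid_identifier=your.open.id

    The openid_identifier query parameter is unauthenticated: it is only
    the hint used to start discovery/authentication. The access decision
    is made on verified_claimed_id alone, so a mismatch between hint and
    assertion, or a missing assertion, degrades to the anonymous view
    rather than trusting the hint.
    """
    query = parse_qs(urlparse(url).query)
    hinted = query.get("openid_identifier", [None])[0]
    body = serialize_rdfxml(visible_triples(graph, verified_claimed_id))
    return hinted, body


if __name__ == "__main__":
    url = "http://mydoma.in/myfoaf.rdf?openid_identifier=http://friend.example/id"
    print(handle_request(url, None)[1])                        # public view only
    print(handle_request(url, "http://friend.example/id")[1])  # friend view
```

The design point is that the hint in the query string and the identity used for authorization are kept apart: the handler stores the hint only for discovery, and every filtering decision goes through the claimed_id that the OpenID assertion actually validated. An RSA key carried in the Auth message, as Peter suggests, would plug in after visible_triples and before serialization, signing or encrypting the filtered graph rather than the full one.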



> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Boris Erdmann
> Sent: Friday, July 20, 2007 7:59 AM
> To: Story Henry
> Cc: general at openid.net
> Subject: Re: [OpenID] foaf and openid
> 
> Well,
> 
> if we made
> 
>   http://mydoma.in/myfoaf.rdf
> 
> an OpenID2.0 consumer it could be accessed via
> 
>   http://mydoma.in/myfoaf.rdf?openid_identifier=your.open.id
> 
> and it would know how much foaf-data to reveal towards the requesting
> identity. Not much protocol needed here to start with. (Thinking
> further, this might be one of the first widely adopted use cases for
> immediate Auth requests)
> 
> One would need to think about discovery (but see the sun article you
> quoted, as this is the "officially" proposed method
> http://www.foaf-project.org/2004/11/join.html). In an ideal world my
> FOAF URL could be my OpenID, because every browser understands XSLT
> and could render the foaf data into XHTML (but this would break simple
> HTML discovery for OpenID). Or it could be done using Yadis.
> 
> Just a few thoughts... Is this approach too simple?
> 
> Boris
> 
> 
> 
> On 7/20/07, Story Henry <Henry.story at bblfish.net> wrote:
> > Hi,
> >
> > It occurred to me recently that there was a nice and simple use of
> > foaf and openid, where the two could be made to mesh very nicely and
> > improve the user experience.
> >
> > http://blogs.sun.com/bblfish/entry/foaf_openid
> >
> > The idea is simply to add a foaf link to the html representations of
> > the openid resource, so that servers could use that information to
> > present more information to the client.
> >
> > Now a little more advanced question would be to specify for each
> > service what type of depth of access one may want to give them to
> > one's foaf file. This is where a few protocol tricks could come in
> > useful.
> >
> > Henry
> >
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >