[rdfweb-dev] Foaf-for-Dean

Julian Bond julian_bond at voidstar.com
Mon Oct 13 20:18:39 UTC 2003


Parker Thompson <parkert at uclink.berkeley.edu> wrote:
>I have concerns about the Drupal model of single sign on with respect to
>the security model.

>With respect to authentication, I myself am partial to the Liberty Alliance
>model (federated authentication)

Marc Canter <marc at broadbandmechanics.com> wrote:
>We're planning on using PingID's open source implementation - called
>"SourceID" for single sign-on authentication and FOAF.

Liberty & PingID (and I guess Passport) work on the basis that there is 
a prior, strong agreement between sites with some sort of shared secret. 
This also introduces a strong trust and reputation link between the 
sites. This lets you do strong authentication with industrial strength 
security. If you want it. The problem is the need for the prior 
arrangement. This works against the individual and introduces all sorts 
of roadblocks. Unfortunately protocols built round this sort of approach 
also seem to attract complexity as participants try and solve every 
possible scenario. One possible exception to this is
http://php.weblogs.com/universal which is a simple xmlrpc system for 
federated identity but using a push approach.

The Drupal (and SEA) pull approach starts at the opposite end of the 
spectrum. It effectively says that anyone can provide an authentication 
service with no prior setup. All that's needed is an agreed protocol. 
The issue here is not security because that's just a question of how 
much effort you put into the protocol. The issue is how much you trust 
an authentication service you've never used before. My view is that 
there are many, many situations now where we don't actually care. And 
secondly that it's an interesting problem in de-centralization.

Bring this back to FOAF. FOAF actually has similar issues. How much do 
we trust the data contained in it? How much do we trust the Foaf data 
from a particular source?

-- 
Julian Bond Email&MSM: julian.bond at voidstar.com
Webmaster:              http://www.ecademy.com/
Personal WebLog:       http://www.voidstar.com/
M: +44 (0)77 5907 2173   T: +44 (0)192 0412 433


