[foaf-dev] Updated Wordpress OpenID trust exporter - any Wordpress/PHP experts interested?

Peter Williams pwilliams at rapattoni.com
Tue Dec 29 16:14:00 CET 2009


You leveraged the sp-centric websso flow model, with sp side account linking, and sp affiliations. It's very powerful, compared to the idp-centric trust model!

The adoption of the sp affiliation model is what is interesting - the notion that one relies if someone else also relied (and those in the relying-party-only network MAY "use" the dynamically-constructed linking name issued by a primary relier). It was built into SUN's federation protocols from an early stage, though it is falling out of favor (as folks try to impose the idp-centric trust model).

But for me, you went further. While it is common for N relying parties in the network to each provision and superimpose local acls for a mapping name provisioned by the primary relier of the sp affiliation network, you seem to be suggesting that it's not only a mapping-name that the primary relier issues: they also issue their reasoning model of their own earlier act of reliance (on an IDP), given the particular ACCESS context they were operating under.

Thus, others in the affiliation can reuse the earlier act of reasoning, as the primary RP reveals the particular rules it used in the particular case AND its reliance context. Thus the secondary reliers in the affiliation can (a) repeat the act of reliance by dynamically importing the rules, and (b) add and subtract their own local rules of reliance.

The obvious rule base is the whitelist of IDPs maintained by the primary relying party as applied to the openid assertion, which when published to other relying parties in respect of a particular openid mapped to a webid allows the affiliated relying parties to impose a further constraint on that whitelist, for ITS purposes. This is obviously subtracting rules.

It also allows federated reliance, which can add rules. When the other relying parties in the affiliation dynamically merge the rulesets of several acts of reliance, one can access the wiki provided you have been found reliable at one or more of these n other sites (and the local whitelist is the union of all their lists, as published for THAT openid in THAT access context).

What's missing is the authorization model. Relying parties need to publish that they relied on the following rules, given access (at their site) to a particular class of resources. They are thus publishing for the act of reliance not only the general constraints they imposed, but the facts that constrained their own rulebase, for a class of resources that others may recognize and for which they may want to "borrow" those rules. Or, if DoD relies on Google-issued to access resource labeled as file labeled DoD-secret, then so may IBM also rely on Google (for IBM-secret, mapped to DoD-secret in the authorization logic).





-----Original Message-----
From: foaf-dev-bounces at lists.foaf-project.org [mailto:foaf-dev-bounces at lists.foaf-project.org] On Behalf Of Dan Brickley
Sent: Tuesday, December 29, 2009 6:54 AM
To: Melvin Carvalho
Cc: foaf-dev Friend of a
Subject: Re: [foaf-dev] Updated Wordpress OpenID trust exporter - any Wordpress/PHP experts interested?

On Tue, Dec 29, 2009 at 3:14 PM, Melvin Carvalho
<melvincarvalho at gmail.com> wrote:
>
>
> On Mon, Dec 28, 2009 at 5:42 PM, Dan Brickley <danbri at danbri.org> wrote:
>>
>> On Thu, Dec 24, 2009 at 10:05 AM, Dan Brickley <danbri at danbri.org> wrote:
>> > Hi folks,
>> >
>> > Following up on http://danbri.org/words/2009/10/25/504 ('Syndicating
>> > trust? Mediawiki, Wordpress and OpenID')
>> [snip]
>> ( full mail is at
>> http://lists.foaf-project.org/pipermail/foaf-dev/2009-December/009962.html
>> )
>>
>> OK, I've built this. My first wordpress plugin in 5 years, so it's a bit
>> rough.
>>
>> See http://danbri.org/words/network for its output.
>>
>> The plugin is configured (ok, hardcoded) to run only in certain
>> Wordpress pages. It assumes that whatever theme you use has been
>> suitably adjusted to declare RDFa DTD, and xmlns:foaf url. Then at the
>> page footer it emits a pretty crude list of all the OpenID URLs that
>> have been trusted in the blog commenting system.
>>
>> I'm not sure quite the best RDF idioms here. I know some folk want
>> URIs for everything, and I have tried to accommodate that while also
>> living with the potentially dynamic nature of the data: each
>> 'foaf:Agent' that holds one of these trusted OpenID URIs is listed as
>> a member of a foaf:Group, and I also generate it a local-to-my-site
>> URI by hashing the openid. Since I am declaring URIs within an RDFa
>> setting, I am experimenting here with the idiom of using '#!foo' to
>> make it clear that these are not expected to clash with names assigned
>> in HTML. I'll append the output of the 'getN3' RDFa parser
>> (http://www.w3.org/2006/07/SWD/RDFa/impl/js/) below.
>
> Looks good!  I've added openid and f2f/f2f.php to my blog.  Is there a
> snippet for /network ?

What I did initially was create a new "Page" object from within
Wordpress, called Network and with /network as its path. Unfortunately
this will show up on your menus etc. There are plugins that can
suppress this, but the real answer is to find someone who knows
wordpress properly who can suggest how the code should really expose
itself via URLs. On Ed Summers' blog, marking the page 'draft' seems
to work ok as a way of hiding it from menus; on mine it also seemed to
work but when parsing with rdflib it seemed to see 404 for some
reason.

Sorry it's a bit rough edged! Will be nice to have it on 3+ blogs for
testing. Trying to write the sparql now to find out who has commented
on both Ed and my blogs...

Dan
_______________________________________________
foaf-dev mailing list
foaf-dev at lists.foaf-project.org
http://lists.foaf-project.org/mailman/listinfo/foaf-dev
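
Added example (not part of the original messages and not code from the plugin): a Python sketch of the affiliation model described in Peter Williams's reply, where a secondary relier imports the IdP whitelists that other reliers published for one OpenID in one access context (adding rules by union), maps its own resource class onto theirs, and then narrows the result with a local constraint (subtracting rules). The record layout, function names and every hostname are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Reliance:
    """One published act of reliance (hypothetical record layout)."""
    relier: str               # relying party that accepted the OpenID
    openid: str               # the OpenID it accepted
    resource_class: str       # access context the relier was operating under
    idp_whitelist: frozenset  # IdP whitelist (rule base) it applied

ALICE = "https://alice.example/"  # constructed sample data throughout
PUBLISHED = [
    Reliance("blog-a.example", ALICE, "comment", frozenset({"idp1.example", "idp2.example"})),
    Reliance("blog-b.example", ALICE, "comment", frozenset({"idp1.example", "idp3.example"})),
    Reliance("dod.example", ALICE, "DoD-secret", frozenset({"idp1.example"})),
]

def borrowed_whitelist(openid, local_class, class_map, trusted_reliers, published=PUBLISHED):
    """Adding rules: union of the whitelists that trusted reliers published
    for THIS openid in THIS access context (after mapping the local class)."""
    wanted = class_map.get(local_class, local_class)
    lists = [r.idp_whitelist for r in published
             if r.openid == openid
             and r.resource_class == wanted
             and r.relier in trusted_reliers]
    return frozenset().union(*lists)  # no matching reliance -> empty set

def decide(openid, asserting_idp, local_class, trusted_reliers,
           class_map=None, local_constraint=None, published=PUBLISHED):
    """Secondary relier's decision: import the published rules, then
    subtract by intersecting with an optional local constraint."""
    allowed = borrowed_whitelist(openid, local_class, class_map or {},
                                 trusted_reliers, published)
    if local_constraint is not None:
        allowed &= frozenset(local_constraint)
    return asserting_idp in allowed  # fails closed when nothing was published

if __name__ == "__main__":
    blogs = {"blog-a.example", "blog-b.example"}
    print(decide(ALICE, "idp3.example", "comment", blogs))
    print(decide(ALICE, "idp2.example", "comment", blogs,
                 local_constraint={"idp1.example"}))
    print(decide(ALICE, "idp1.example", "IBM-secret", {"dod.example"},
                 class_map={"IBM-secret": "DoD-secret"}))
```
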

