[foaf-dev] quick notes re Online Account Re: [foaf-protocols] creating a cert service

Story Henry henry.story at bblfish.net
Tue Jan 27 18:15:38 CET 2009


On 27 Jan 2009, at 17:13, Dan Brickley wrote:

>
> +cc: foaf-dev
>
> On 27/1/09 17:01, Story Henry wrote:
>> Danbri had a great idea, and that is to use foaf:OnlineAccount as the
>> type of the thing I am creating. [...snip]
>
> Something I also forgot to write down yet: ...
>
> I have an idea that we can tie together many kinds of 'online  
> accounts' via the notion that they are each something which their  
> owner can 'prove' control of, with varying degrees of formality.

I go into that in detail with openid and foaf+ssl in "foaf+ssl:  
creating a web of trust without key signing parties"

http://blogs.sun.com/bblfish/entry/more_on_authorization_in_foaf


> For example, some sites ask you to 'prove' you control your alleged  
> phone number. Or a web page / domain by inserting certain markup  
> into a page (Google for domains does this, also some blog  
> aggregators). OpenID is machinery for proving you control some page.  
> IM/XMPP interactions can be used to prove you control some chat  
> account; and of course millions of emailed codes / links are sent  
> daily to prove that you control (have read access to read) some  
> mailbox. I think PGP/GPG and digital certs can also be considered in  
> this way, although with PGP there's not so much a notion of a  
> service provider as with most other kinds of 'account'.
>
> Does that make sense as kind of high level narrative? How it shakes  
> out in the spec, I'm not sure...

yes.

> Once we have the idea that people can prove control of an account,  
> we can associate RDF/data "from" that account with its owner/ 
> controller. Which brings me to another under-documented problem,  
> that of dis-entangling statements / claims from the service provider  
> from those of the account holder. I made some notes on that here - http://svn.foaf-project.org/foaftown/2009/headstream/readme.txt 
>  - but haven't made time to write it up properly yet. Short version:  
> a SPARQL CONSTRUCT for some service can be used to take a pile of  
> RDF/RDFa and separate out the data streams from provider and from  
> account holder. For example, the parts that the service has checked  
> (eg. that the holder controls some openid, or email, or phone); this  
> is important since we want to know who-said-what...

I think we are in the space of speech acts here. Every representation  
is a speech act. It is said by someone. We can get some idea of who it  
is, if the agent making the act writes

@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix dc: <http://purl.org/dc/elements/1.1/> .
@prefix : <#> .

<> a foaf:Document;
    dc:creator <http://bblfish.net/people/henry/card#me>;
    foaf:primaryTopic :you .

:you a foaf:Person .

Of course since anyone can write this stuff in a page it would help if  
the page was signed by
<http://bblfish.net/people/henry/card#me>

If <http://bblfish.net/people/henry/card#me> publishes his public key  
at that location, then it would be easy to verify. The signature,  
using xml-sig or something, would mean that one could add the  
following to a graph store:

{ <> foaf:primaryTopic :you .
   :you a foaf:Person } dc:creator <http://bblfish.net/people/henry/card#me> .

since one could be sure of the creator.

The agent publishing the statements should as much as possible only  
publish what it believes to be true. And reference as much as possible  
what others say. That is why in Academia, one references prior works  
on which one bases one's work. One does that both for reasons of  
honesty, but also as a way of grounding what one says.

Just thinking out loud here too.

Henry

>
>
> thinking out loud on the run,
>
> Dan
>
> --
> http://danbri.org/
>
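As an added worked example (not code from the mail or from the FOAF project) of the step Henry describes, where a graph store attributes a page's triples to its dc:creator only after the page's signature checks out against the key published at that creator's WebID: a detached Ed25519 signature stands in for xml-sig and an in-memory map stands in for dereferencing the WebID, both assumptions made so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedDoc is a constructed stand-in for a FOAF page: its body (the
// triples about :you) is signed by the agent it names as dc:creator.
// The mail proposes xml-sig; here a detached Ed25519 signature over the
// body bytes stands in for that (an assumption, not the mail's method).
type SignedDoc struct {
	URI, Creator, Body string
	Sig                []byte
}

// KeyDir stands in for dereferencing the creator's WebID and reading the
// public key published there (assumed; really an HTTP GET of the card).
type KeyDir map[string]ed25519.PublicKey

// Sign builds a document signed with the creator's private key.
func Sign(uri, creator, body string, priv ed25519.PrivateKey) SignedDoc {
	return SignedDoc{uri, creator, body, ed25519.Sign(priv, []byte(body))}
}

// Attribute checks the signature against the key published at the claimed
// creator and only then emits the graph-store record from the mail,
// "{ triples } dc:creator <creator> .", so unsigned or altered statements
// are never attributed to the person the page names.
func Attribute(d SignedDoc, keys KeyDir) (string, bool) {
	pk, ok := keys[d.Creator]
	if !ok || !ed25519.Verify(pk, []byte(d.Body), d.Sig) {
		return "", false
	}
	return fmt.Sprintf("{ %s } dc:creator <%s> .", strings.TrimSpace(d.Body), d.Creator), true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	henry := "http://bblfish.net/people/henry/card#me"
	keys := KeyDir{henry: pub}
	body := "<> foaf:primaryTopic :you . :you a foaf:Person ."
	doc := Sign("http://example.org/page", henry, body, priv)
	rec, ok := Attribute(doc, keys)
	fmt.Println(ok, rec) // true { ... } dc:creator <...#me> .
	doc.Body += " :you foaf:knows :x ." // page edited after signing
	_, ok = Attribute(doc, keys)
	fmt.Println(ok) // false: the altered triples are not attributed
}
```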