[foaf-protocols] FOAF+SSL delegation: logging in to an HTTP server

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Tue Apr 28 16:36:55 CEST 2009 


Story Henry wrote:
> Henry Story wrote:
>  > The time it takes has no relation to whether or not something is a 
> hack. Saying of something that it is a hack is partly an aesthetic 
> judgement. [...]
> 
> Bruno Harbulot answered:
>  > The web is huge, so it is very likely that this hack or similar ones 
> will be around for a long time
> 
> Kinsley Idehen interjected:
>  > Don't know why you like to tag a innovative extension of an existing 
> protocol as a "hack".
> 
> So to get this clear:
> 
> FOAF+SSL in my thinking is *not* a hack: It works with web architecture 
> - it is RESTful in the full sense of the word. Architecturally it is 
> very sound. And it provides real value: global sign on and distributed 
> social networks.

Agreed.


> The FOAF+SSL delegation services we are building here, and that I'd like 
> to get on with, *are* hacks, because they are just simple bridges to 
> help people without the required infrastructure to get going. The value 
> delivered by these services is entirely dependent on the value of 
> FOAF+SSL. There is nothing wrong with creating such services. They are 
> useful - even essential perhaps. But they are not ends in themselves.

Agreed, but my point was that, if FOAF+SSL gets successful this way, 
what you call "hacks" here will probably be used longer than you would like.


> Furthermore these services have very very little interoperability 
> requirements. Every such "IdP" could create its own protocol to help 
> services that do not have SSL help to find a user's WebID, and there 
> would be absolutely no problem. Even the switching costs of a service 
> from one such service to another would be minimal. As a proof foaf.me 
> switched to using the foafssl.org service provider in less than 3 
> minutes, a few weeks ago.

(You meant foafssl.org IdP, I guess)

In this last sentence, you've missed a key point. foaf.me is a (good) 
work in progress, but the way it uses foafssl.org IdP is not secure in 
any way. In fact, it doesn't do any _authentication_ of the Web ID it 
gets from foafssl.org at the moment (anyone could fill in anything in 
the webid parameter). So, yes, obviously, if you skip the authentication 
part you can swap an IdP for another easily in less than 3 minutes!


Best wishes,

Bruno.

More information about the foaf-protocols mailing list