[foaf-protocols] the logic of foaf+ssl = identity

Story Henry henry.story at bblfish.net
Fri Mar 6 15:24:04 CET 2009


I'll cut up the replies into a few smaller pieces. Here on Identity.

(( Ps. The logical part of this email, which I will answer later, is  
making a lot of sense. I think we are converging. I am just answering  
this part here first because it is easy to answer and could clear up  
other issues along the way. ))

On 6 Mar 2009, at 14:22, Bruno Harbulot wrote:

>> No I think we quite clearly get owl:sameAs equality (in n3 = is a  
>> shorthand for owl:sameAs).
>> Though showing it formally and exactly could be difficult. (And if  
>> we are dealing with identity it is not surprising that we should  
>> end up dealing a lot with owl:sameAs)
>
> Well, "sameAs" isn't such a clear concept. Similarly to OpenID, the  
> user is not really the ID, the user has write access on that ID (or  
> whoever has write access to that ID is happy to delegate usage of  
> that ID by a particular user.)

owl:sameAs is extremely clearly defined. You can look up the details at

   http://www.w3.org/TR/owl-guide/#owl_sameAs
   http://www.w3.org/TR/owl-ref/#sameAs-def

and in other places.

> The bit we're trying to prove, (4) above, is exactly the same  
> problem as self-registration by e-mail address. We delegate  
> responsibility to that ID. We don't actually know what the user is  
> (he's outside the system), we just know that he has control over  
> this ID.

Interestingly enough, on the issue of control, foaf+ssl can work  
without my controlling the URI. It is quite possible to imagine that  
the government should give out crypto USB keys, which would create  
certificates for me, with my government URL on it. So I would neither  
have control over the subject alternative name, nor over the public key.

No, I think we are trying to find out when the server should serve a  
given resource. We are trying to work out what reasoning it can have  
that is correct, useful and on which we can build some powerful  
distributed trust technologies.

> I'm not a URI and I'm not an e-mail address, but to anyone reading  
> this message, that's how I'm identified.
> Of course, on a mailing list, this isn't particularly secure.  
> However, when I try to register to a website that's going to ask for  
> confirmation (say java.net), I'm going to have to confirm my e-mail  
> address. All this proves to the website is that the physical  
> individual who is controlling the browser during the registration  
> also controls the e-mail address used to register that account.

You are not your name either. But that's not the point. In the  
semantic web we distinguish between the name and the thing very  
clearly. It's partly the distinction between syntax and semantics.

see the picture here http://blogs.sun.com/bblfish/resource/Syntax-Semantics-Photo.jpg

What goes between angle brackets '<','>' is the name; what the whole  
thing including angle brackets refers to is the thing. If you want to  
speak just about the name you can use simple quotes.

<http://romeo.net/#romeo> foaf:name "Romeo";
                 xxx:webid "http://romeo.net/#romeo" .

This is saying that Romeo has a relation foaf:name to the string  
"Romeo". The string "Romeo" identifies <http://romeo.net/#romeo>  
indirectly as his name. Same with the string "http://romeo.net/#romeo" .

Email addresses are somewhat different as they identify a mailbox. So  
<mailto:romeo@romeo.net> would identify Romeo's inbox, but not Romeo  
himself. That is why we have the foaf:mbox relation, to say

<http://romeo.net/#romeo> foaf:mbox <mailto:romeo@romeo.net> .


> The purpose of authentication is to prove that the user has the  
> relevant credentials to use the ID (and to bind this ID to the  
> subject on the system).

Well, as we have discussed a lot before, I think that is part of  
identification. Authentication comes into it, especially when there is  
a CA in the loop, and you need to authenticate the CA, which is the  
entity you trust, and that enables you to pass from

the cert says { s r b }

to

s r b .

Authentication comes from 'proving authorship'. So in the  
identification step in foaf+ssl we have a very minimal version of  
that, in that we look for a self signed certificate, but in our case  
that does not enable us to do the above disquotation, because we are  
not sure we trust the agent yet.

> I just find "equality" a bit confusing. The "puppet master" analogy  
> I used w.r.t the subject wasn't quite right, but it's still a matter  
> of control, not really equality. We just prove that the user  
> controls both the private key and the URI, although this user can  
> only be identified by the URI.

This is coming along nicely,

	Henry
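The name/thing distinction and the "cert says { s r b }" disquotation step above, worked through as an added example. This is not Henry's code nor anything from the foaf+ssl project: it is a tiny parser for just the N3 subset that appears in this message (IRIs in angle brackets, quoted literals, prefixed names, ';' and '.'), plus the rule from the message that a quoted graph is released as plain triples only when its signer is trusted. The "xxx" prefix is bound to a made-up namespace, the CA identifier is a placeholder, and the sample graph is the one from the message with the list-archive address obfuscation undone.

```python
import re
from dataclasses import dataclass


# Two node kinds: an IRI is a name that refers to a thing out in the world;
# a Literal is just a string, even when the string happens to look like a URI.
@dataclass(frozen=True)
class IRI:
    value: str


@dataclass(frozen=True)
class Literal:
    value: str


# foaf is the real FOAF namespace; "xxx" is the placeholder prefix used in the
# email, bound here to an obviously hypothetical namespace (assumption).
PREFIXES = {
    "foaf": "http://xmlns.com/foaf/0.1/",
    "xxx": "http://example.org/hypothetical#",
}

# Token grammar of the N3 subset handled here: <iri>, "literal", prefix:name, ';', '.'
_TOKEN = re.compile(r'<([^>]*)>|"([^"]*)"|([A-Za-z_]\w*):([\w#/-]*)|([.;])')


def tokenize(text):
    """Turn N3 text into IRI / Literal nodes and ';' '.' punctuation strings."""
    out = []
    for m in _TOKEN.finditer(text):
        iri, lit, pfx, local, punct = m.groups()
        if iri is not None:
            out.append(IRI(iri))
        elif lit is not None:
            out.append(Literal(lit))
        elif pfx is not None:
            out.append(IRI(PREFIXES[pfx] + local))
        else:
            out.append(punct)
    return out


def parse_n3(text):
    """Parse 'subject pred obj; pred obj .' statements into (s, p, o) triples."""
    tokens = tokenize(text)
    triples = []
    i = 0
    while i < len(tokens):
        subject = tokens[i]
        i += 1
        while True:
            predicate, obj = tokens[i], tokens[i + 1]
            triples.append((subject, predicate, obj))
            punct = tokens[i + 2]
            i += 3
            if punct == ".":
                break
            if punct != ";":
                raise ValueError("expected ';' or '.' after object")
    return triples


def things_and_names(triples):
    """Split the nodes of a graph into things (IRIs) and mere names (literals)."""
    things = {n for t in triples for n in t if isinstance(n, IRI)}
    names = {n for t in triples for n in t if isinstance(n, Literal)}
    return things, names


def disquote(said, trusted):
    """'signer says { graph }' becomes plain 'graph' only for trusted signers.

    said: list of (signer IRI, triples); trusted: set of signer IRIs.
    A self-signed certificate is a claim signed by its own subject, so with an
    empty trusted set nothing is released, exactly as the message describes.
    """
    accepted = []
    for signer, graph in said:
        if signer in trusted:
            accepted.extend(graph)
    return accepted


# Constructed sample: the two graphs from the message.
ROMEO_GRAPH = '''
<http://romeo.net/#romeo> foaf:name "Romeo";
                          xxx:webid "http://romeo.net/#romeo" .
<http://romeo.net/#romeo> foaf:mbox <mailto:romeo@romeo.net> .
'''

ROMEO = IRI("http://romeo.net/#romeo")
CA = IRI("http://example.org/hypothetical-ca#key")  # placeholder trusted CA


def scenario():
    """Return (self-signed only, CA-signed) results of the disquotation rule."""
    graph = parse_n3(ROMEO_GRAPH)
    self_signed = [(ROMEO, graph)]       # romeo says { romeo ... }
    ca_signed = [(CA, graph)]            # CA says { romeo ... }
    return disquote(self_signed, {CA}), disquote(ca_signed, {CA})


if __name__ == "__main__":
    things, names = things_and_names(parse_n3(ROMEO_GRAPH))
    print("things:", sorted(t.value for t in things))
    print("names: ", sorted(n.value for n in names))
    untrusted, trusted = scenario()
    print("released from self-signed claim:", len(untrusted))
    print("released from CA-signed claim:  ", len(trusted))
```

Running it shows that Literal("http://romeo.net/#romeo") lands among the names while IRI("http://romeo.net/#romeo") lands among the things, and that the same three triples are released from the CA-signed claim but not from the self-signed one.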
