[foaf-protocols] OpenID2 Server: openid4.me

Peter Williams home_pw at msn.com
Mon Nov 2 19:36:10 CET 2009




The FOAF file will need a PersonalProfileDocument with a PrimaryTopic entry
which matches the URI in the X.509 Client Certificate.




[Peter Williams] This sounds like the condition the OP will enforce, before
considering the user authenticated (using foaf+ssl). Only then would it
consider releasing a positive assertion. Whether the assertion makes a
representation that the openid identity is a verified webid - or whether an
sreg/ax attribute conveys the same - is a detail. Ideally, it will be an
attribute, so openid and foaf+ssl stay wholly independent (but
complementary).

Does the condition need to be stronger?

Should the OP (when validating the claims and facts from the various
foaf+ssl principals) consider what data source _domain_ was certified by the
https channel/cert it uses when _retrieving_ the foaf file's graph?

Take a case that stresses the above question. If the resource server
providing the foaf file were to do a 302 redirect to the OP pointing at
another https domain (which does actually deliver the rdf stream), would the
OP still be willing to validate the user as controlling the webid - and thus
be deemed "authenticated"?

Let's say that, after the 30x redirect, the domain of the streaming server
no longer matches the domain of the (absolute) URI of the user's personal
profile doc.
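As an added example (not part of Peter's message and not code from any foaf+ssl or OpenID implementation), a verifier sketch of both conditions discussed above, run over constructed sample data: the weak check that the fetched PersonalProfileDocument names the certificate's URI as its primaryTopic, and the stronger check that the host which actually streamed the RDF after any 30x redirect is still the WebID's own host. The hop lists, triples and the `alice.example`/`cdn.example` names are all assumptions.

```python
from urllib.parse import urldefrag, urlparse

# Constructed sample data (not from the original message). CERT_WEBID is the
# URI carried in the client certificate's subjectAltName; the hop lists record
# what the OP saw while fetching the profile document as (status, url) pairs,
# the last pair being the response that actually delivered the RDF.
CERT_WEBID = "https://alice.example/profile#me"
HOPS_SAME_HOST = [(200, "https://alice.example/profile")]
HOPS_CROSS_HOST = [(302, "https://alice.example/profile"),
                   (200, "https://cdn.example/alice.rdf")]

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
FOAF = "http://xmlns.com/foaf/0.1/"
# The graph the OP parsed, as (subject, predicate, object) triples.
TRIPLES = {
    ("https://alice.example/profile", RDF_TYPE, FOAF + "PersonalProfileDocument"),
    ("https://alice.example/profile", FOAF + "primaryTopic", CERT_WEBID),
}


def names_webid(triples, doc_url, webid):
    """Weak condition: doc_url is a PersonalProfileDocument whose primaryTopic is webid."""
    typed = (doc_url, RDF_TYPE, FOAF + "PersonalProfileDocument") in triples
    topic = (doc_url, FOAF + "primaryTopic", webid) in triples
    return typed and topic


def verify_webid(webid, hops, triples, strict_origin=True):
    """Decide whether the OP may treat the certificate holder as owning webid.

    Returns (accepted, reason). With strict_origin the host that streamed the
    RDF (the one certified by the https channel) must be the WebID's own host.
    """
    doc_url = urldefrag(webid).url  # profile document = WebID minus fragment
    status, final_url = hops[-1]
    if status != 200:
        return False, "profile document not delivered"
    # Every hop must be https, otherwise an on-path party could swap the graph.
    if any(urlparse(u).scheme != "https" for _, u in hops):
        return False, "non-https hop while fetching profile"
    if not names_webid(triples, doc_url, webid):
        return False, "document does not name the certificate's URI as primaryTopic"
    if strict_origin and urlparse(final_url).hostname != urlparse(webid).hostname:
        return False, "30x redirect left the WebID's domain: " + urlparse(final_url).hostname
    return True, "ok"


if __name__ == "__main__":
    print(verify_webid(CERT_WEBID, HOPS_SAME_HOST, TRIPLES))
    print(verify_webid(CERT_WEBID, HOPS_CROSS_HOST, TRIPLES))
    print(verify_webid(CERT_WEBID, HOPS_CROSS_HOST, TRIPLES, strict_origin=False))
```

With strict_origin=False the cross-domain fetch is accepted, which is exactly the weaker policy the message asks whether an OP should tolerate.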
