[foaf-protocols] Consensus on Web Identity presentation to W3C

Joe Presbrey presbrey at csail.mit.edu
Wed Aug 25 22:53:40 CEST 2010


So glad to see this straightened out. Thanks to everyone for their
hard work on clearing up the intent and substance of the presentation
this week. I have a few more comments on this discussion and propose a
revision to slide 6 below.

It seems that the essence of this debate was confusion about whether
this presentation is of the WebID *protocol* (FOAF+SSL) or a
particular/envisioned WebID *application* (eg. user-experience) and
the distinction (if any) there is between them?

IMO, there is definitely a distinction and one that is quite dangerous
to misrepresent. WebID extends far beyond IE, Firefox, Safari, other
browsers, or any other user-agents. I think this _advantage_ might
still be missing/downplayed in the presentation and it would be a
shame for us or the W3C to miss this boat.

For example, the email I just sent about SVN+WebID -- WebID
authentication with your JS/Flash WebID is incompatible with a full
roll-out of the WebID *protocol* across all HTTP/TLS/REST-based
applications and therefore serves as an insufficient example of the
full gravity of the advantages of WebID as a standardized *protocol*.

In another example, Melvin and I conjecture using WebID to
authenticate our foaf:friends and authorize them to listen to our
Shoutcast/MP3 streams in VLC/mplayer/etc.

Is there anything close to this kind of powerful, decentralized,
extensible, interoperable, and yet secure authentication provided by
OpenID, WebFinger, etc?  I think no.

=Slide 6=
If we're presenting the *protocol*, strike at least 'Inability to
logout'. This is an application-specific limitation (as is
user-interface and browser-anything). See:
http://tabulator.org/wiki/webID-required/
for an example of WebID Login+Logout in my *application*.

PS: I'm presenting the latest developments of the above
WebID-authenticated, Linked Data (space, Kingsley :) URI to
DIG at W3C/MIT on August 31st.

PPS: I see frequent confusion on this list of the authn/authz
terminology. As I understand it:
Authentication (authn) allows a user-agent to act on behalf of a given
security principal according to some mapping (eg.
X509/subjectAltName=>WebID).
Authorization (authz) determines which actions an authenticated
security principal may perform (WebID => GET/POST/PUT/DELETE).

Best wishes,

--
Joe Presbrey
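The authn/authz split described in the PPS above, worked through as an added example (not code from the original post or from any WebID implementation): authn maps a client certificate to a WebID by checking that the profile at the subjectAltName URI publishes the same RSA key, and authz then decides which HTTP methods that WebID may use. The FOAF profiles are constructed and held in memory instead of fetched over HTTP, a regex stands in for an RDF parser, and the "foaf:knows friends may GET" policy is an assumption of the example.

```python
import re

# Constructed FOAF profiles keyed by document URL, standing in for what an
# HTTP GET of the WebID document would return (no network in this example).
PROFILES = {
    "https://example.org/joe": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://example.org/joe#me> a foaf:Person ;
    foaf:knows <https://example.org/melvin#me> ;
    cert:key [ cert:modulus "00c1e5f2a7"^^xsd:hexBinary ; cert:exponent 65537 ] .
""",
}

def fetch_profile(webid):
    """Dereference the WebID: the profile document is the URI minus its fragment."""
    return PROFILES.get(webid.split("#", 1)[0])

def published_keys(webid):
    """Return the (modulus, exponent) pairs the profile publishes for webid.
    A regex over the constructed Turtle stands in for a real RDF parser."""
    doc = fetch_profile(webid) or ""
    keys = []
    for block in re.findall(r"cert:key\s*\[(.*?)\]", doc, re.S):
        mod = re.search(r'cert:modulus\s+"([0-9a-fA-F]+)"', block)
        exp = re.search(r"cert:exponent\s+(\d+)", block)
        if mod and exp:
            keys.append((int(mod.group(1), 16), int(exp.group(1))))
    return keys

def authenticate(san_uris, cert_modulus, cert_exponent):
    """Authn: map the client certificate to a WebID. Each subjectAltName URI
    is only a claim; it holds if that WebID's profile publishes the same RSA
    public key the certificate presented. Returns the WebID or None."""
    for uri in san_uris:
        if (cert_modulus, cert_exponent) in published_keys(uri):
            return uri
    return None

def authorize(webid, method, owner):
    """Authz: decide which HTTP methods an authenticated WebID may use on a
    resource owned by `owner`. Policy (assumed for this example): the owner
    may do anything, foaf:knows friends of the owner may GET, others nothing."""
    if webid == owner:
        return True
    friends = re.findall(r"foaf:knows\s+<([^>]+)>", fetch_profile(owner) or "")
    return method == "GET" and webid in friends
```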
