[foaf-protocols] webid-linked claim verification?

Dan Brickley danbri at danbri.org
Thu Aug 26 09:47:33 CEST 2010


Hi folks

Has anyone here built a webapp that shows verification of simple
identity-relevant claims? This idea is not tightly coupled to WebID
but would help ground WebIDs (or equally self-hosted OpenIDs) in other
identifying information.

e.g. 1.) you go along, log in with a webid cert, and select "verify an
email address"; it sends you some generated token by email, with a
URL; you get that mail, follow the link, log in again with webid if
needed [eg. the mail might arrive tommorrow], ... after which you've
established some evidence that whoever controls that webid also
controls (for now) that mailbox.

e.g. 2.) you go along, log in with a webid cert, and select "verify a
Web account", and choose a provider from a list of service providers
who offer OpenID, OAuth and/or proprietary API ways of allowing
someone to demonstrate control over an account. For OpenID you should
also have the ability to type in an arbitrary OpenID-enabled URL. So
here you might verify that you control http://twitter.com/example
[this would use OAuth], or a Facebook account.

e.g. 3.) or you login with webid again, and select "verify a Chat
account"; selecting from MSN, Yahoo, AIM, or Jabber/XMPP. Actually
these things are increasingly linked to general Web profiles, but at
least Jabber/XMPP would be particularly interesting. So you'd type in
your chat address, let's say johnsmith at gmail.com for a Google Talk
one, but these can also be self-hosted XMPP servers eg.
danbri at foaf.tv. The service would send a roster join request to that
user, and if accepted, could send a click-to-verify link much as with
the email example.

e.g. 4.) More stuff! There are no natural limits to the kinds of
claims that could be verified, or the methods applied. This is the
charm and the burden of the Semantic  Web; it's completely general.
But fact checking is hard, so there is value in picking off the more
mechanisable pieces; mobile phone / SMS numbers could be a natural
next step.

There are a lot of 'claim graph analytics' you can do with this sort
of data, especially when linked with other social Web data (quite
naturally in named graphs, when managed in SPARQL). This is the same
kind of machinery offered by http://code.google.com/apis/socialgraph/
... although SGAPI deals more with public crawlable assertions. If we
assume the possibility of a simple Web app that allows users to
demonstrate simultaneous control over multiple accounts, the natural
next question is re what it does with that info. Some of it could be
simply published in public (signed, date stamped etc.) or made
available over some public lookup API.

eg. it could just emit a 'verified claims' file with simple statements, ...
<http://example.com/johnsmith#me> a :Person; :account
<http://twitter.example.com/johnsmith>; :account
<http://facebook.example.com/jsmith/> ...

Such info could be used as a grounding for more trust, eg. my blog
comments system could allow webid-based commenting, and auto-accept
posts that came from people whose twitter or facebook IDs I know, even
if I've not seen their webid before. Some such tool seems to me worth
building, both to show that these service activities will still exist
in a WebID world, they're just not core duties of an identity
provider. But also to counter some of the concerns I've seen raised
about self-asserted ID. Is there anything out there like this
currently?

cheers,

Dan


More information about the foaf-protocols mailing list