[foaf-protocols] webid-linked claim verification?

Henry Story henry.story at bblfish.net
Sat Aug 28 16:01:50 CEST 2010


On 26 Aug 2010, at 08:47, Dan Brickley wrote:

> Hi folks
> 
> Has anyone here built a webapp that shows verification of simple
> identity-relevant claims? This idea is not tightly coupled to WebID
> but would help ground WebIDs (or equally self-hosted OpenIDs) in other
> identifying information.
> 
> e.g. 1.) you go along, log in with a webid cert, and select "verify an
> email address"; it sends you some generated token by email, with a
> URL; you get that mail, follow the link, log in again with webid if
> needed [eg. the mail might arrive tommorrow], ... after which you've
> established some evidence that whoever controls that webid also
> controls (for now) that mailbox.

Here I don't think one needs a service in the longer term. With webfinger 
(or fingerpoint) deployment one could verify an email address asserted in the foaf automatically.


> e.g. 2.) you go along, log in with a webid cert, and select "verify a
> Web account", and choose a provider from a list of service providers
> who offer OpenID, OAuth and/or proprietary API ways of allowing
> someone to demonstrate control over an account. For OpenID you should
> also have the ability to type in an arbitrary OpenID-enabled URL. So
> here you might verify that you control http://twitter.com/example
> [this would use OAuth], or a Facebook account.

Again it may be interesting to see how a Relying Party could do this 
without requiring a centralised service.

So if your foaf points to your openid, and your openid to your foaf
(in a way that needs to be determined more precisely) you have a
verified identity claim.

> 
> e.g. 3.) or you login with webid again, and select "verify a Chat
> account"; selecting from MSN, Yahoo, AIM, or Jabber/XMPP. Actually
> these things are increasingly linked to general Web profiles, but at
> least Jabber/XMPP would be particularly interesting. So you'd type in
> your chat address, let's say johnsmith at gmail.com for a Google Talk
> one, but these can also be self-hosted XMPP servers eg.
> danbri at foaf.tv. The service would send a roster join request to that
> user, and if accepted, could send a click-to-verify link much as with
> the email example.

Could webfinger help here again?

> 
> e.g. 4.) More stuff! There are no natural limits to the kinds of
> claims that could be verified, or the methods applied. This is the
> charm and the burden of the Semantic  Web; it's completely general.
> But fact checking is hard, so there is value in picking off the more
> mechanisable pieces; mobile phone / SMS numbers could be a natural
> next step

Yes, an interesting project to find out how to deal with telephone numbers.

The advantage of the above method is that it is much better than a certification
service, as it works directly in a distributed way. 

But certification services could work too. One would could try to describe how it
would be done. The problem would be how can one avoid the certification services requiring
certification themselves too....

Henry




More information about the foaf-protocols mailing list