[foaf-protocols] wot I think we dont want...

Daniël Bos (远洋) corani at gmail.com
Mon Dec 20 13:50:56 CET 2010

I'd like to start by saying that I don't speak for the group. I've
been a long-time follower and occasional commenter on the list, but
that is where it ends. That said, I'd like to give my "common sense"
answers, until someone who actually knows his stuff chimes in ^_^

On Mon, Dec 20, 2010 at 16:24, peter williams <home_pw at msn.com> wrote:
> Several underlying topics appear in your conception:
> A. should webid work be limited to step 1 (and NOT get into the other aspects of "social experience management")

I believe that WebID should limit itself to only the following points:

1. Describe how to embed a dereferenceable URI in an SSL client certificate.
2. Describe the format for the document the URI points (at the moment
3. Describe the steps needed to verify that the bearer of the
certificate has control over the document. (Checking the public key in
this document and matching it with the information from the

> B. Once SSL has delivered the posted comment and the URI to the users (foaf) id card, should there be one or more trust mechanisms for the webid protocol that then does "graph searching" - finding keys by some means that chain to authenticate the keying in the SSL client cert?

How the receiving party would like to further authenticate the WebID
is entirely up to them. They could build a social graph and only
accept the WebID if it is within a predetermined number of steps (only
friends, or friends-of-friends). They also could require the client
certificate to be signed by a trusted party. I believe this should
however be out of the scope, at least for the core functionality.

> C. Should webid work be concerned thereafter with enabling social network IDPs to interact with the SP site.... to address profiles, activities, joinings, consent, befriending, name-linking, etc?

I believe this is completely out of scope. There are many different
standards available that could benefit from the core as mentioned
under A. If we would like to describe the broader use including
profiles, activities, etc. I think it's better to go the OStatus way,
by defining a new project which brings together various separate
standards under one umbrella.

> In technical circles, these are 3 classical phases: security/crypto service, key management, security management.
> -----Original Message-----
> From: Daniël Bos (远洋) [mailto:corani at gmail.com]
> Sent: Sunday, December 19, 2010 9:10 PM
> To: peter williams
> Cc: foaf-protocols at lists.foaf-project.org
> Subject: Re: [foaf-protocols] wot I think we dont want...
> Peter,
> I totally get what you are saying. Having thought about this mess for a while, what I would like to see is something like this.
> ============
> I arrive at a Random Website, read Article XYZ, and want to comment on it. Below the article is a text box where I can enter my comment and a button "Submit using my WebID". I enter my comment, press the button and my browser asks me how I want to identify myself. I choose the option for my favorite Social Network, and the comment is published.
> Random Website pulls up my name, avatar and link to my website using the information provided by dereferencing the WebID I provided.
> What would be even better is this: after choosing my favorite Social Network, the Random Website redirects me there (or shows an overlay, or whatever) My Social Network then asks me, "you are commenting on Article XYZ on Random Website. What would you like to do":
> [x] Subscribe to Random Website and receive updates of new articles?
> [x] Follow Article XYZ and receive updates of new comments?
> [x] Share Article XYZ with your followers?
> [x] Share your comment on Article XYZ with your followers?
> After approving the options I want, my comment is posted in my private (or public) stream, and is subsequently pushed to the Random Website.
> From now on, if people reply to my comment through my Social Network, their comment will (optionally) also be pushed to the Random Website.
> ============
> Technically, as far as I can see, all of this is already possible using present day technology. Certainly the first scenario would be possible using plain WebID. Together with the OStatus stack I feel the second scenario also should be implementable.
> On Mon, Dec 20, 2010 at 11:11, peter williams <home_pw at msn.com> wrote:
>> So, trying to understand crowd-sourcing’s growth potential based on
>> the wanderings of more traditional migrants, I meandered to
>> http://www.earthtimes.org/articles/news/358585,reach-405-million-2050.html
>> Thinking I might comment, I attempt to login. Managed by “disqus”
>> comment service manager (kind of like a home loan “servicer” I’ll
>> guess), I can click on brand buttons on disqus-branded popup, which
>> duly causes my browser to wander to famous other brands (such as
>> Yahoo, and Disqus). Not knowing really who or what disqus is or why it
>> exists, I opt for the other option “openid”, and duly provide my blog
>> site’s webid. (Well actually, it takes 5 attempts, but shush).
>> Without user auth, wordpress (apparently) invites me to authorize
>> release of credentials to disqus (not earthtimes). I do this, and can
>> probably now leave a comment on the migrating humans story. But, this
>> disqus thing is bothering me. Who are they?
>> Now, the earthtimes site also suggests that I use Google Friend
>> Connect (presumably as well as, or as an alternative to, Disqus and its
>> commenting functions). So, to get rid of this disqus party, I opt to
>> use google to get me from wordpress to earthtimes. Or so think I.
>> So, up pops a google-copyright page inviting me to further select
>> google, yahoo, openid or something called twitter. Well, let’s use openid I say!
>> “Do you want to pass your http://yorkporc.wordpress.com/ identity to
>> http://*.google.com?” someone says. (it also asks about various
>> profile attributes.)
>> Not really think I, seeing as I want to talk to earthtimes. And, I’m
>> getting really confused at this point. I’m just trying to use my blog
>> site credentials to logon to earthtimes.
>> Anyways I do it. And I am now invited to let Google (not earthtimes, and
>> not whoever Disqus are) mediate whether or not I may release my
>> googlized profile information to earthtimes. Do I wish to “join” the
>> site (earthtimes). And, wots more, “Settings for The Earth Times -
>> www.earthtimes.org Your profile is visible to anyone”, says google!
>> To be perfectly honest, I don’t know whether my google profile is
>> visible, my hopefully (as yet) non-existent earthtimes profile will be
>> visible to anyone, or if my wordpress profile is now visible to all.
>> All I want to do is logon from wordpress to earthtimes.
>> Anyways, being a sucker, I join the site. I’m not sure to who or to
>> what I’ve just joined or signed my life away, but what the hay. It’s the web.
>> Congratulations homepw, You are now able to post comments to
>> earthtimes,
>> says:
>> http://p7rjrrl49ose4gob99eonlvp0drmce3d-a-fc-opensocial.googleusercontent.com/ps/confirm/questions?st=e%3DAOG8GaCQcKAab19IOgVAxA...alot more.
>> Oh, and before we let you go you might want to answer the query:
>> Should Israel stop settlement activity?
>> Why, who is asking? Who gets the results? Who is tracking my answer?
>> Is google protecting me, earthtimes, wordpress, Israel? Will I now get
>> adverts for “bargain price” condos on the west bank of the Jordan?
>> Anyways, still far from commenting on a migration article, I click
>> done, at which point the google Friend Connect frame mentions my
>> handle. But at least I’m looking at an earthtimes pages now.
>> So, let’s go to comment (perhaps I’ll advertise to the 405M migrants
>> mentioned in the article all about my new condo).
>> Argh, all the other options enabling me to choose a login provider
>> with which to comment with are now gone. I can only comment now “as” a
>> joined-member of earthtimes (remembering the earthtimes profile I
>> never wanted is open to “all” –according to Google, or Google
>> OpenSocial, or something Googlish anyways).
>> No, say I, I want to use my yorcpork webid, so folks can come to my
>> blog and harass me back for my nasty comment about perfectly nice condos, being fair.
>> So I logout (whose button is nicely positioned close to the commenting
>> area).
>> Argh.
>> Back to disqus:
>> http://disqus.com/logout/?ctkn=9d9a886d2d9ce33190b2c43e32f98a92
>> I cannot fathom all these providers, the roles, their joinings, the
>> profiles, their privacy policies, or their logouts. I don’t know WHO
>> I’m talking to. I don’t know WHO TO SUE.
>> It feels like the US mortgage mess….
> --
> 远洋 / Daniël Bos
> email  : corani at gmail.com
> weblog : http://blog.loadingdata.nl/
> ostatus: corani at status.loadingdata.nl

远洋 / Daniël Bos

email  : corani at gmail.com
phone  : +31-318-711063 (Dutch) / +86-18-701330735 (Chinese)
weblog : http://blog.loadingdata.nl/
ostatus: corani at status.loadingdata.nl
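
The core check in points 1 to 3 of the message above, as an added example that is not part of the original post or of any WebID implementation: the relying party takes the URI and RSA key from the client certificate, fetches the document behind the URI, and accepts only if that document lists the same key for exactly that URI. The JSON profile layout, the `fetch_profile` helper, the `alice.example` data and the HTTPS-only rule are assumptions of this example.

```python
import json
from urllib.parse import urlsplit, urldefrag

# Constructed profile documents keyed by URL; they stand in for an HTTPS GET.
# The JSON layout is a simplified assumption, not the WebID profile format.
PROFILES = {
    "https://alice.example/card": json.dumps({"keys": [
        {"identity": "https://alice.example/card#me",
         "modulus": "00:c3:5a:9f:01:7b", "exponent": 65537},
        {"identity": "https://alice.example/card#bot",
         "modulus": "a1b2c3d4e5", "exponent": 65537},
    ]}),
}

def parse_modulus(text):
    """Hex modulus to int, ignoring colons, whitespace, case and leading zeros."""
    return int("".join(ch for ch in text if ch not in ": \n\t"), 16)

def fetch_profile(url):
    """Hypothetical fetcher: returns the document body, or None if unreachable."""
    return PROFILES.get(url)

def verify_webid(san_uri, cert_modulus, cert_exponent, fetch=fetch_profile):
    """True only if the document behind san_uri lists the certificate's key
    for exactly that URI (fragment included)."""
    if urlsplit(san_uri).scheme != "https":
        return False  # assumption of this example: the fetch must be authenticated
    doc_url, _fragment = urldefrag(san_uri)
    body = fetch(doc_url)
    if body is None:
        return False
    try:
        keys = json.loads(body).get("keys", [])
    except (ValueError, AttributeError):
        return False
    if not isinstance(keys, list):
        return False
    for key in keys:
        try:
            if (key["identity"] == san_uri
                    and parse_modulus(key["modulus"]) == cert_modulus
                    and int(key["exponent"]) == cert_exponent):
                return True
        except (KeyError, TypeError, ValueError):
            continue  # malformed entry: skip it, never treat it as a match
    return False
```

A certificate that names someone else's URI fails here because its key is not in that person's document, and a key listed for a different identity in the same document does not count either.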
