[foaf-protocols] Fwd: [WRAP] RFC formatted versions of OAuth WRAP

Peter Williams home_pw at msn.com
Tue Jan 19 17:47:06 CET 2010


Concerning 2, there is a mismatch in thinking, I think. The openid "page"
found at the openid URI (which uses micro-formatted vs rdfa markup in
myopenid.com's case) is not a part of the protocol spec or the wider
concept. The mismatch is about more than mere public/not-public expression.
It goes to the heart of the "assertion" theorem.

If you (1) authorize myopenid to publish your hcard at your/its openid page
at the openid URI (asserting your email address is home_pw at msn.com) and (2)
you also authorize myopenid via a per-RP profile configuration to release as
an sreg/ax email attribute a certain email address value tagged with a
certain name, there is NO basis in the RP logic for resolving the conflict
of which value is authoritative. Why? Because the value in (1) is pulled by
the RP, and is not formally "asserted". Only the value in (2) is "asserted",
and is therefore authoritative.

This goes back to the "control plane" assumptions of SAML (and openid, which
is a mere derivative of SAML using name/value pairs for data messages).
There is an asserting "Party" in these websso schemes, and it is NOT the
user. Not the legalistic "term" Party, now introduced. Parties have
agreements, the commonest of which is the implied "practices" of the
community doing the interworking which "govern" (transparently, for the most
part).

Websso schemes are about delivering security policy services to RP networks
(e.g. privacy enforcement services), in which IDPs that are the hub of
"their" hub/spoke trust networks are providing value to "their" RPs (not
the subscribing users). The IDP offloads from the RP the work of ensuring
the RP is in compliance with one or other sets of community norms re the
"handling" of data. A common community norm at the national head of the
inheritance is public law, of course.

So, in the semweb community (which kinda presumes ALL facts are necessarily
public property and ideally are not subject to the evils of ownership and
control (the whole Marxist philosophy thing)), we walk into a thinking
mismatch. Websso presumes regimes of "control", semweb does not.

For example, websso (in openid) PRETENDS to be about what 1800s Americans
would call individual Republicanism (individuals are in control as reflected
in the "user centric identity" moniker). But in reality, it's become about
big business IDPs selling (trust/identity) services using traditional
corporatism - where the corporation intermediates individuals from RPs, by
forcing individuals to only ever interact with others when they are
"subscribers" of IDPs (who, given that very legal term "subscriber", are now
FORMALLY "Governed" by the security policies of the IDPs and the parties who
in turn govern financial IDPs like PayPal (i.e. US govt's various financial
agencies)).


Of course, myopenid could use rdfa at their openid pages of their
"subscribers" (rather than vcards). But, an RP cannot "rely" on those facts,
as myopenid does not stand behind them. The RP can "use" (legally) the
facts, but it cannot hold myopenid accountable (i.e. legally "rely", under
any security policy).


-----Original Message-----
From: hjs at bblfish.net [mailto:hjs at bblfish.net] On Behalf Of Story Henry


I think it would be a fun way to show how one could have a site that
could be logged into using:
  1. OpenId or foaf+ssl
  2. Where the openid page contains the public foaf, and links to protected
foaf (in rdf/xml or rdfa)
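As an added illustration of the assertion point made above (this is not code from the thread or from any of the projects named in it): a Python sketch of an RP that keeps provenance on every attribute it learns. Values the IdP signed in the sreg response count as asserted and can be relied on; values the RP pulled itself from the openid page (an hCard or RDFa) are kept only as hints. The OpenID response and hCard below are constructed, the sreg field names and the `openid.signed` list follow OpenID 2.0 / SREG conventions, and the response is assumed to have already passed signature verification.

```python
"""RP-side attribute resolution with provenance: asserted vs pulled facts.

Constructed example. Assumes the OpenID positive assertion has already been
signature-verified; this code only decides which fields the IdP actually
stands behind (those listed in openid.signed) and which the RP merely fetched.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Claim:
    name: str                # attribute name, e.g. "email"
    value: str
    source: str              # "asserted": IdP signed it; "pulled": RP fetched it itself
    asserter: Optional[str]  # party that stands behind the value; None if nobody does


def claims_from_openid_response(response: dict, idp: str) -> List[Claim]:
    """Turn only the *signed* sreg fields of an OpenID response into asserted
    claims. An sreg field outside openid.signed is not an assertion by the IdP."""
    signed = set(response.get("openid.signed", "").split(","))
    claims = []
    for key, value in response.items():
        if not key.startswith("openid.sreg."):
            continue
        if key[len("openid."):] in signed:          # e.g. "sreg.email"
            claims.append(Claim(key.rsplit(".", 1)[1], value, "asserted", idp))
    return claims


def claims_from_openid_page(hcard: dict) -> List[Claim]:
    """Facts scraped from the openid page: the RP pulled them, nobody asserted them."""
    return [Claim(name, value, "pulled", None) for name, value in hcard.items()]


def resolve(name: str, claims: List[Claim]) -> Tuple[Optional[str], List[str]]:
    """Return (authoritative value or None, conflicting pulled hints).

    Only an asserted claim can be relied upon. If several asserters disagree
    the RP has no basis to pick one, so it refuses rather than guess."""
    asserted = [c for c in claims if c.name == name and c.source == "asserted"]
    hints = [c.value for c in claims if c.name == name and c.source == "pulled"]
    if not asserted:
        return None, hints
    values = {c.value for c in asserted}
    if len(values) > 1:
        raise ValueError(f"conflicting asserted values for {name}: {sorted(values)}")
    authoritative = asserted[0].value
    return authoritative, [h for h in hints if h != authoritative]


# --- constructed sample input -------------------------------------------------
SAMPLE_RESPONSE = {                      # constructed; signature assumed verified
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://subscriber.example.invalid/",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.email": "for-this-rp@example.invalid",   # per-RP released value
    "openid.sreg.nickname": "unsigned-nick",              # present but NOT signed
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,sreg.email",
    "openid.sig": "<constructed placeholder>",
}
SAMPLE_HCARD = {"email": "public@example.invalid", "nickname": "pw"}  # constructed


def rp_view(name: str = "email") -> Tuple[Optional[str], List[str]]:
    """What the RP may rely on for `name`, plus any hints it only pulled."""
    claims = (claims_from_openid_response(SAMPLE_RESPONSE, idp="myopenid.com")
              + claims_from_openid_page(SAMPLE_HCARD))
    return resolve(name, claims)


if __name__ == "__main__":
    print("email:", rp_view("email"))        # asserted wins; page value is a hint
    print("nickname:", rp_view("nickname"))  # nothing asserted, only a hint
```

The point the sketch makes is that the hCard value never becomes a `Claim` with an `asserter`, so no later policy decision can treat it as something myopenid stands behind, however the two values happen to compare.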
