[foaf-protocols] Standardising the foaf+ssl protocol to launch the Social Web

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Tue Jul 6 20:54:39 CEST 2010 


On 06/07/2010 20:23, Kingsley Idehen wrote:
> Bruno Harbulot wrote:

>> I think we need to put this 'security' in perspective. FOAF+SSL (or
>> Secure WebIds) has the potential to offer an increased level of
>> security compared with other similar mechanisms such as OpenID.
>> However, with what we've achieved so far (verification by
>> dereferencing, without any 3rd party signing or without any RDF
>> signing), the level of security is more or less the same as that of
>> OpenID: whoever controls the hosting of the URI also controls the
>> identity.
>> At least, FOAF+SSL can address this issue using public key
>> cryptography, but that's not something we've done yet. Let's be
>> careful in calling things "secure" without extra qualifiers.
>>
>> The real benefit from FOAF+SSL so far has been its linked data aspect,
>> not so much its security aspect (although there's an in-built
>> potential for this).
>
> How about the verifiability of identity courtesy of Linked Data tweak.
>
> Security like Privacy is much deeper when social factors come into play.
> This is where policies come into play. Of course, you can't construct
> meaningful data access policies without verifiable identity, courtesy of
> the kind of authentication accorded by the WebID protocol.

Sure, but gathering information about a user is worthless if we don't 
ensure that the user behind the user-agent is indeed the legitimate 
owner of the private/public key pair and not someone else who may have 
gained access to the WebID service (or its response to the verifier) 
somehow.
This problem is my no means specific to FOAF+SSL: Google controls my 
Google ID, my e-mail provider controls my e-mail address, etc.
This level of assurance is sufficient for a lot of services, but not for 
everything.

The improvement we can do with FOAF+SSL is to make the end-service 
authenticate with the public key (or other sources of key information).

For example, authenticating to your bank via your Google ID or OpenID 
would be fairly weak. There's quite a lot of responsibility to delegate 
identity management to a 3rd party, for all parties involved.
What a bank could do with FOAF+SSL is to give you an additional 
challenge if the public key associated with your WebID doesn't match the 
key you would have registered previously.

The level of assurance required will depend on the service. The Linked 
Data tweak can solve this indeed. Some services with higher requirements 
will just require these linked data to comprise the public key from 
other sources (cached or 3rd party) and perhaps have the data signed by 
the asserting party.

It's all possible, we just haven't used it much yet.


Best wishes,

Bruno.

More information about the foaf-protocols mailing list