[foaf-protocols] Standardising the foaf+ssl protocol to launch the Social Web

Kingsley Idehen kidehen at openlinksw.com
Tue Jul 6 23:11:16 CEST 2010 

Bruno Harbulot wrote:
>
>
> On 06/07/2010 20:23, Kingsley Idehen wrote:
>> Bruno Harbulot wrote:
>
>>> I think we need to put this 'security' in perspective. FOAF+SSL (or
>>> Secure WebIds) has the potential to offer an increased level of
>>> security compared with other similar mechanisms such as OpenID.
>>> However, with what we've achieved so far (verification by
>>> dereferencing, without any 3rd party signing or without any RDF
>>> signing), the level of security is more or less the same as that of
>>> OpenID: whoever controls the hosting of the URI also controls the
>>> identity.
>>> At least, FOAF+SSL can address this issue using public key
>>> cryptography, but that's not something we've done yet. Let's be
>>> careful in calling things "secure" without extra qualifiers.
>>>
>>> The real benefit from FOAF+SSL so far has been its linked data aspect,
>>> not so much its security aspect (although there's an in-built
>>> potential for this).
>>
>> How about the verifiability of identity courtesy of Linked Data tweak.
>>
>> Security like Privacy is much deeper when social factors come into play.
>> This is where policies come into play. Of course, you can't construct
>> meaningful data access policies without verifiable identity, courtesy of
>> the kind of authentication accorded by the WebID protocol.
>
> Sure, but gathering information about a user is worthless if we don't 
> ensure that the user behind the user-agent is indeed the legitimate 
> owner of the private/public key pair and not someone else who may have 
> gained access to the WebID service (or its response to the verifier) 
> somehow.
> This problem is my no means specific to FOAF+SSL: Google controls my 
> Google ID, my e-mail provider controls my e-mail address, etc.
> This level of assurance is sufficient for a lot of services, but not 
> for everything.

Bruno,

Here is an extremely important point re. Google, Facebook, and other 
social network oriented data silos:

They only possess fragments of data that could be inferred (with varying 
degrees of accuracy) to be associated with you.

When it comes to Identifying "You" guess what? You are the possessor of 
the "Magic Key". You are the only person that can emphatically provide 
the critical context that ties data fragments across data silos together.

The WebID Protocol is ultimately about unveiling the unique Magic of 
Being You! Its gives You the Magic Key(s).

Digest my point here: Google can make approximations about "You", but 
they can't be explicit about you.  Simple example: stating you want to 
acquire a bicycle at a certain price, explicitly is always much better 
that assuming, based on Web activity patterns, that you could most 
likely need a bicycle etc.. The explicit statement can be something you 
express in your Personal Linked Data Space which is accessible via your 
WebID (on your terms via ACLs + Data Access Policies).

>
> The improvement we can do with FOAF+SSL is to make the end-service 
> authenticate with the public key (or other sources of key information).
>
> For example, authenticating to your bank via your Google ID or OpenID 
> would be fairly weak. There's quite a lot of responsibility to 
> delegate identity management to a 3rd party, for all parties involved.
No, at some time in the near future notary organizations will grok the 
power of WebIDs. Today, I can initiate local and international wire 
transfers from bank account via my browser because my Bank actually 
issues its customers X.509 certs and uses client side TLS verification. 
All they are missing right now is an entry in Alt. Subj. Name, and they 
are on part with the real world i.e., qualified access to my purchasing 
habits and preferred vendors based on fulfillment traffic going through 
the payment processing systems.

> What a bank could do with FOAF+SSL is to give you an additional 
> challenge if the public key associated with your WebID doesn't match 
> the key you would have registered previously.
>
Yes, per above.  In addition, as a notary institutions the certs from 
banks will be high grade to boot!

> The level of assurance required will depend on the service. The Linked 
> Data tweak can solve this indeed. Some services with higher 
> requirements will just require these linked data to comprise the 
> public key from other sources (cached or 3rd party) and perhaps have 
> the data signed by the asserting party.
>
> It's all possible, we just haven't used it much yet.

The Banks are coming :-) They are in the business or market-making and 
transaction fulfillment arbitrage. We just need to make the opportunity 
costs palpable to them and others in the notary realm.

Anyway, even after banks figure this out, the WebID protocol will still 
ensure that "You" are the final arbiter of your identity. We have lots 
of credit cards in our wallets, and numerous keys on our key chains 
etc..  Nobody knows "You" better than "Yourself" .

>
>
> Best wishes,
>
> Bruno.
>


-- 

Regards,

Kingsley Idehen	      
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen

More information about the foaf-protocols mailing list