[foaf-protocols] access control issue
henry.story at gmail.com
Mon Jul 12 18:08:50 CEST 2010
Last week I visited the Technische Universität München, and in a brainstorming session with Georg Groh and colleagues we came across the following interesting point.
I had it as an open issue to myself to answer the question whether one would need to publish the access control policy for a resource. We found, I think, an additional user interface reason for why this in many cases should be published.
The issue is quite simple. If I publish a photo that can be accessed by my foaf, and John is my friend, he may wish to republish this information in his blog. He may not be aware though that this photo is visible only to his friends and not to the world. As a result he may publish the photo as an <img src="..."> link in his blog.
If his blog is visible to his foaf, then the friends of his friends may see a broken blog without an image. If he publishes it publicly, then most of the world will see a broken picture.
My suggestion here is that the HTTP response needs an ACL header that points to the access control group or policy. This could then be used by web services to help the user decide if he can re-use the URL, or what kind of restriction he will need to watch out for.
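
An added example, not part of the original message: a sketch of how a blogging tool could use such a header to warn an author before embedding a restricted image. The message names no header or format, so the `Link` header with `rel="acl"`, the `PUBLIC_POLICY` URL and all sample URLs are assumptions.

```python
import re

# Assumption: the policy is advertised as  Link: <policy-url>; rel="acl".
# The message only asks for "an ACL header"; it names no header or format.
PUBLIC_POLICY = "https://acl.example/public"  # hypothetical "anyone" policy URL

def policy_url(headers):
    """Return the advertised policy URL, or None if none is advertised."""
    link = next((v for k, v in headers.items() if k.lower() == "link"), "")
    for target, params in re.findall(r'<([^>]*)>([^,]*)', link):
        rel = re.search(r'\brel\s*=\s*"?([^";]*)', params, re.I)
        if rel and "acl" in rel.group(1).lower().split():
            return target
    return None

def embed_decision(headers, page_policy):
    """Decide whether a page governed by page_policy can embed the resource."""
    resource_policy = policy_url(headers)
    if resource_policy is None:
        return "unknown"   # nothing advertised: the author cannot be warned
    if resource_policy in (PUBLIC_POLICY, page_policy):
        return "ok"        # world-readable, or same audience as the page
    return "warn"          # some readers of the page will get a broken image

# Constructed sample: response headers for a photo limited to Alice's friends.
PHOTO_HEADERS = {
    "Content-Type": "image/jpeg",
    "Link": '<https://alice.example/acl/friends>; rel="acl", '
            '<https://alice.example/photos/>; rel="up"',
}

if __name__ == "__main__":
    for page in (PUBLIC_POLICY, "https://john.example/acl/friends",
                 "https://alice.example/acl/friends"):
        print(page, "->", embed_decision(PHOTO_HEADERS, page))
```

The comparison is by policy URL only: two different groups are treated as different audiences even if their membership happens to overlap.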