[foaf-protocols] Some basic questions prior to development ?

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Fri May 14 18:47:23 CEST 2010


Hi Seth,


On 14/05/10 16:54, Seth Russell wrote:
> I would like to ask some basic questions before I invest a lot of time
> in trying to develop foaf+ssl as an option for my customer login.
>
>     * How do my customers transfer their identity certificates from one
>       browser to another and one computer to another?  Right now it
>       appears to me that my identity is locked to my firefox browser on
>       my desktop.  When, if ever, should I practically expect that a
>       person's identity will be certified as the same across all of
>       their devices whether they be desktop, home or work, laptop or
>       handheld?

You can export the private key and the certificate from the browser, 
usually in a PKCS#12 file (.p12).

In Firefox, if you go in Preferences -> Advanced -> Encryption -> View 
Certificates and choose one of your certificates, you should be able to 
click on 'Backup...'. This will produce a password-protected p12 file 
which you can then import on other browsers/machines. It can be imported 
for Internet Explorer, Opera, Safari/KeyChain, or used directly by Java 
applications, for example, without specific add-ons.

Alternatively (and I'm not sure how far the various libraries support 
this at this stage), there is a possibility to associate multiple public 
keys to the same WebID, so as to be able to have a key per device.

>     * As a developer what string should I store on my server to
>       re-identify my customer?  Is it the cert#hex, the cert#decimal, both
>       or neither?  And will that be the same information when my
>       customer re-identifies themselves on another device?

To some extent, the main focus of FOAF+SSL isn't really FOAF or SSL, 
but rather the concept of a WebID (which you can link to and from using 
semantic web descriptions). FOAF+SSL is then the mechanism that allows 
you to verify that ID (via a public key, FOAF and SSL).


>     * As a user how do I add information to my public profile - assuming
>       that I don't know how to write RDF?

It depends on the service that provides the user with their FOAF files. 
There may be some cool interfaces that let you write information with a 
good interface. <http://foaf.me> is a good example, but you might still 
need to know a bit of FOAF/RDF at this stage.

>     * As a developer how do I retrieve that information?

This is done via RDF libraries and associated queries (usually SPARQL or 
similar). You'd need some understanding of RDF there.


>     * As a business owner, assuming a best case scenario, when can I
>       expect that there will be a substantial number of people with
>       certificates in their browsers?

Hard to say, sorry. I guess it depends on the user perception regarding 
the use of certificates. They often consider it complicated in 
full-blown PKIs in my experience. However, FOAF+SSL simplifies the 
registration process (which I think is the heavy administrative part 
with CAs).

I guess it's also going to be a question of added-value to complexity 
ratio. It will probably depend on having a cool service that lets you do 
certain things because you have a WebID and a FOAF+SSL certificate.

Currently, I think most users are quite happy to be tied to their 
Facebook or Google account to provide their identity. Privacy is barely 
a concern for a number of users (or at least it's a concept that people are 
interested in, but don't really know what to do about it).
Things might change for example when Facebook make public more and more 
information that was meant to be private in the first place.

I think it also depends on what range of users your business is 
targeting. It might get more success for services that are offered as 
part of partnerships between companies, for example, where a user from 
one company would be able to get access to services in other companies 
using the WebID as the global authentication system, while retaining 
independence with respect to the identity provider.


>     * Are any of the Titans of the industry indicating that they will
>       support this; Microsoft, Google, Facebook, Twitter, Apple?

Not yet, as far as I know.


Best wishes,

Bruno.
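
The following Python example is added here; it is not part of the original message or of any FOAF+SSL library. It assumes the usual FOAF+SSL check (the client certificate carries the WebID URI, and the profile at that URI lists RSA keys as a cert#hex modulus and cert#decimal exponent) and keys the account on the WebID, so a second device key listed in the same profile maps to the same customer. `verify_webid`, `fetch_keys`, `lookup`, the URIs and the key values are all constructed for illustration.

```python
import re

# Constructed sample data: key claims already extracted from two FOAF
# profiles, as (modulus in cert#hex form, exponent in cert#decimal form).
PROFILE_KEYS = {
    "https://example.org/people/alice#me": [
        ("00:c3:5a 9f:10:22:bd", "65537"),   # desktop browser key
        ("D1 07 44 E8 9B 3C", "65537"),      # laptop key
    ],
    "https://example.org/people/bob#me": [("00:aa:bb:cc", "65537")],
}

def normalize_hex(text):
    """Turn a cert#hex literal into an integer.

    Profiles write the modulus with varying whitespace, colons and case,
    so comparing raw strings would reject keys that are actually equal.
    """
    digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError("modulus literal is not hexadecimal")
    return int(digits, 16)

def verify_webid(san_uri, cert_modulus, cert_exponent, fetch_keys):
    """Return the WebID to store as the account key, or None.

    san_uri, cert_modulus and cert_exponent are taken from the client
    certificate presented in the TLS handshake. fetch_keys(uri) is a
    hypothetical helper returning the key claims found in the profile
    document at that URI.
    """
    for hex_modulus, dec_exponent in fetch_keys(san_uri):
        try:
            claimed = (normalize_hex(hex_modulus), int(dec_exponent.strip()))
        except ValueError:
            continue  # malformed claim: ignore it, keep checking the rest
        if claimed == (cert_modulus, cert_exponent):
            return san_uri  # same string whichever listed key was used
    return None

def lookup(uri):
    """Stand-in for dereferencing the profile (assumption: no network)."""
    return PROFILE_KEYS.get(uri, [])
```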

