[foaf-protocols] The issue of authorising access to private resources

Benjamin Heitmann benjamin.heitmann at deri.org
Tue Sep 14 14:11:47 CEST 2010

On 8 Sep 2010, at 17:59, Nathan wrote:

> Hi Benjamin,
> Benjamin Heitmann wrote:
>> If you (the community) agree that this is an issue, then I will probably go ahead and create a wiki page for the following:
>> * test cases and use cases
>> * experience from existing and emerging implementations of the authorisation aspect
>> * a collection of the different issues which need to be standardised in a wikipage.
> I'm unsure how familiar you are with the whole authorization/ACL side of how we currently do things, but I'd see great value in having those test/use cases outlined, especially from somebody who didn't already have 'the way we do things now' ingrained in them.

First, thanks for being so open to new suggestions. 

> There are quite a few areas where it's too easy to say "you can't do it like that, do this instead" and to have these test/use cases written up in the first instance without consideration for these factors would be great. Especially on the mixed private/public data side of things.

Yes, exactly my thinking. 

I know about the Web Access Control (WAC) Vocabulary and I just refreshed my memory by looking at Joe's fresh WAC links. 

From my perspective WAC currently covers two areas: 
1.) How can a server reason about the authorisation of a WebID for accessing a resource.
2.) What kind of external information which is also encoded through WAC might need to be accessed on the fly in order for the server to arrive at an inference about the authorisation. 

What WAC currently does not seem to cover is the flow of information when there are more than two parties involved.
If you think of Henry's restful printing example, when and how do I provide the WebID of the printing service to my profile and picture storage server? 
Do I need to copy and paste it to some dialog of my profile storage service? 
If I want to print multiple files, how do I tell the printing service that he can access multiple resources? 

Which brings me to a maybe somewhat unconventional but crucial question: 
If some client wants to access a resource, does he need to be able to reason on WAC data, or does he just need to understand the result of the access attempt? 

a.) If the client needs to understand WAC data just as much as the server, then WAC is essential to the authorisation flow. 

b.) If the client only needs to understand that he can either access the resource or not, then WAC is somewhat orthogonal to the authorisation flow. The client just needs to respect his role, and implement the different hooks which the other roles of the communication flow expect. 
(e.g. follow certain redirects, or POST information to certain standard endpoints)

Nathan and Joe, would you say that one of a.) or b.) is correct?
Or would you characterise the role of WAC in the authorisation between more than two parties differently?
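As an added illustration (not code from Benjamin's mail, from Nathan or Joe, or from any WAC implementation): the toy Python evaluator below shows the two server-side steps distinguished in points 1.) and 2.) above, local reasoning over acl:Authorization triples and an on-the-fly fetch of an external document when acl:agentClass points outside the ACL itself. The ACL document, the group document, the WebIDs and the printing-service identifier are all constructed for the example. The group-membership convention (the WebID has rdf:type of the class, asserted in the class's own document) and the deny-by-default rule are assumptions of this example, not something the thread specifies. The client, as in option b.), only ever sees the resulting allow or deny.

```python
"""Toy Web Access Control (WAC) evaluator: added example, not from the thread."""
import re

ACL = "http://www.w3.org/ns/auth/acl#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"

# IRI-only N-Triples lines are enough for ACL data (no literals needed).
_TRIPLE = re.compile(r"^\s*<([^>]*)>\s+<([^>]*)>\s+<([^>]*)>\s*\.\s*$")


def parse_ntriples(text):
    """Parse IRI-only N-Triples into a set of (s, p, o) tuples."""
    triples = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _TRIPLE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        triples.add(m.groups())
    return triples


def objects(triples, s, p):
    """All objects o such that (s, p, o) is in the graph."""
    return {o for (ss, pp, o) in triples if ss == s and pp == p}


def document_of(iri):
    """The document an IRI lives in is the IRI without its fragment."""
    return iri.split("#", 1)[0]


def is_authorized(acl, webid, resource, mode, fetch):
    """Decide whether `webid` (None = anonymous) may perform `mode` on `resource`.

    Deny by default: access is granted only when some acl:Authorization names
    the resource, the mode and (directly or via a class) the agent.
    """
    auths = {s for (s, p, o) in acl if p == RDF_TYPE and o == ACL + "Authorization"}
    for auth in auths:
        if resource not in objects(acl, auth, ACL + "accessTo"):
            continue
        if mode not in objects(acl, auth, ACL + "mode"):
            continue
        # Step 1 (point 1 in the mail): reason locally over the ACL graph.
        if webid is not None and webid in objects(acl, auth, ACL + "agent"):
            return True
        for cls in objects(acl, auth, ACL + "agentClass"):
            if cls == FOAF_AGENT:  # everyone, anonymous included
                return True
            if webid is None:
                continue
            # Step 2 (point 2 in the mail): membership lives in an external
            # document, so fetch it on the fly. Assumed convention: the WebID
            # has rdf:type of the class in the class's own document.
            if (webid, RDF_TYPE, cls) in fetch(document_of(cls)):
                return True
    return False


def make_fetcher(documents):
    """Return (fetch, log); fetch serves constructed in-memory documents, log records IRIs fetched."""
    log = []

    def fetch(iri):
        log.append(iri)
        return parse_ntriples(documents.get(iri, ""))

    return fetch, log


def nt(*triples):
    """Serialise IRI triples as N-Triples text."""
    return "\n".join(f"<{s}> <{p}> <{o}> ." for s, p, o in triples)


# Constructed identifiers (not real WebIDs or services).
ALICE = "https://example.org/alice/card#me"
BOB = "https://example.org/bob/card#me"
CAROL = "https://example.org/carol/card#me"
PRINTER = "https://print.example.net/service#id"
PHOTO = "https://example.org/alice/photo.jpg"
PUBLIC_PIC = "https://example.org/alice/public.jpg"
GROUPS_DOC = "https://example.org/alice/groups"
_A = "https://example.org/alice/acl#"

# Constructed ACL: owner has full control, the printing service may read the
# photo, the friends group may read it, and public.jpg is world-readable.
ACL_DOC = nt(
    (_A + "owner", RDF_TYPE, ACL + "Authorization"), (_A + "owner", ACL + "accessTo", PHOTO),
    (_A + "owner", ACL + "agent", ALICE), (_A + "owner", ACL + "mode", ACL + "Read"),
    (_A + "owner", ACL + "mode", ACL + "Write"), (_A + "owner", ACL + "mode", ACL + "Control"),
    (_A + "printer", RDF_TYPE, ACL + "Authorization"), (_A + "printer", ACL + "accessTo", PHOTO),
    (_A + "printer", ACL + "agent", PRINTER), (_A + "printer", ACL + "mode", ACL + "Read"),
    (_A + "friends", RDF_TYPE, ACL + "Authorization"), (_A + "friends", ACL + "accessTo", PHOTO),
    (_A + "friends", ACL + "agentClass", GROUPS_DOC + "#friends"), (_A + "friends", ACL + "mode", ACL + "Read"),
    (_A + "public", RDF_TYPE, ACL + "Authorization"), (_A + "public", ACL + "accessTo", PUBLIC_PIC),
    (_A + "public", ACL + "agentClass", FOAF_AGENT), (_A + "public", ACL + "mode", ACL + "Read"),
)
# Constructed external group document: only Bob is a friend.
EXTERNAL_DOCS = {GROUPS_DOC: nt((BOB, RDF_TYPE, GROUPS_DOC + "#friends"))}

if __name__ == "__main__":
    acl = parse_ntriples(ACL_DOC)
    fetch, log = make_fetcher(EXTERNAL_DOCS)
    for who, res, mode in [(PRINTER, PHOTO, "Read"), (PRINTER, PHOTO, "Write"),
                           (BOB, PHOTO, "Read"), (CAROL, PHOTO, "Read"), (None, PUBLIC_PIC, "Read")]:
        print(who, mode, res, "->", is_authorized(acl, who, res, ACL + mode, fetch))
    print("external documents fetched:", log)
```

Note that the printing service in the example only learns allow or deny for each request, never the ACL graph itself, which is the situation option b.) describes; the open question in the mail, how the printer's WebID gets into the ACL in the first place, is exactly what the code does not model.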
