[foaf-protocols] The issue of authorising access to private resources
benjamin.heitmann at deri.org
Tue Sep 14 15:18:07 CEST 2010
On 10 Sep 2010, at 18:32, Stéphane Corlosquet wrote:
> Hi Benjamin,
> Welcome to the list!
> Plenty of great ideas! As much as I like them, I think we should keep the
> authorization side of WebID in a separate spec so that the core WebID spec
> document only deals with the authentication. In the first WebID conf call
> there was a strong consensus on keeping the first spec simple so that it can
> be rolled out as quickly as possible (3 to 6 months). Adding extra
> complexity would delay this quite considerably.
Yes, this sounds very reasonable given how hot the decentralised social networking space is right now.
> I'm also not sure the
> authorization aspect is as mature and spec-ready as the
> authentication. We've already split out the OpenID/OAuth from the core spec
> to keep it succinct and avoid extra delays (among other things).
I read Toby's email, and I fully agree that the authorisation part is not mature enough right now.
That is also the reason why it makes sense for me as a newbie to be active in this area,
because there are actually a lot of things that need to be implemented, tested and documented.
And there are many details on which a consensus needs to be reached after exploring the solution space.
> It's quite
> easy to draw the line between authentication and authorization and the spec
> documents should follow this. See also a concurring comment from Toby at the
> end of this email.
Yes again, the line between authentication and authorisation is a very clear line.
> We have a placeholder in the current spec for authorization but I really
> think it should be non-normative and as short/simple as possible, simply
> highlighting the kind of goodness a server can do once it knows the WebID URI
> of the client, but without going into any detail.
Very good. This placeholder can be used to communicate to observers/outsiders that the WebID
community is aware of both aspects, and is not "ignoring authorisation" or any such thing.
> This email is in no way meant to discourage Benjamin or anyone else from
> continuing their great work in the authorization / access control aspects of
> WebID! Please go ahead and collect use cases etc.
Thanks, I will try to do my best.
However, I have to note that this is the first time that I am contributing to a standard,
and I am not very familiar with the kind of process or some of the communication tools you use.
So just remind me if I do something clumsy ;)
> So far, to my mind,
> authentication vs. authorization are 2 different processes, but there might
> be use cases where this is not true?
We need to implement the authorisation part in order to find out where the two aspects/processes overlap,
but I think it should be possible to separate them cleanly.