[foaf-protocols] The issue of authorising access to private resources

Tue Sep 14 15:18:07 CEST 2010

On 10 Sep 2010, at 18:32, Stéphane Corlosquet wrote:

> Hi Benjamin,
> 
> Welcome to the list!
> 
> Plenty of great ideas! As much as I like them, I think we should keep the
> authorization side of WebID in a separate spec so that the core WebID spec
> document only deals with the authentication. In the first WebID conf call
> there was a strong consensus in keeping the first spec simple so that it can
> be rolled out as quickly as possible (3 to 6 months). Adding extra
> complexity would delay this quite considerably.

Yes, this sounds very reasonable given how hot the decentralised social networking space is right now.

> I'm also not sure the
> authorization aspect is as mature and spec-ready as the
> authentication. We've already split out the OpenID/OAuth from the core spec
> to keep it succinct and avoid extra delays (among other things).

I read Toby's email, and I fully agree that the authorisation part is not mature enough right now. 

That is also the reason why it makes sense for me as a newbie to be active in this area, 
because there are actually a lot of things that need to be implemented, tested and documented. 
And there are many details on which a consensus needs to be reached after exploring the solution space. 

> It's quite
> easy to draw the line between authentication and authorization and the spec
> documents should follow this. See also a concurring comment from Toby at the
> end of this email [1].

Yes again, the line between authentication and authorisation is a very clear line. 

> We have a placeholder in the current spec for authorization [2] but I really
> think it should be non norminative and as short/simple as possible, simply
> highlighting the kind of goodness a server can do once it know the WebID URI
> of the client, but without going into any detail.

Very good. This place holder can be used to communicate to observers/outsiders that the WebID 
community is aware of both aspects, and is not "ignoring authorisation" or any such thing. 

> This email is in no way meant to discourage Benjamin or anyone else from
> continuing their great work in the authorization / access control aspects of
> WebID! Please go ahead and collect uses cases etc.

Thanks, I will try to do my best. 

However, I have to note that this is the first time that I am contributing to a standard,
and I am not very familiar with the kind of process or some of the communication tools you use. 
So just remind me if I do something clumsy ;) 

> So far, to my mind, the
> authentication vs. authorization are 2 different processes, but there might
> be use cases where this is not true?

We need to implement the authorisation part in order to find out where the two aspects/processes overlap, 
but I think it should be possible to separate them cleanly. 