[foaf-protocols] The issue of authorising access to private resources

Stéphane Corlosquet scorlosquet at gmail.com
Tue Sep 14 15:26:40 CEST 2010


Benjamin,

> That is also the reason why it makes sense for me as a newbie to be active
> in this area,
> because there are actually a lot of things that need to be implemented,
> tested and documented.


It's great to have you on board! :)


> However, I have to note that this is the first time that I am contributing
> to a standard,
> and I am not very familiar with the kind of process or some of the
> communication tools you use.


No worries. In fact, the spec is still unofficial, and we are not attached
to any standardization body at this stage (though hopefully this will change
soon).

cheers,
Steph.

On Tue, Sep 14, 2010 at 9:18 AM, Benjamin Heitmann <
benjamin.heitmann at deri.org> wrote:

>
> On 10 Sep 2010, at 18:32, Stéphane Corlosquet wrote:
>
> > Hi Benjamin,
> >
> > Welcome to the list!
> >
> > Plenty of great ideas! As much as I like them, I think we should keep the
> > authorization side of WebID in a separate spec so that the core WebID spec
> > document only deals with the authentication. In the first WebID conf call
> > there was a strong consensus in keeping the first spec simple so that it can
> > be rolled out as quickly as possible (3 to 6 months). Adding extra
> > complexity would delay this quite considerably.
>
> Yes, this sounds very reasonable given how hot the decentralised social
> networking space is right now.
>
> > I'm also not sure the
> > authorization aspect is as mature and spec-ready as the
> > authentication. We've already split out the OpenID/OAuth from the core spec
> > to keep it succinct and avoid extra delays (among other things).
>
> I read Toby's email, and I fully agree that the authorisation part is not
> mature enough right now.
>
> That is also the reason why it makes sense for me as a newbie to be active
> in this area,
> because there are actually a lot of things that need to be implemented,
> tested and documented.
> And there are many details on which a consensus needs to be reached after
> exploring the solution space.
>
> > It's quite
> > easy to draw the line between authentication and authorization and the spec
> > documents should follow this. See also a concurring comment from Toby at the
> > end of this email [1].
>
> Yes again, the line between authentication and authorisation is a very
> clear line.
>
> > We have a placeholder in the current spec for authorization [2] but I really
> > think it should be non-normative and as short/simple as possible, simply
> > highlighting the kind of goodness a server can do once it knows the WebID URI
> > of the client, but without going into any detail.
>
> Very good. This placeholder can be used to communicate to
> observers/outsiders that the WebID
> community is aware of both aspects, and is not "ignoring authorisation" or
> any such thing.
>
> > This email is in no way meant to discourage Benjamin or anyone else from
> > continuing their great work in the authorization / access control aspects of
> > WebID! Please go ahead and collect use cases etc.
>
> Thanks, I will try to do my best.
>
> However, I have to note that this is the first time that I am contributing
> to a standard,
> and I am not very familiar with the kind of process or some of the
> communication tools you use.
> So just remind me if I do something clumsy ;)
>
>
>
> > So far, to my mind, the
> > authentication vs. authorization are 2 different processes, but there might
> > be use cases where this is not true?
>
> We need to implement the authorisation part in order to find out where the
> two aspects/processes overlap,
> but I think it should be possible to separate them cleanly.
>
>