[foaf-protocols] KiWi and foaf-ssl

Stephanie Stroka stephanie.stroka at salzburgresearch.at
Tue Jun 23 13:36:08 CEST 2009


Hello everyone,

I'm new to this mailing list, so I'm going to introduce myself before I
come to the more interesting part of discussing the integration of
foaf+ssl into our social semantic web platform 'KiWi' in a way that it
serves as a CA.

So, my name is Stephanie Stroka and I'm part of the core developer team
of KiWi (http://www.kiwi-project.eu). I've heard about foaf+ssl from
Henry Story, who is also (at least intended to be :) ) part of the
project. KiWi suits very well as a candidate for authorization via
foaf+ssl, as it is a platform for extensions like Wikis, Blogs and also
Social Networks, where data is stored in RDF. As I'm personally also
very interested in identity management, I thought the idea of
integrating the foaf+ssl authentication very useful, and that's what
I did last week:

I used the following link to get my webid from the certificate and to
redirect to a webservice that imports the data of my foaf-file into the
KiWi system.
https://foafssl.org/srv/idp?authreqissuer=http://localhost:8080/KiWi/seam/resource/restv1/FOAFSSLAuthentication

As you can probably think of, the FOAFSSLAuthentication webservice is
not very secure, as everyone can access it with an arbitrary webid in
the HTTP GET parameter, and may therefore be able to thieve one's
identity. That's the first problem that we are currently facing.

Another one is that KiWi is built on JBoss Seam, a very powerful (but
sometimes also annoyingly intransparent) framework based on Java EE 5.
Before we integrated foaf+ssl we were using Seam's identity management
services, which take away a lot of implementation work for applications
that want to use basic username-password authentication. Seam also
provides services for LDAP and OpenID authentication (I personally
never tried it). As we do want to use the normal user/password
authentication as well, we have to provide an alternative authentication
mechanism that does not check for the username and password if a foaf
certificate is available. Currently, I simply registered a method that
is called when a user logs into the system with foaf+ssl. This method
simply returns true, as we already externally ensured that the user is
authenticated by getting redirected to the webservice. You would agree
that this is hacking, not programming and that it probably opens up a
lot of security holes. So my intention is to integrate the
authentication protocol of foaf+ssl into KiWi and use KiWi as a CA.

Do you think this will work, or is foaf+ssl intended to be used as a
centralised service? If it would work, how difficult is it to integrate
the foaf+ssl service in another system, or maybe to use foaf+ssl as a
Seam authentication module (which I'd prefer, because then every
application that is built with Seam could easily use it)?

Furthermore, we have the problem that we also want to modify the foaf
files that identify a person. And we want it not to be done on a
centralised place, which means that I, as a KiWi user, would not like to
go to my foafbuilder-website to add another KiWi user as a friend, but
rather to add him as a friend on KiWi and get the foaf file
automatically modified. How is that possible? Do we have to provide our
own foaf builder?

Best regards, Stephanie
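The first problem in the post (a webservice that accepts any webid as a GET parameter) is exactly what foaf+ssl is meant to avoid: the WebID is taken from the client certificate's subjectAltName, and the application then dereferences that WebID and checks that the public key published in the FOAF profile matches the key in the certificate. The following is an added, self-contained illustration of that check written for this page; it is not KiWi, Seam or foafssl.org code. It assumes the TLS layer has already handed the application the certificate's SAN URI and RSA modulus/exponent (the `ClientCert` dataclass), uses the 2009-era rsa:/cert: vocabulary for the profile, and replaces the HTTP fetch of the profile with an injected `fetch` callable so it runs offline against a constructed sample profile. The function and profile names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urldefrag, urljoin

# ElementTree-style namespace prefixes for the RDF/XML profile.
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
RSA = "{http://www.w3.org/ns/auth/rsa#}"
CERT = "{http://www.w3.org/ns/auth/cert#}"


@dataclass(frozen=True)
class ClientCert:
    """What the TLS handshake gives the application (assumed to be parsed already)."""
    san_uri: str   # subjectAltName URI, i.e. the WebID the certificate claims
    modulus: int   # RSA modulus n of the certificate's public key
    exponent: int  # RSA public exponent e


def webid_from_query(params: Dict[str, str]) -> str:
    """The pattern the post describes: the caller picks the identity.

    Nothing here ties the returned WebID to the TLS session, so any value
    the caller sends is accepted. Shown only as the contrast to verify_webid.
    """
    return params["webid"]


def _parse_hex(text: Optional[str]) -> int:
    # cert:hex literals may be wrapped over lines and separated by colons;
    # keep only the hex digits before converting.
    digits = re.sub(r"[^0-9a-fA-F]", "", text or "")
    if not digits:
        raise ValueError("empty modulus literal")
    return int(digits, 16)


def profile_keys(profile_xml: str, profile_url: str) -> Dict[str, List[Tuple[int, int]]]:
    """Map each WebID named by a cert:identity to the (n, e) pairs published for it."""
    root = ET.fromstring(profile_xml)
    keys: Dict[str, List[Tuple[int, int]]] = {}
    for key in root.iter(RSA + "RSAPublicKey"):
        mod = key.find(RSA + "modulus")
        exp = key.find(RSA + "public_exponent")
        if mod is None or exp is None:
            continue  # incomplete key block, ignore it
        pair = (_parse_hex(mod.text), int((exp.text or "").strip()))
        for ident in key.findall(CERT + "identity"):
            # rdf:resource may be relative ("#me"); resolve it against the profile URL
            webid = urljoin(profile_url, ident.get(RDF + "resource", ""))
            keys.setdefault(webid, []).append(pair)
    return keys


def verify_webid(cert: ClientCert, fetch: Callable[[str], str]) -> bool:
    """True only if the profile behind the cert's WebID publishes the cert's key."""
    doc_url, _fragment = urldefrag(cert.san_uri)  # fetch the document, not "#me"
    try:
        keys = profile_keys(fetch(doc_url), doc_url)
    except (OSError, ET.ParseError, ValueError):
        return False  # unreachable or malformed profile: deny, never fall back
    return (cert.modulus, cert.exponent) in keys.get(cert.san_uri, [])


def authenticate(cert: ClientCert, fetch: Callable[[str], str]) -> Optional[str]:
    """Return the verified WebID to treat as the logged-in user, else None."""
    return cert.san_uri if verify_webid(cert, fetch) else None


# Constructed sample profile (not a real person's FOAF file); the modulus is a
# short made-up value written in the colon-separated, line-wrapped style.
SAMPLE_PROFILE_URL = "https://kiwi.example/users/stephanie"
SAMPLE_PROFILE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
         xmlns:cert="http://www.w3.org/ns/auth/cert#">
  <foaf:Person rdf:about="#me"><foaf:name>Stephanie (constructed)</foaf:name></foaf:Person>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#me"/>
    <rsa:modulus rdf:datatype="http://www.w3.org/ns/auth/cert#hex">
      00:c0:ff:ee:12:34:56:78
      90:ab:cd:ef
    </rsa:modulus>
    <rsa:public_exponent rdf:datatype="http://www.w3.org/ns/auth/cert#int">65537</rsa:public_exponent>
  </rsa:RSAPublicKey>
</rdf:RDF>
"""


def fetch_offline(url: str) -> str:
    """Stand-in for an HTTP GET of the profile document."""
    if url != SAMPLE_PROFILE_URL:
        raise OSError("no such profile")
    return SAMPLE_PROFILE


if __name__ == "__main__":
    good = ClientCert(SAMPLE_PROFILE_URL + "#me", int("c0ffee1234567890abcdef", 16), 65537)
    print(authenticate(good, fetch_offline))
```

The point for a Seam module is that the authenticator's "return true" is replaced by `verify_webid`: the identity comes from the certificate the TLS container already validated, and the only external trust is in the profile document that the WebID itself points to. A production version would fetch that document over HTTPS with a timeout and cache it, and would deny on any fetch or parse failure rather than falling back to a query parameter.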


