
Re: Web ID as passwordless authentication for debian web services



Russ Allbery <rra@debian.org> writes:

> Jonas Smedegaard <dr@jones.dk> writes:
>> Quoting Russ Allbery (2013-05-16 18:37:06)
>
>>> but it's not clear to me why we'd bother as opposed to just issuing
>>> client X.509 certificates with the metadata already included.
>
>> Because the very separation of identifiers from the identified makes the
>> identifiers usable to reliably semantically express Web of Data.
>
>> http://linkeddata.org/
>
> Could you explain this in more concrete terms?  I'm at a loss to
> understand what this means, and the web site wasn't horribly helpful.
>

Linked Data makes use of URIs to identify meta-data / properties of an
entity. Hence, it is quite distributed: these URIs can be fragments of
URLs inside documents, which can themselves be located on servers where
you (try to) exercise some form of personal control, and where you may
sign these documents.

Dereferencing these URLs, the servers consuming RDF documents (like a
FOAF profile) may then try and verify their signatures (GPG ones?) and
hence trust some of the linked data discovered in there (as long as the
documents speak about themselves and don't try to declare meta-data for
third party entities).

Let me take an example, so that things are more concrete, provided that
you have a vague notion of how to parse RDF (triples, etc.). Note that you
may use 'rapper -o turtle URL' to visualize the RDF/XML documents below
in a more human-readable form, if they're not natively in Turtle format.


My (work) FOAF profile at
http://www-public.telecom-sudparis.eu/~berger_o/foaf.rdf declares that
<http://www-public.it-sudparis.eu/~berger_o/foaf.rdf#me> is a person
(me), and is signed by my GPG key if you check
http://www-public.telecom-sudparis.eu/~berger_o/foaf.rdf.asc

That person's SSL cert's public key declared in
<http://www-public.it-sudparis.eu/~berger_o/foaf.rdf#me>'s properties is
<http://www-public.it-sudparis.eu/~berger_o/foaf.rdf#mecert> which has a
certain modulus (may or may not be under my control, and/or signed by a CA).

Then I declare that <http://www.olivierberger.org/foaf.rdf#me> is me too
(Linked) which in turn declares that I'm also
<http://people.debian.org/~obergix/foaf.rdf#obergix>, which may also
link to <http://webid.debian.net/maintainers/obergix#agent>.

This is all Linked Data. Following these links may or may not be performed
by Linked Data applications (caching, DOS, etc.).


These 3/4 FOAF profiles of mine can provide bits of meta-data from
different sources, which may then be trusted, depending on whether they
are signed, or available on HTTPS on a "trusted" server, etc.

Maybe I'll have a single SSL cert which is only pointing to my "most
personal" WebID/FOAF at <http://www.olivierberger.org/foaf.rdf#me>, so
whether I can use this one to login to work's servers or to Debian's is
to be disputed, depending on the level of indirection these are willing
to perform, following the sameAs documents.


The fact that my "identity" is described by different documents
depending on the context, which are under my personal control and/or
under the control of organizations I work or collaborate with, can fairly
well describe the reality, and allows partial trusting of different
aspects of "me", depending on the application context.

I guess this is the best solution we have at the moment for putting
identification aspects under the control of people. Hence the interest
of WebID.

I haven't discussed the auth aspects here, as they involve other
concepts, but for Identification, I guess WebID is much better than any
alternative (where your profile more or less lives under the control of a
(social) profile keeper).

I hope this makes it a bit clearer.

Best regards,

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
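The identification walk sketched in the message above (dereference the document behind the WebID, look up the cert:key / modulus / exponent declared for it, follow owl:sameAs links with a bound on the level of indirection, and only trust what a document says about its own fragment identifiers) as an added, self-contained example. This is not code from the original message or from the author; it runs over constructed in-memory N-Triples profiles under hypothetical example.org / example.net URLs with toy key values rather than real RSA moduli. A real deployment would fetch the documents over HTTPS (with caching, because of the DoS concern raised above), take the WebID URI and RSA public key from the client's TLS certificate, and handle blank nodes and other RDF syntaxes, none of which is done here.

```python
"""WebID-style identification over linked FOAF profiles (added example).

Profiles are constructed in-memory N-Triples documents, not fetched.
"""
import re
from collections import defaultdict, deque
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple

# Real vocabularies used by WebID / FOAF profiles.
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
FOAF_PERSON = "http://xmlns.com/foaf/0.1/Person"
OWL_SAMEAS = "http://www.w3.org/2002/07/owl#sameAs"
CERT_KEY = "http://www.w3.org/ns/auth/cert#key"
CERT_MODULUS = "http://www.w3.org/ns/auth/cert#modulus"
CERT_EXPONENT = "http://www.w3.org/ns/auth/cert#exponent"
XSD_HEX = "http://www.w3.org/2001/XMLSchema#hexBinary"
XSD_INT = "http://www.w3.org/2001/XMLSchema#integer"

# Hypothetical profile documents (constructed for this example).
DOC_A = "https://example.org/~alice/foaf.rdf"          # "most personal" profile
DOC_B = "https://people.example.net/~alice/foaf.rdf"   # profile at the employer
KEY1_MOD = "c0ffee0123456789abcdef0123456789abcdef01"  # toy values, not real RSA
KEY2_MOD = "deadbeef9876543210fedcba9876543210fedcba"
ROGUE_MOD = "0bad0bad0bad0bad0bad0bad0bad0bad0bad0bad"

DOCS: Dict[str, str] = {
    DOC_A: f"""
<{DOC_A}#me> <{RDF_TYPE}> <{FOAF_PERSON}> .
<{DOC_A}#me> <{CERT_KEY}> <{DOC_A}#mecert> .
<{DOC_A}#mecert> <{CERT_MODULUS}> "{KEY1_MOD}"^^<{XSD_HEX}> .
<{DOC_A}#mecert> <{CERT_EXPONENT}> "65537"^^<{XSD_INT}> .
<{DOC_A}#me> <{OWL_SAMEAS}> <{DOC_B}#me> .
""",
    # DOC_B also claims a key for DOC_A's subject: a statement about a
    # third party's identifier, which an authoritative-only reader drops.
    DOC_B: f"""
<{DOC_B}#me> <{RDF_TYPE}> <{FOAF_PERSON}> .
<{DOC_B}#me> <{CERT_KEY}> <{DOC_B}#workcert> .
<{DOC_B}#workcert> <{CERT_MODULUS}> "{KEY2_MOD}"^^<{XSD_HEX}> .
<{DOC_B}#workcert> <{CERT_EXPONENT}> "65537"^^<{XSD_INT}> .
<{DOC_A}#me> <{CERT_KEY}> <{DOC_B}#rogue> .
<{DOC_B}#rogue> <{CERT_MODULUS}> "{ROGUE_MOD}"^^<{XSD_HEX}> .
<{DOC_B}#rogue> <{CERT_EXPONENT}> "3"^^<{XSD_INT}> .
""",
}


class Literal(NamedTuple):
    value: str
    datatype: Optional[str]


Triple = Tuple[str, str, object]  # object is a URI str or a Literal

# One N-Triples statement: <s> <p> (<o> | "lit"^^<dt>) .  (no blank nodes)
_LINE = re.compile(
    r'^<([^>]*)>\s+<([^>]*)>\s+(?:<([^>]*)>|"([^"]*)"(?:\^\^<([^>]*)>)?)\s*\.$')


def parse_ntriples(text: str) -> List[Triple]:
    triples: List[Triple] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable N-Triples line: {line!r}")
        s, p, o_uri, o_lit, o_dt = m.groups()
        triples.append((s, p, o_uri if o_uri is not None else Literal(o_lit, o_dt)))
    return triples


def doc_of(uri: str) -> str:
    """Document URL that a fragment identifier lives in."""
    return uri.split("#", 1)[0]


def crawl(start: str, fetch: Callable[[str], str], max_hops: int = 2,
          authoritative_only: bool = True) -> Tuple[List[Triple], Set[str]]:
    """Fetch the WebID's document and follow its owl:sameAs links.

    Returns the merged triples and the set of WebIDs reached.  A document's
    triples are kept only when their subject is a fragment of that document
    (authoritative_only), and indirection stops after max_hops links.
    """
    graph: List[Triple] = []
    identities, seen = {start}, set()
    cache: Dict[str, List[Triple]] = {}
    queue = deque([(start, 0)])
    while queue:
        webid, hops = queue.popleft()
        if webid in seen:
            continue
        seen.add(webid)
        url = doc_of(webid)
        if url not in cache:
            try:
                cache[url] = parse_ntriples(fetch(url))
            except KeyError:        # unreachable document: skip, don't fail
                cache[url] = []
            for s, p, o in cache[url]:
                if authoritative_only and doc_of(s) != url:
                    continue        # a document only speaks about itself
                graph.append((s, p, o))
        for s, p, o in cache[url]:
            if s == webid and p == OWL_SAMEAS and isinstance(o, str) and hops < max_hops:
                identities.add(o)
                queue.append((o, hops + 1))
    return graph, identities


def keys_of(graph: List[Triple], identities: Set[str]) -> List[Tuple[int, int, str]]:
    """(modulus, exponent, webid) for every complete cert:key of the WebIDs."""
    by_subject = defaultdict(list)
    for s, p, o in graph:
        by_subject[s].append((p, o))
    keys = []
    for webid in sorted(identities):
        for p, k in by_subject.get(webid, []):
            if p != CERT_KEY or not isinstance(k, str):
                continue
            mod = exp = None
            for kp, ko in by_subject.get(k, []):
                if isinstance(ko, Literal) and kp == CERT_MODULUS:
                    mod = int(ko.value.replace(" ", ""), 16)
                elif isinstance(ko, Literal) and kp == CERT_EXPONENT:
                    exp = int(ko.value)
            if mod is not None and exp is not None:
                keys.append((mod, exp, webid))
    return keys


def verify_webid(webid: str, modulus: int, exponent: int,
                 fetch: Callable[[str], str] = DOCS.__getitem__,
                 max_hops: int = 2, authoritative_only: bool = True) -> Optional[str]:
    """Return the WebID whose profile declares the presented RSA public key.

    The caller is expected to have taken `webid` from the client certificate's
    SAN URI and (modulus, exponent) from its RSA public key after a successful
    TLS handshake, which is what proves possession of the private key.
    """
    graph, identities = crawl(webid, fetch, max_hops, authoritative_only)
    for mod, exp, owner in keys_of(graph, identities):
        if mod == modulus and exp == exponent:
            return owner
    return None


if __name__ == "__main__":
    me = f"{DOC_A}#me"
    print(verify_webid(me, int(KEY1_MOD, 16), 65537))               # key in own doc
    print(verify_webid(me, int(KEY2_MOD, 16), 65537))               # key one sameAs hop away
    print(verify_webid(me, int(KEY2_MOD, 16), 65537, max_hops=0))   # indirection refused
    print(verify_webid(me, int(ROGUE_MOD, 16), 3))                  # third-party claim dropped
```

`max_hops` is the "level of indirection" a service is willing to perform when following sameAs documents; `authoritative_only=False` shows what goes wrong without the rule that documents only speak about themselves: DOC_B's claim about `DOC_A#me` would then be accepted as one of that identity's keys.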

