Skip to content


First thoughts about FOAF+SSL

My last blog post caused @kidehen (Kingsley Uyi Idehen) to ask if I’d looked at FOAF+SSL for the purposes of people allowing selective access to 3rd parties to their own personal data held on our systems.

I still don’t think it’s the right tool for that job, but it is pretty cool. Here’s a quick summary.

This system allows you to authenticate that you are a person represented by a URI. To do this you cause a key pair to be generated. The private key is installed in your browser, and the public key is added to your FOAF page as a handful of extra triples.

When you attempt to view a page requiring you authenticate with a certificate, your browser asks which of those installed you want to use. You pick the one for the identity you care about. The remote site then resolves the URI (stored as part of the cert) to get the public key for your claimed identity, then does the usual library stuff to check your client really has the private complement to the public key in the FOAF for your claimed identity.

Here’s an example I knocked up using foaf.me: https://foaf.me/marvin

It can then optionally do funky stuff with RDF to decide if your identity should have view/edit rights on the resource you requested, and can also do funky stuff by resolving your depiction, name, friends etc. from your FOAF to enhance whatever it’s up to.

Applications for my closed linked data ideas

For web based services this is a bit of a non starter. The only way I can see it working is that you give the ECS profile system a list of URIs of services allowed to get at your data and at what level of detail. The second you expect a user to understand URIs vs URLs you lose 99% of your audience, but this might work if the system was very slick and hid all that from you.

It might work differently on phones, where the phone app. could more easily have access to your certificates (you wouldn’t allow a 3rd party website providing a service have access to your browser certs!)

Applications for ECS (Universities in general…)

So it occurred to me that it would be pretty easy to provide a service to allow our users to generate one or more certs and install the public part in their FOAF profile. I am not clear how well this system handles multiple certs on one FOAF profile but it seems to me that’s going to be needed. Scenario 1 is that I can quickly jump through some hoops to get a new cert each time I’m using a different browser etc. Scenario 2 is that I have to learn to copy my cert(s) around and if I don’t think anyone cares enough to deal with the hassle.

It might be quite a cute service to provide a way for our staff to easily authenticate that they are really http://id.ecs.soton.ac.uk/person/1248 although I’m not actually going to build it unless I hear some requests from members of my school (well, faculty as of the latest re-org)

The other thing this sounded useful for, at first glance, would be dealing with the huge pain of single-signon over so many different systems at the uni. This system provides a secure authentication without having to strongly couple the systems.

Problems with FOAF+SSL

…but…

Having installed my first certificate I’m not that comfortable. This cert. is possibly my password to some sites, but what it really says is “someone with the credentials of this user once used this browser”. The browser (firefox) didn’t give me any user-friendly explanation of what the hell was going on, and I don’t know what to do if I want to let someone else use a FOAF+SSL service from my laptop. It is non-trivial to remove certs and I’m not really clear of if my friend using my laptop needs to get the key from a USB stick, or to generate a new one there and then, then remember to dive deep into the settings menu to erase it afterwards.

In many ways SSL+password seems more secure as at least I don’t leave my passwords lying around on my machine, but I can’t keep the cert. in my human memory, it requires a digital copy. Maybe it can be password protected, but I wasn’t offered the option.

All in all an interesting tech. but I wouldn’t use it for our Intranet yet…

Further Reading

Here’s the links Kingsley gave in his comment. In my opinion the FOAF+SSL explanation on the first link would be clarified by making it clear that the last two bits (6. and 7.) are an interesting but entirely optional extension.

1. http://esw.w3.org/Foaf%2Bssl
2. http://www.mail-archive.com/public-lod@w3.org/msg05665.html — old post about WebID (nee. FOAF+SSL) ACL example

Posted in Intranet.

Tagged with , , .


4 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Kingsley Idehen says

    Chris,

    Nice post.

    I will convince you that the WebID protocol (nee. FOAF+SSL) will solve your problem.

    The Protocol is but one piece of the puzzle, you also need a platform that implements a solution based on the protocol. That’s what I have in “OpenLink Data Spaces”. I can share things like:

    1. Entire Calendars or Calendar Items

    2. Entire WebDAV collections or Resources in a Collection

    3. Entire AddressBooks or specific AddressBook entries

    4. Entire Bookmark Collections or specific Bookmarks

    5. Entire Blogs or specific blogs posts

    6. Entire Feed Collections or specific feeds

    7. My entire profile space or parts of my profile (e.g. home address and personal phone number etc. or what I Seek, Offer, Own, Like, DisLike, etc..

    8. Using the Data Container and Data Container Item model (a feature I added to the SIOC ontology).

    I am working on simple demonstrations of all of this stuff which (hopefully) will make WebID’s prowess much clearer on the back of real use cases.

    In the meantime (since you are more than technically savvy enough), you can watch some post-qa screencasts I knocked up a while back at:

    1. http://www.youtube.com/watch?v=gzqHVUb3qrw – Windows

    2. http://www.youtube.com/watch?v=mjgXsjd8PDE – Safari

    Much more to come.

    Kingsley

  2. Henry Story says

    Hi, nice article. Don’t let some initial problem stop you from continuing 🙂

    You can in fact easily add support for as many certificates as you wish. See the video “WebID Creation and use in 4 minutes”
    http://www.youtube.com/watch?v=S4dlMTZhUDc
    The example web service http://webid.myxwiki.org/ shows this very nicely. It just requires the web service to add more certificates to the foaf profile.

    It’s worth joining the mailing list and asking questions there, if you come up with a problem.

    Here’s a neater version of the protocol we are working on
    http://payswarm.com/webid/

  3. Henry Story says

    And of course most problems have been asked before. I tried answering all those that come up the most often here:
    http://esw.w3.org/foaf+ssl/FAQ

  4. Christopher Gutteridge says

    If I get inspired to, I might set up a SSL+FOAF service on our systems, as we already generate FOAF files for people, but I can see several big issues. One is that not all our staff want to appear on the web, and that would mean generating them a FOAF profile for their URI which contained public keys but nothing else, not even their name. Currently the URI for a member of staff or student who has not given formal permission to appear in our public directory just 404s. Most staff give permission, must students don’t.

    So that’s not really that big a hurldle, just an interesting case.

    My huge worry about the whole thing is that (trying it via FOAF.me) I really didn’t get a feeling for what was going on, especially that I was, in effect doing something akin to saving a username/password pair in the current browser.

    My current plan is to do nothing for now, as I have never once been asked for this facility. I’ll keep my ear to the ground as our staff are the early adopters of many things. I’ll keep mulling *how* we could implement it to allow our staff to create certs tying them to their ECS URI, eg. http://id.ecs.soton.ac.uk/person/1248

    A quick websearch showed up this:
    http://html5.litten.com/html5-keygen-element-and-internet-explorer/

    The fact that IE doesn’t support this system and never plans to is a big deal. Their points about user experience are pretty fair.



Some HTML is OK

or, reply to this post via trackback.