{
  "id": 383,
  "date": "2010-09-01T14:17:50",
  "date_gmt": "2010-09-01T14:17:50",
  "guid": {"rendered": "http:\/\/blog.soton.ac.uk\/webteam\/?p=383"},
  "modified": "2010-09-01T14:37:16",
  "modified_gmt": "2010-09-01T14:37:16",
  "slug": "first-thoughts-about-foafssl",
  "status": "publish",
  "type": "post",
  "link": "https:\/\/blog.soton.ac.uk\/webteam\/2010\/09\/01\/first-thoughts-about-foafssl\/",
  "title": {"rendered": "First thoughts about FOAF+SSL"},
  "content": {
    "rendered": "<p>My last blog post caused <a href=\"http:\/\/twitter.com\/kidehen\">@kidehen<\/a> (Kingsley Uyi Idehen) to ask if I&#8217;d looked at FOAF+SSL as a way for people to give 3rd parties selective access to their own personal data held on our systems.<\/p>\n<p>I still don&#8217;t think it&#8217;s the right tool for that job, but it is pretty cool. Here&#8217;s a quick summary.<\/p>\n<p>This system allows you to authenticate that you are the person represented by a URI. To do this you cause a key pair to be generated. The private key is installed in your browser, and the public key is added to your FOAF page as a handful of extra triples.<\/p>\n<p>When you attempt to view a page that requires you to authenticate with a certificate, your browser asks which of the installed certificates you want to use. You pick the one for the identity you care about. The remote site then resolves the URI (stored as part of the cert) to get the public key for your claimed identity, then does the usual library stuff to check that your client really holds the private complement of the public key published in the FOAF for your claimed identity.<\/p>\n<p>Here&#8217;s an example I knocked up using foaf.me: <a href=\"https:\/\/foaf.me\/marvin\">https:\/\/foaf.me\/marvin<\/a><\/p>\n<p>It can then optionally do funky stuff with RDF to decide if your identity should have view\/edit rights on the resource you requested, and can also do funky stuff by resolving your depiction, name, friends etc. from your FOAF to enhance whatever it&#8217;s up to.<\/p>\n<h3>Applications for my closed linked data ideas<\/h3>\n<p>For web based services this is a bit of a non-starter. The only way I can see it working is that you give the ECS profile system a list of URIs of services allowed to get at your data and at what level of detail. The second you expect a user to understand URIs vs URLs you lose 99% of your audience, but this might work if the system was very slick and hid all that from you.<\/p>\n<p>It might work differently on phones, where the phone app could more easily have access to your certificates (you wouldn&#8217;t allow a 3rd party website providing a service to have access to your browser certs!)<\/p>\n<h3>Applications for ECS (Universities in general&#8230;)<\/h3>\n<p>So it occurred to me that it would be pretty easy to provide a service to allow our users to generate one or more certs and install the public part in their FOAF profile. I am not clear how well this system handles multiple certs on one FOAF profile, but it seems to me that&#8217;s going to be needed. Scenario 1 is that I can quickly jump through some hoops to get a new cert each time I&#8217;m using a different browser etc. Scenario 2 is that I have to learn to copy my cert(s) around, and if so, I don&#8217;t think anyone cares enough to deal with the hassle.<\/p>\n<p>It might be quite a cute service to provide a way for our staff to easily authenticate that they are really http:\/\/id.ecs.soton.ac.uk\/person\/1248, although I&#8217;m not actually going to build it unless I hear some requests from members of my school (well, faculty as of the latest re-org).<\/p>\n<p>The other thing this sounded useful for, at first glance, would be dealing with the huge pain of single sign-on over so many different systems at the uni. This system provides secure authentication without having to strongly couple the systems.<\/p>\n<h3>Problems with FOAF+SSL<\/h3>\n<p>&#8230;but&#8230;<\/p>\n<p>Having installed my first certificate I&#8217;m not that comfortable. This cert is possibly my password to some sites, but what it really says is &#8220;someone with the credentials of this user once used this browser&#8221;. The browser (Firefox) didn&#8217;t give me any user-friendly explanation of what the hell was going on, and I don&#8217;t know what to do if I want to let someone else use a FOAF+SSL service from my laptop. It is non-trivial to remove certs, and I&#8217;m not really clear on whether my friend using my laptop needs to get their key from a USB stick, or to generate a new one there and then, and then remember to dive deep into the settings menu to erase it afterwards.<\/p>\n<p>In many ways SSL+password seems more secure, as at least I don&#8217;t leave my passwords lying around on my machine, but I can&#8217;t keep the cert in my human memory; it requires a digital copy. Maybe it can be password protected, but I wasn&#8217;t offered the option.<\/p>\n<p>All in all, an interesting tech, but I wouldn&#8217;t use it for our Intranet yet&#8230;<\/p>\n<h3>Further Reading<\/h3>\n<p>Here are the links Kingsley gave in his comment. In my opinion the FOAF+SSL explanation on the first link would be clarified by making it clear that the last two bits (6. and 7.) are an interesting but entirely optional extension.<\/p>\n<p>1. <a rel=\"nofollow\" href=\"http:\/\/esw.w3.org\/Foaf%2Bssl\">http:\/\/esw.w3.org\/Foaf%2Bssl<\/a><br \/>\n2. <a rel=\"nofollow\" href=\"http:\/\/www.mail-archive.com\/public-lod@w3.org\/msg05665.html\">http:\/\/www.mail-archive.com\/public-lod@w3.org\/msg05665.html<\/a> \u2014 old post about WebID (n\u00e9e FOAF+SSL) ACL example<\/p>\n",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>My last blog post caused @kidehen (Kingsley Uyi Idehen) to ask if I&#8217;d looked at FOAF+SSL as a way for people to give 3rd parties selective access to their own personal data held on our systems. I still don&#8217;t think it&#8217;s the right tool for that job, but it is pretty cool. Here&#8217;s a quick [&hellip;]<\/p>\n",
    "protected": false
  },
  "author": 5,
  "featured_media": 0,
  "comment_status": "open",
  "ping_status": "open",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": {"ngg_post_thumbnail": 0, "footnotes": ""},
  "categories": [87],
  "tags": [384, 383, 803363],
  "class_list": ["post-383", "post", "type-post", "status-publish", "format-standard", "hentry", "category-intranet", "tag-authentication", "tag-foafssl", "tag-rdf"],
  "_links": {
    "self": [{"href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/posts\/383", "targetHints": {"allow": ["GET"]}}],
    "collection": [{"href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/posts"}],
    "about": [{"href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/types\/post"}],
    "author": [{"embeddable": true, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/users\/5"}],
    "replies": [{"embeddable": true, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/comments?post=383"}],
    "version-history": [{"count": 3, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/posts\/383\/revisions"}],
    "predecessor-version": [{"id": 385, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/posts\/383\/revisions\/385"}],
    "wp:attachment": [{"href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/media?parent=383"}],
    "wp:term": [
      {"taxonomy": "category", "embeddable": true, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/categories?post=383"},
      {"taxonomy": "post_tag", "embeddable": true, "href": "https:\/\/blog.soton.ac.uk\/webteam\/wp-json\/wp\/v2\/tags?post=383"}
    ],
    "curies": [{"name": "wp", "href": "https:\/\/api.w.org\/{rel}", "templated": true}]
  }
}