See also: IRC log
<trackbot> Date: 09 December 2009
no one is chatting bblfish
<tinkster> Nobody talking on phone.
<danbri> danbri: i propose skipping all admin and going straight to henry
<bblfish> ok :-)
<danbri> hearing no objections ...
<hhalpin> who is scribing?
i can scribe
<danbri> yes please!
<danbri> what's the script notation to say
<danbri> scribe: mischat
<hhalpin> scribe: mischat
<danbri> :)
<bblfish> ok, if people want they can download a presentation I have made recently http://bblfish.net/tmp/2009/11/
<tinkster> This will be useful, or just "if people want"?
<cperey> which one?
<bblfish> (it's 45MB, so just start now. I won't go through all of it, but it will make things easier)
<bblfish> if you don't have keynote, take the pdf
<rreck> yes
yes
<tinkster> yes
<tinkster> +1 skip
any actions which people want to talk about ?
<danbri> danbri proposing skip admin
<danbri> skipping!
<danbri> Henry Story
<danbri> ----
henry story to talk about foaf+ssl
<bblfish> http://bblfish.net/tmp/2009/11/
http://bblfish.net/tmp/2009/11/TheSocialWeb-SantaClara.pdf
henry works for Sun Mircosystems, and has been travelling around europe talking about distributed social networks
<cperey> +1
semantic web helps us solve a problem which is required to have a distributed social network
issues with single sites such as facebook, where you have to log in, and then add all your friends one by one
there are loads of social networks about
recreating your social graph on every SNS is tedious and causes problems
such issues, and the notion of ownership of data has led to the data-portablity movement
scoble had an issue where he got kicked out of his social network, after attempting to remove all of this data
users don't own the data they upload to social networks
social graph, and the issue that you only have access to your own social graph, but the service providers have a view of everyones' social graph
companies with secrets cant use existing social networks, re: data ownership problems
there is a big brother privacy issue, we may not want people to look at what you are doing on a given social networking start
<danbri> (2000 even)
danbri and libby started foaf in 2000 :)
<danbri> timbl: 1989!
foaf project enables a distributed social network
<danbri> (I have a pile of foaf slides here http://www.slideshare.net/danbri )
current social networks are really popular, and they have good working UIs, and have engaged users
<danbri> for timbl, see http://www.w3.org/History/1989/proposal.html The "Personal Skills Inventory". "Personal skills and experience are just the sort of thing which need hypertext flexibility. People can be linked to projects they have worked on, which in turn can be linked to particular machines, programming languages, etc. "
<danbri> (ie. this use case was envisaged in the original design for the Web itself)
foaf and the semantic web, allows for data to be linked together between different sites
foaf allows for people to be linked together
people get given a URI
a foaf:Person URI
<danbri> :)
these URIs give you the ability to produce a global namespace for people
semantic web, builds on logic
allows for sentences to be built about things in the world
semantic web, mathematics of merging and mapping information
in order to show how foaf works, and how the Semantic Web can work, henry built a foaf-based Address book
this address-book allows for webpages to dragged and dropped into the address book app
and it grabs your foaf file
and it then populates your address book with information about the person just added to your address
the address book makes http requests to people's foaf files, and extracts information about that person and adds this information into your address book
<danbri> (public's good and all, but not everyone wants to share everything :)
the problem people had with the Address Book was that it required that all your information be in public foaf files
foaf gives us data-ownership
people can host their own info
it doesn't solve the action creation complexity problem
it solves a bunch of problem by not touching them, i.e. privacy
henry has found that in order to support privacy
<danbri> (we had some old experiments with PGP ... http://usefulinc.com/foaf/encryptingFoafFiles ... but it was limited to the tiny subset of us who could remember their PGP / GPG passwords and how to use them :)
there was a need to implement a form of authentication
and identification
for the last 20 years we have relied on usernames and password
but imagine a distributed social network, where people host their own data, you would have to hold accounts with usernames and passwords on all of your friends servers
this just wouldn't work
then came openid
openid gave each person a global identifier or a URI
<danbri> ( slide 53 = openid )
the protocol is a tad complicated
there is a lot of back and forwarding when doing an openid login
attribute exchange of openid is not restful
which makes it hard to link to information
there are also known security issues with openid ?
openid is very much compatible with the foaf+ssl work
foaf+ssl uses the client-certificate infrastructure built into modern web-browsers
it is built on top of https
<bblfish> http://foaf.me/
you can create your own certificate and your own foaf file
<danbri> (is foaf.me down right now?)
melvster: ^^ ?
<petef> seems to be down for me
<melvster> sorry yes
it works in FF, opera , safari
<melvster> appears down at this second
but not IE
<danbri> fixable? :)
<melvster> im looking ...
slide 57 has a UML diagram
<tinkster> Generating keys in IE requires ActiveX and none of us have been bothered to look at that yet.
<MacTed> http://downforeveryoneorjustme.com/foaf.me
yay to links
<bblfish> here http://esw.w3.org/topic/foaf+ssl
links to most of the topics covered can be found on the esw wiki
^^
<bblfish> here the protocol description http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
<petef> slide 57 = 59 = 62 ?
<tinkster> slide 61
once you have created your certificate, you can log in to a foaf+ssl enabled site by simply presenting your cert to the site
in order to attach a URI to a certificate
foaf+ssl has used a property in the X.509 header
property X?
this property should point to your foaf file
<tinkster> (And Peter Williams also said that we're using it pretty much how it should be used.)
<danbri> ' X509v3 Subject Alternative Name:'
thanks
<bblfish> here http://esw.w3.org/topic/WebId
and if foaf file has the public key of the cert in question, then the cert is said to be associated to the foaf:Person URI
<melvster> very sorry guys ... seems to be an ISP issue with foaf.me ... trying to trace the issue ...
which is now being called a WebID
so whoever owns the private key of the public key stated in the foaf file is said to be the person identified in the X.509 certificate
<caribou> WebID
danbri asks about the level of security in foaf+ssl and the robustness of the desig
<danbri> esp re first step, where you're loading a public foaf file
<danbri> ... how much of a difference do we care re https vs http URIs for the public files
http resource can be made subject to man in the middle attack
so for more security critical applications one should use an https WebId
<danbri> wondering role for xmldsig-signed markup here ...
<tinkster> Use FOAF+SSL to log into a social network, but not into a bank.
<MacTed> since foaf.me is down ... worth noting that this has all been built into Virtuoso & OpenLink Data Spaces ...
<MacTed> docs -- http://ods.openlinksw.com/wiki/ODS/VirtODSFOAFSSL -- can be followed against http://myopenlink.net/ods/ or http://my.openlinksw.com/ods/ (which servers are up and running) or you can put up your own pretty quickly.
<bblfish> dnssec
<danbri> tinkster, that's a nice first step towards getting mother maiden names, birthdays etc...
using the WOT
<bblfish> HAR
back in the day danbri was playing with the signed foaf files with pgp
but the issue was that not that many people used pgp
danbri asked if henry thought it was a good idea to revisit such things
henry started talking about signing sub-graphs in RDF
i don't understand why you would want to sign a sub-grapg
?
<tinkster> J Carroll paper mentioned by danbri - http://www.hpl.hp.com/techreports/2003/HPL-2003-142.pdf
digitally signing rdf : http://xmlns.com/wot/0.1/
<danbri> danbri: 2 scenarios ... user signs locally and pushes the result up to server (atompub etc); or else the host signs, so even if they don't use ssl everywhere, you could know livejournal/hi5 etc's pubkey and be sure the file wasn't interfered with
foaf+ssl makes it easy to have multiple certs
you can also easily invalidate a cert if you loose a machine
using pgp, if you loose your private key, you will have to ask people to re-sign your key
:)
danbri proposes a method of pushing data signed data via atom-pub or similar to a site such as facebook
<danbri> (with eg garlik as a file-signing intermediary ...)
our foaf validator, can tell you if your foaf file is signed properly
but yes, signing a foaf file for someone else does sound interesting
<danbri> (I'm not gonna hold my breath waiting for dns to be secured :)
<danbri> mischa, ... just to say 'garlik saw this, and got it from the party whose openid x checked out...' ... but not necc to vouch for its contents
<Zakim> danbri, you wanted to ask about attacks when not https
it would be nice to see if there was a method in the X.509 external where you could say only send information to a party if it is signed ?
<tinkster> http://openid4.me
<danbri> http://openid4.me/
<danbri> also http://github.com/akbarhossain/openid4me
understood danbri
openid4.me allows you to use an openid login form
<danbri> (garlik or other biz-s could also fact check specific claims, like workplaceHomepage ... )
<melvster> AX: not yet programmed
<melvster> sreg works
openid4.me allows you to use your WebID, and your foaf+ssl cert to log in openid providers
one important piece which is yet to be solved, that is content negotiation on foaf files
so in openid you can decide which bits of personal information you want to send to a service provider
there is no solution as of yet in the foaf+ssl world
<melvster> http://foaf.me appears to be back ... ?
yup it is melvster
<bblfish> openid http://openid4.me
<bblfish> http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo
this is a restful implementation of how you may want to interact with a restful web service using your foaf+ssl WebID
isn't this a similar example as presented in the openid spec
ah
yes
you are right
<danbri> oauth use photo sites as their intro use case
<melvster> it's actually closer to oauth WRAP (the newer version) than oauth
i recall the oauth example in the spec uses the photo service
foaf+ssl wants to be make us of linked data, semantic web, RDF.
in the future we can imagine a world where every user has their own website
<danbri> sounds like http://unite.opera.com/ :)
:)
or mac.com user pages
<danbri> see also http://mail.jabber.org/pipermail/social/2009-June/000540.html
<bblfish> http://ladistribution.net
<danbri> anyone have questions for henry?
ack?
<bblfish> http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox
<danbri> anyone with questions, use "q+ to ask about blahblah" here please
<danbri> see http://lists.foaf-project.org/pipermail/foaf-protocols/
<bblfish> here http://lists.foaf-project.org/pipermail/foaf-protocols/
people should join the foaf-protocol mailing list
<cperey> me too, bye
<danbri> mischa: with foaf+ssl you need something inside your browser ...
<danbri> ... do you think we're moving to a world where ppl carry their browser around with them
<danbri> ... or they use machines from anywhere, unless you brin your cert
<danbri> bblfish: i was a bit worried initially re signing others' foaf files with my pubkey
<danbri> ppl can selfsign their certs, ... very easy to create new certs, ...
<danbri> foaf.me should let you get a list of certs you have, ... click on them and cancel, ... to create one for 10 mins (eg. a net cafe), ...
<danbri> ... also another tech, USB cards, which can be linked with firefox so you can put your key on usb card, they'll do the encryption
<danbri> without privkey being shared anywhere
<danbri> (missed detail)
<danbri> bblfish: by basing on tls/ssl, we build on existing expertise
<danbri> ... they relied a bit too much on ldap data structures
<danbri> so too much pre-web design
<danbri> lacking web-style flexibility/ namespaces
<danbri> ldap doesn't allow you to have a global directory
<tinkster> Also, too much emphasis on top-down certificate signing, rather than self-signed.
<danbri> (x500 did, kinda? -danbri)
<danbri> bblfish: so we're supplying a missing piece to make the most of ssl
<Zakim> danbri, you wanted to ask about feedback you've had, in your tours/talks
<petef> have to duck out now, thanks Henry.
danbri askes about the feedback on your tour, and your priorities for the upcoming months
<danbri> bblfish: similar questions come up
mainly security based questions
<danbri> re security, ... was pleased that specialists seemed relatively untroubled by the design
services such as foaf.me
<danbri> (foaf.me is back btw :)
and openid4.me have really helped when trying to see foaf+ssl
foaf+ssl is seen as a practical way of showing the semantic web working
in a real world context that is a social networking application
drupal dev's found it an easy way into Semantic web tech
henry thinks we need more use cases for such technology
<tinkster> bblfish, ARC2's SPARQL is pretty good in my experience, but can only operate on in-database (MySQL-only in fact) triple stores; not in-memory.
we need to have people using it, so that we can identify issues with the foaf+ssl proposition
ack?
the european tour was very useful, giving talks about the work really helped. Most talks at barcamps, and non-traditional conferences, i.e. not that academic
webfinger
henry would love the swxg to support foaf+ssl
?ack
?q
<danbri> I logged into Jyte: * Signed in as openid4.me/http://foaf.me/danbri2%23me
<tinkster> RDF vCard would be nearly as useful.
no offense to danbri
<danbri> yeah, it's a fair question
<danbri> foaf was designed to be optional!
<danbri> original name was rdfweb ... foaf was just the 'utility vocab'
<danbri> <- http://www.foaf-project.org/original-intro
question regarding whether foaf was necessary in the foaf+ssl
<tinkster> DNA checksum will be useful when we create FOAF+Blood authentication.
semantic web tech allows you to add more namespaces
<danbri> 'please spit on the screen'
<danbri> 'no, down a bit...'
allowing you add more information to your foaf file, as ontologies come about
<MacTed> GoodRelations - what do you need, what do you have...
danbri asked which properties you need to implement a foaf+ssl
login
<danbri> danbri: exactly which properties (and classes) are needed when implementing a foaf+ssl system
<tinkster> cert:identity, rsa:public_exponent, rsa:modulus, cert:hex, cert:decimal.
tinkster: a link to a cert:?
<danbri> so those 2 namespaces timbl dropped onto w3.org?
bblfish: http://bblfish.net/people/henry/card#me WedID
<tinkster> No, the cert links to the FOAF file. The FOAF file doesn't need to link to the cert (it describes it via those properties).
for an example
ah no my question was, could you give the full URI for "cert:identity"
http://www.w3.org/ns/auth/cert#
got it
and http://www.w3.org/ns/auth/rsa#
<caribou> member submission?
<danbri> Todo:
<danbri> - add some classes and relations for DSA
<bblfish_> http://www.w3.org/ns/auth/cert#
<danbri> - should this all be in one file? Or should this be cut up a little? Say one file for the general CERT ontology, and then files for RSA, DSA, PGP, etc... Or perhaps it does not really matter?
<danbri> - expand more on the certification side of things
<danbri> - verify this by security experts
<bblfish_> http://www.w3.org/ns/auth/rsa#>
<danbri> - add more todos
<danbri> - owl2 has some constructs for combined inverse functional properties.
<danbri> This may be useful to use in defining an RSA key which is identified
wants a foaf:knows in bblfish's foaf file :)
<danbri> by two numbers.
<danbri> - when more stable create rdf/xml version
<danbri> - also create html version of the spec by using this as a template.
<danbri> - should comments such as this be in html?
<danbri> we could publish a swig note
<danbri> or as caribou mentions, a member sub (if you continue working for a Member)
<bblfish> here http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
what is the smallest thing needed for the spec to be useful
<caribou> danbri, 1 member amongst the authors is sufficient
<tinkster> Smallest thing to be useful = a blog post, though a UN resolution would be nice.
<danbri> UN :)
danbri asks if Henry would be happy for the work to be published via the W3C ?
henry would be happy for the work to be published via the W3C
<tinkster> Open Web Foundation is a possibility too.
<melvster> graphical example of the ontology (scroll down) http://www.w3.org/RDF/Validator/ARPServlet?URI=http%3A%2F%2Ffoaf.me%2Fah1&PARSE=Parse+URI%3A+&TRIPLES_AND_GRAPH=PRINT_BOTH&FORMAT=PNG_EMBED
the scribe will have to go soon
<danbri> mischat, thanks for scribing
np
This is scribe.perl Revision: 1.135 of Date: 2009/03/02 03:52:20 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/WebId/WebID/ Found Scribe: mischat Found Scribe: mischat Inferring ScribeNick: mischat WARNING: No "Topic:" lines found, but dash separators were found. Defaulting to -dashTopics option. WARNING: No "Present: ... " found! Possibly Present: AX Anita AnitaD MacTed OpenLink_Software P18 P32 Todo bblfish bblfish_ caribou cert cperey danbri hhalpin melvster mischa pchampin petef rreck timbl tinkster trackbot You can indicate people for the Present list like this: <dbooth> Present: dbooth jonathan mary <dbooth> Present+ amy Found Date: 09 Dec 2009 Guessing minutes URL: http://www.w3.org/2009/12/09-swxg-minutes.html People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option.[End of scribe.perl diagnostic output]