W3C

- DRAFT -

Social Web Incubator Group Teleconference

09 Dec 2009

See also: IRC log

Attendees

Present
Regrets
Chair
danbri
Scribe
mischat

<trackbot> Date: 09 December 2009

no one is chatting bblfish

<tinkster> Nobody talking on phone.

<danbri> danbri: i propose skipping all admin and going straight to henry

<bblfish> ok :-)

<danbri> hearing no objections ...

<hhalpin> who is scribing?

i can scribe

<danbri> yes please!

<danbri> what's the script notation to say

<danbri> scribe: mischat

<hhalpin> scribe: mischat

<danbri> :)

<bblfish> ok, if people want they can download a presentation I have made recently http://bblfish.net/tmp/2009/11/

<tinkster> This will be useful, or just "if people want"?

<cperey> which one?

<bblfish> (it's 45MB, so just start now. I won't go through all of it, but it will make things easier)

<bblfish> if you don't have keynote, take the pdf

<rreck> yes

yes

<tinkster> yes

<tinkster> +1 skip

any actions which people want to talk about ?

<danbri> danbri proposing skip admin

<danbri> skipping!

<danbri> Henry Story

<danbri> ----

henry story to talk about foaf+ssl

<bblfish> http://bblfish.net/tmp/2009/11/

http://bblfish.net/tmp/2009/11/TheSocialWeb-SantaClara.pdf

henry works for Sun Microsystems, and has been travelling around Europe talking about distributed social networks

2005 - http://www.w3.org/2001/sw/Europe/events/foaf-galway/ ?

<cperey> +1

semantic web helps us solve a problem which is required to have a distributed social network

issues with single sites such as facebook, where you have to log in, and then add all your friends one by one

there are loads of social networks about

recreating your social graph on every SNS is tedious and causes problems

such issues, and the notion of ownership of data, have led to the data-portability movement

scoble had an issue where he got kicked out of his social network, after attempting to remove all of his data

users don't own the data they upload to social networks

social graph, and the issue that you only have access to your own social graph, but the service providers have a view of everyone's social graph

companies with secrets can't use existing social networks, re: data ownership problems

there is a big brother privacy issue, we may not want people to look at what you are doing on a given social networking site

<danbri> (2000 even)

danbri and libby started foaf in 2000 :)

<danbri> timbl: 1989!

foaf project enables a distributed social network

<danbri> (I have a pile of foaf slides here http://www.slideshare.net/danbri )

current social networks are really popular, and they have good working UIs, and have engaged users

<danbri> for timbl, see http://www.w3.org/History/1989/proposal.html The "Personal Skills Inventory". "Personal skills and experience are just the sort of thing which need hypertext flexibility. People can be linked to projects they have worked on, which in turn can be linked to particular machines, programming languages, etc. "

<danbri> (ie. this use case was envisaged in the original design for the Web itself)

foaf and the semantic web, allows for data to be linked together between different sites

foaf allows for people to be linked together

people get given a URI

a foaf:Person URI

<danbri> :)

these URIs give you the ability to produce a global namespace for people

semantic web, builds on logic

allows for sentences to be built about things in the world

semantic web, mathematics of merging and mapping information

in order to show how foaf works, and how the Semantic Web can work, henry built a foaf-based Address book

this address-book allows for webpages to be dragged and dropped into the address book app

and it grabs your foaf file

and it then populates your address book with information about the person just added to your address book

the address book makes http requests to people's foaf files, and extracts information about that person and adds this information into your address book

<danbri> (public's good and all, but not everyone wants to share everything :)

the problem people had with the Address Book was that it required that all your information be in public foaf files

foaf gives us data-ownership

people can host their own info

it doesn't solve the account creation complexity problem

it solves a bunch of problems by not touching them, i.e. privacy

henry has found that in order to support privacy

<danbri> (we had some old experiments with PGP ... http://usefulinc.com/foaf/encryptingFoafFiles ... but it was limited to the tiny subset of us who could remember their PGP / GPG passwords and how to use them :)

there was a need to implement a form of authentication

and identification

for the last 20 years we have relied on usernames and passwords

but imagine a distributed social network, where people host their own data, you would have to hold accounts with usernames and passwords on all of your friends servers

this just wouldn't work

then came openid

openid gave each person a global identifier or a URI

<danbri> ( slide 53 = openid )

the protocol is a tad complicated

there is a lot of back and forwarding when doing an openid login

attribute exchange of openid is not restful

which makes it hard to link to information

there are also known security issues with openid ?

openid is very much compatible with the foaf+ssl work

foaf+ssl uses the client-certificate infrastructure built into modern web-browsers

it is built on top of https

http://foaf.me/

<bblfish> http://foaf.me/

you can create your own certificate and your own foaf file

<danbri> (is foaf.me down right now?)

melvster: ^^ ?

<petef> seems to be down for me

<melvster> sorry yes

it works in Firefox, Opera, Safari

<melvster> appears down at this second

but not IE

<danbri> fixable? :)

<melvster> im looking ...

slide 57 has a UML diagram

<tinkster> Generating keys in IE requires ActiveX and none of us have been bothered to look at that yet.

<MacTed> http://downforeveryoneorjustme.com/foaf.me

yay to links

<bblfish> here http://esw.w3.org/topic/foaf+ssl

links to most of the topics covered can be found on the esw wiki

^^

<bblfish> here the protocol description http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

<petef> slide 57 = 59 = 62 ?

<tinkster> slide 61

once you have created your certificate, you can log in to a foaf+ssl enabled site by simply presenting your cert to the site

in order to attach a URI to a certificate

foaf+ssl has used a property in the X.509 header

property X?

this property should point to your foaf file

<tinkster> (And Peter Williams also said that we're using it pretty much how it should be used.)

<danbri> ' X509v3 Subject Alternative Name:'

thanks

<bblfish> here http://esw.w3.org/topic/WebId

and if the foaf file has the public key of the cert in question, then the cert is said to be associated to the foaf:Person URI

<melvster> very sorry guys ... seems to be an ISP issue with foaf.me ... trying to trace the issue ...

which is now being called a WebID

so whoever owns the private key of the public key stated in the foaf file is said to be the person identified in the X.509 certificate

<caribou> WebID

danbri asks about the level of security in foaf+ssl and the robustness of the design

<danbri> esp re first step, where you're loading a public foaf file

<danbri> ... how much of a difference do we care re https vs http URIs for the public files

an http resource can be made subject to a man in the middle attack

so for more security critical applications one should use an https WebID

<danbri> wondering role for xmldsig-signed markup here ...

<tinkster> Use FOAF+SSL to log into a social network, but not into a bank.

<MacTed> since foaf.me is down ... worth noting that this has all been built into Virtuoso & OpenLink Data Spaces ...

<MacTed> docs -- http://ods.openlinksw.com/wiki/ODS/VirtODSFOAFSSL -- can be followed against http://myopenlink.net/ods/ or http://my.openlinksw.com/ods/ (which servers are up and running) or you can put up your own pretty quickly.

<bblfish> dnssec

<danbri> tinkster, that's a nice first step towards getting mother maiden names, birthdays etc...

using the WOT

<bblfish> HAR

back in the day danbri was playing with the signed foaf files with pgp

but the issue was that not that many people used pgp

danbri asked if henry thought it was a good idea to revisit such things

henry started talking about signing sub-graphs in RDF

i don't understand why you would want to sign a sub-graph

?

<tinkster> J Carroll paper mentioned by danbri - http://www.hpl.hp.com/techreports/2003/HPL-2003-142.pdf

digitally signing rdf : http://xmlns.com/wot/0.1/

<danbri> danbri: 2 scenarios ... user signs locally and pushes the result up to server (atompub etc); or else the host signs, so even if they don't use ssl everywhere, you could know livejournal/hi5 etc's pubkey and be sure the file wasn't interfered with

foaf+ssl makes it easy to have multiple certs

you can also easily invalidate a cert if you lose a machine

using pgp, if you lose your private key, you will have to ask people to re-sign your key

:)

danbri proposes a method of pushing signed data via atom-pub or similar to a site such as facebook

<danbri> (with eg garlik as a file-signing intermediary ...)

our foaf validator, can tell you if your foaf file is signed properly

but yes, signing a foaf file for someone else does sound interesting

<danbri> (I'm not gonna hold my breath waiting for dns to be secured :)

<danbri> mischa, ... just to say 'garlik saw this, and got it from the party whose openid x checked out...' ... but not necc to vouch for its contents

<Zakim> danbri, you wanted to ask about attacks when not https

it would be nice to see if there was a method in the X.509 external where you could say only send information to a party if it is signed ?

<tinkster> http://openid4.me

<danbri> http://openid4.me/

<danbri> also http://github.com/akbarhossain/openid4me

understood danbri

openid4.me allows you to use an openid login form

<danbri> (garlik or other biz-s could also fact check specific claims, like workplaceHomepage ... )

<melvster> AX: not yet programmed

<melvster> sreg works

openid4.me allows you to use your WebID, and your foaf+ssl cert, to log in to openid providers

one important piece which is yet to be solved, that is content negotiation on foaf files

so in openid you can decide which bits of personal information you want to send to a service provider

there is no solution as of yet in the foaf+ssl world

<melvster> http://foaf.me appears to be back ... ?

yup it is melvster

<bblfish> openid http://openid4.me

<bblfish> http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo

this is a restful implementation of how you may want to interact with a restful web service using your foaf+ssl WebID

isn't this a similar example as presented in the openid spec

ah

yes

you are right

<danbri> oauth use photo sites as their intro use case

<melvster> it's actually closer to oauth WRAP (the newer version) than oauth

i recall the oauth example in the spec uses the photo service

foaf+ssl wants to make use of linked data, semantic web, RDF.

in the future we can imagine a world where every user has their own website

<danbri> sounds like http://unite.opera.com/ :)

:)

or mac.com user pages

<danbri> see also http://mail.jabber.org/pipermail/social/2009-June/000540.html

<bblfish> http://ladistribution.net

<danbri> anyone have questions for henry?

ack?

<bblfish> http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

<danbri> anyone with questions, use "q+ to ask about blahblah" here please

<danbri> see http://lists.foaf-project.org/pipermail/foaf-protocols/

<bblfish> here http://lists.foaf-project.org/pipermail/foaf-protocols/

people should join the foaf-protocol mailing list

<cperey> me too, bye

<danbri> mischa: with foaf+ssl you need something inside your browser ...

<danbri> ... do you think we're moving to a world where ppl carry their browser around with them

<danbri> ... or they use machines from anywhere, unless you bring your cert

<danbri> bblfish: i was a bit worried initially re signing others' foaf files with my pubkey

<danbri> ppl can selfsign their certs, ... very easy to create new certs, ...

<danbri> foaf.me should let you get a list of certs you have, ... click on them and cancel, ... to create one for 10 mins (eg. a net cafe), ...

<danbri> ... also another tech, USB cards, which can be linked with firefox so you can put your key on usb card, they'll do the encryption

<danbri> without privkey being shared anywhere

<danbri> (missed detail)

<danbri> bblfish: by basing on tls/ssl, we build on existing expertise

<danbri> ... they relied a bit too much on ldap data structures

<danbri> so too much pre-web design

<danbri> lacking web-style flexibility/ namespaces

<danbri> ldap doesn't allow you to have a global directory

<tinkster> Also, too much emphasis on top-down certificate signing, rather than self-signed.

<danbri> (x500 did, kinda? -danbri)

<danbri> bblfish: so we're supplying a missing piece to make the most of ssl

<Zakim> danbri, you wanted to ask about feedback you've had, in your tours/talks

<petef> have to duck out now, thanks Henry.

danbri asks about the feedback on your tour, and your priorities for the upcoming months

<danbri> bblfish: similar questions come up

mainly security based questions

<danbri> re security, ... was pleased that specialists seemed relatively untroubled by the design

services such as foaf.me

<danbri> (foaf.me is back btw :)

and openid4.me have really helped when trying to see foaf+ssl

foaf+ssl is seen as a practical way of showing the semantic web working

in a real world context that is a social networking application

drupal devs found it an easy way into Semantic web tech

henry thinks we need more use cases for such technology

<tinkster> bblfish, ARC2's SPARQL is pretty good in my experience, but can only operate on in-database (MySQL-only in fact) triple stores; not in-memory.

we need to have people using it, so that we can identify issues with the foaf+ssl proposition

ack?

the european tour was very useful, giving talks about the work really helped. Most talks at barcamps, and non-traditional conferences, i.e. not that academic

webfinger

henry would love the swxg to support foaf+ssl

?ack

?q

<danbri> I logged into Jyte: * Signed in as openid4.me/http://foaf.me/danbri2%23me

<tinkster> RDF vCard would be nearly as useful.

no offense to danbri

<danbri> yeah, it's a fair question

<danbri> foaf was designed to be optional!

<danbri> original name was rdfweb ... foaf was just the 'utility vocab'

<danbri> <- http://www.foaf-project.org/original-intro

question regarding whether foaf was necessary in the foaf+ssl

<tinkster> DNA checksum will be useful when we create FOAF+Blood authentication.

semantic web tech allows you to add more namespaces

<danbri> 'please spit on the screen'

<danbri> 'no, down a bit...'

allowing you add more information to your foaf file, as ontologies come about

<MacTed> GoodRelations - what do you need, what do you have...

danbri asked which properties you need to implement a foaf+ssl login

<danbri> danbri: exactly which properties (and classes) are needed when implementing a foaf+ssl system

<tinkster> cert:identity, rsa:public_exponent, rsa:modulus, cert:hex, cert:decimal.

tinkster: a link to a cert:?

<danbri> so those 2 namespaces timbl dropped onto w3.org?

bblfish: http://bblfish.net/people/henry/card#me WebID

<tinkster> No, the cert links to the FOAF file. The FOAF file doesn't need to link to the cert (it describes it via those properties).

for an example

ah no my question was, could you give the full URI for "cert:identity"

http://www.w3.org/ns/auth/cert#

got it

and http://www.w3.org/ns/auth/rsa#

<caribou> member submission?

<danbri> Todo:

<danbri> - add some classes and relations for DSA

<bblfish_> http://www.w3.org/ns/auth/cert#

<danbri> - should this all be in one file? Or should this be cut up a little? Say one file for the general CERT ontology, and then files for RSA, DSA, PGP, etc... Or perhaps it does not really matter?

<danbri> - expand more on the certification side of things

<danbri> - verify this by security experts

<bblfish_> http://www.w3.org/ns/auth/rsa#

<danbri> - add more todos

<danbri> - owl2 has some constructs for combined inverse functional properties.

<danbri> This may be useful to use in defining an RSA key which is identified

wants a foaf:knows in bblfish's foaf file :)

<danbri> by two numbers.

<danbri> - when more stable create rdf/xml version

<danbri> - also create html version of the spec by using this as a template.

<danbri> - should comments such as this be in html?

<danbri> we could publish a swig note

<danbri> or as caribou mentions, a member sub (if you continue working for a Member)

<bblfish> here http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

what is the smallest thing needed for the spec to be useful

<caribou> danbri, 1 member amongst the authors is sufficient

<tinkster> Smallest thing to be useful = a blog post, though a UN resolution would be nice.

<danbri> UN :)

danbri asks if Henry would be happy for the work to be published via the W3C ?

henry would be happy for the work to be published via the W3C

<tinkster> Open Web Foundation is a possibility too.

<melvster> graphical example of the ontology (scroll down) http://www.w3.org/RDF/Validator/ARPServlet?URI=http%3A%2F%2Ffoaf.me%2Fah1&PARSE=Parse+URI%3A+&TRIPLES_AND_GRAPH=PRINT_BOTH&FORMAT=PNG_EMBED

the scribe will have to go soon

<danbri> mischat, thanks for scribing

np

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2009/12/09 17:21:31 $