From W3C Wiki
FOAF+SSL is a secure authentication protocol that enables the building of distributed, open, and secure social networks: the Social Web. The protocol is being developed by the W3C WebID Incubator Group.
How does it work?
This is a summary of the WebID 1.0: Web Identification and Discovery unofficial draft.
FOAF+SSL is a very simple protocol. It authenticates a user in one connection; the same connection made whenever accessing a web site. This is done by making clever use of the SSL layer built into virtually every standard Web browser that implements HTTPS. The following sequence diagram illustrates this clearly:
- In the first connection the user (Romeo) arrives on the home page of Juliet, after having received a note from her at a party. This page contains a login button or link.
- Romeo clicks the login link, an https URL. Perhaps https://juliet.example/login
- Juliet's server on receiving the HTTPS connection asks the client for his certificate. As a result a popup appears in Romeo's browser asking him to choose his WebId. (see the pictures of how different browsers present this). Romeo selects one of them, and this corresponding X.509 certificate is sent back to the server, which verifies that Romeo's browser has the private key associated with the public key published in it, using the standard https protocol.
- The certificate also contains a Web ID, which is a URL such as http://romeo.example/#me that was placed in the Subject Alternative Name field of the cert. Juliet's server finds this and does an HTTP GET on it.
- If the graph of the returned document contains the relations that http://romeo.example/#me has the public key specified in the certificate, the server knows that the person at the other end of the connection is <http://romeo.example/#me> .
- Juliet' server can then check in its database if <http://romeo.example/#me> is known by any of Juliet's friends, as specified in their foaf files published on their servers.
- Juliet's server authorized Romeo to see her file.
Note: The access control rule could be different, but this one is particularly telling, as it shows how each of Juliet's friends can contribute to helping her build a web of trust.
Trust is established recursively. Individuals add people they have had direct interactions with by exchanging WebIDs to their foaf file. Those people in turn do the same with their aquaintances. This can then be used by any user to build web's of trust.
FOAF+SSL uses Public Key (PKI) standards — usually thought of as hierarchical trust management tools — in a decentralized "web of trust" way. The web of trust is built using semantic web vocabularies (particularly FOAF) published in RESTful manner to form Linked Data.
Based on well known and widely deployed standards, FOAF+SSL and its implications are being discussed on the FOAF protocols mailing list (see its archive ). FOAF+SSL does not require the FOAF vocabulary, but this helps understand the social implications of the protocol.
For a very short description of the protocol, read the one-page FOAF+SSL: Adding Security to Open Distributed Social Networks. People working with client certificates may be surprised by this usage of this old technology. Reading The FOAF+SSL Paradigm Shift may help. For a much more detailed, technical explanation of the way we are thinking of trust, see FOAF+SSL: Creating a Web of Trust without Key Signing Parties.
Try it Out
To get an idea of what to expect with foaf+ssl watch this short screen cast. You can then try it out by creating a profile with one of the identity providers, and logging in to one of the Relying parties listed below.
- FOAF+SSL Identity Providers will help you create a WebID, that is a foaf profile and a foaf+ssl certificate, without coding. ( If you prefer to hand write your foaf file see the HOWTO section ).
- FOAF+SSL Relying Parties: A Relying Party is a service that authenticates a user with Foaf+SSL. Without Relying Parties a WebID is not much fun.
Some further pointers
- WebID and Browsers Presented at the W3C Workshop on Identity in the Browser (in ogg and other formats)
- Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows
- WebID creation and use in 4 minutes using Firefox, Opera and Chrome - shows how easy it is to create a certificate with the same WebId on each browser.
- Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!
- WebID & OpenID Hybrid Protocol Demo Using IE on Windows (Silent With Voiceover)
- Short 5 minute interview on the Social Web by Prof. William Dutton of Oxford Internet Institute
- WebID: From Blogging to the Secure Social Web - 30 minute presentation of WebID in context (part 2)
- Philosophy and the Social Web 2 hour talk that covers in great detail Web Architecture , the Social Web and foaf+ssl from a philosophy point of view.
- Identity, Discovery and Authorization at W3C talk covering a large selection of authentication protocols.
- The Social Network privacy mess: Why we need the Social Web explains the background need for this protocol
- 10 minute Lightening Talk at HAR 2009 (Hackers at Random conference in Holland) direct ogg video link
- Using a Web ID on the Social Web a 10 min detailed screen cast of foaf+ssl in action]
- 40 minute Presentation at FrOSCon 2009 (Free and Open Source Conference in Sankt Augustin, Germany) direct link to ogg video
- an audio slide-show some background on the need for foaf+ssl, with introduction to the semantic web, and a description of the protocol, presented at JavaOne 2008.
- a presentation given at the W3C project review for FOAF+SSL (2009-02-19)
- Tim Berners Lee's presentation Distributed Social Networking - Through Socially Aware Cloud Storage with notes shows how Web IDs and FOAF+SSL tie in with the big picture of Cloud computing. See also the paper Socially Aware Cloud Storage
- Flexible management of Virtual Organisations using FOAF+SSL presented by Bruno Harbulot at the e-Science All Hands Meeting 2009 in Oxford
- Open Web Podcasts episode 24, in German, dedicated to foaf+ssl
Papers & Blogs
- FOAF+SSL: Adding Security to Open Distributed Social Networks short explanation of the protocol
- how to have a web of trust without key signing goes into more detail in how to establish trust in FOAF+SSL
- Towards A Privacy-Aware, Trusted Web
- Spkac and the Netscape keygen tag ( now in html5 ) can be used to create web services that make secure client certificates in one click
- outline of of a business model for open distributed social networks, and hence for FOAF+SSL
- FOAF+SSL backstory - early mailing list discussions and blog posts
- TimBL's Illustration of a Writable Web of Linked Data based on FOAF+SSL.
- Socially Aware Cloud Storage, design note by Tim Berners Lee
- A Flock of Twitters: Decentralized Semantic Microblogging gives a very good overview of what is possible in the micro blogging space with Web IDs.
- Thoughts on Securing Linked Data with OAuth and FOAF+SSL
- Time for Another Look at WebID? by Jennifer Zaino, published July 18, 2011 - on semanticweb.com
- FOAF+SSL: RESTful Authentication for the Social Web a 12 page paper presented at the 2009 European Semantic Web Conference
- RDF Policy-based URI Access Control for Content Authoring on the Social Semantic Web by Joe Presbrey under the supervision of Tim Berners Lee.
- "RDF Based Access Control System" by Shreyas Krishnamurthy Lokkur, MSc in Web Technology, University of Southampton, 25th September 2009 - considers Semantic Web services and foaf+ssl in a SOAP environment
- Building a Distributed Social Network 6.UAP Final Report Charles McKenzie, May 9 2010
- SWRL-based Access Policies for Linked Data Hannes Mühleisen, Martin Kost and Johann-Christoph Freytag, Humboldt-University of Berlin
- Standing on the Shoulders of the Trusted Web: Trust, Scholarship and Linked Data. Matthew Gamble, Carole Goble, University of Manchester. Presented at Web Science Conf. 2010, April 26-27, 2010, Raleigh, NC, USA
- A Widget Library for Creating Policy-Aware Semantic Web Applications , James Dylan Hollenbach, MSc thesis 2010
- Connected Information Management. Dissertation, LMU München Axel Rauschmayer (2010)
- The widely known Friend Of a Friend Ontology
- the in development Certificate and RSA ontologies (in RDF/XML and N3)
- The Web Access Control section of this wiki has pointers to relevant ontologies
Some further wiki pages dedicated to check:
- FOAF+SSL Identity Providers: Sites that make it easy to get a WebId
- FOAF+SSL Relying Parties: Sites that one can log into with those WebIds
- FOAF+SSL FAQ (Frequently asked questions)
- FOAF+SSL Use Cases wiki page
- FOAF+SSL Howto wiki page
- FOAF+SSL Clients for the state of our knowledge concerning support in browsers
- Open Questions wiki page
- the simplest User Story
- Using FOAF+SSL to authorise RESTful updates to an RDF file
- more on the FOAF+SSL Use Cases wiki page
- Enabling SSL client certificates on Apache, explains how to get any client side certificates from the client from an Apache server
- How to setup Tomcat as a foaf+ssl server
- How to setup JBoss AS 4.2.3 as a foaf+ssl server
- How to write a simple foaf+ssl authentication servlet
- a thread with good links to IIS related issues
- How to setup OpenLink Data Spaces (ODS) as a foaf+ssl server
- How to use foaf+ssl for ACLs within ODS-Briefcase
- How to create a WebId certificate by hand (for people who want to use their old foaf file)
- How to configure Apache to serve a WebID (based on application type requested - either html or rdf)
- How to use FOAF+SSL from a Command Line
- more on the FOAF+SSL Howto wiki page
Relations to Other Protocols
- short initial comparison to OpenID
- FOAF+SSL+OpenID the wiki page
- How to make OpenId RESTful using foaf+ssl, a thread on the foaf-protocols mailing list
- OpenId4.me is a service that makes it easy for any Web ID enabled agent, to get an Open ID that is based on his foaf profile, and uses foaf+ssl for Open ID authentication.
Bruno Harbulot put a proof of concept together for delegated login using SAML.
There is some work going on exploring how foaf+ssl could be used in this space. See the Rhizomatik foaf+ssl XMPP page, and some of the mailing list discussion. This still needs to be discussed further, so please post ideas and contributions to the mailing list.
For a comparison of features of these libraries see WebID Protocol Implementations
- Apache module: mod_authn_webid (formerly at http://dig.csail.mit.edu/hg/)
- Apache module: mod_auth_foafssl (announcement, ReadMe notes) by Joe Presbrey
- Perl module: Web::ID
- Python library: python-webid
- Python library: TAAC - FOAF+SSL access control module for mod_python using AIR
- Drupal library: very early Drupal library
- Maven library: 3 Maven Ready libraries in Java
- PHP library: libAuthentication - for server-side support
- PHP library: WebIDDelegatedAuth - quickly enables any PHP application to allow delegated WebID login (other end of WebIDauth below)
- PHP library: WebIDauth - a lightweight library with extensive debug elements to construct a full WebID authentication service (which can be used for other apps to delegate it authentication) : requires tuning the Web server's SSL config to query client SSL certs of connecting clients (which may not coexist well with other SSL apps hosted on the same server)
- Ruby library: foafssl-ruby
- Scala OSGi based implementation running in Apache Clerezza
- foafssl.org FOAF+SSL Identity Provider makes it easy for developers to create a FOAF+SSL login button, without needing a server side SSL stack.
- FCNS offers another FOAF+SSL Identity Provider, functionally very similar to foafssl.org, in order to maintain compatibility with client libraries.
- OpenLink Software's MyOpenLink service (an ODS demo instance) lets users get a new WebID (and OpenID), or reuse an existing one to open an ODS account, with full support for OpenID+FOAF+SSL. (See the ODS with FOAF+SSL usage scenarios for additional ODS & FOAF+SSL information.)
SSL/TLS is a core part of the Web, and client certificates is very important for security conscious organisations. As such it is implemented in all high volume browsers. Before the development of FOAF+SSL though, client certificates were used in a very limited setting. Usually a client cert would be used only on the site that had released it and to a small extent on partner sites. As such the user interface for client certificates has not been very carefully worked on, especially the option of using one certificate across many sites.
For more details on the state of support of various browsers see the FOAF+SSL Clients page .
The most important thing now is to build tools that make it very easy for any member of the general public to get and use a WebID. This can be done most easily by retrofitting an existing application, mostly because all the user interface work will already have been done by the existing application developers.
Other Applications of FOAF+SSL
- Fixing Email Spam -- Using WebIDs for DKIM Identity
- replacing e-mail with WebID + Atom/restmail. This would in one go make e-mail secure, RESTful, webenabled and reduce spam, or at least severely restrict the damage, as the spammer would have to identify himself, and perhaps even host the spam.
- Web of Trust
- Demo of another WOT initiative by Against Intuition Inc.
- SSL Authentication Extension for MediaWiki
- Finding Bacon's Key: Does Google Show How the Semantic Web Could Replace Public Key Infrastructure? - a paper by Joseph M. Reagle Jr., <firstname.lastname@example.org>, derived "from a discussion with Tim Berners-Lee"
- X.509 certificate and its subject name field (email thread)
- X.509 - RFC 2459
- First Few Milliseconds of an HTTPS Connection
- How SSL Works Presentation / Video Tutorial
- How SSL Works Presentation / Video Tutorial
- Getting Cheap SSL certificates
see the attachments section of this wiki page