Difference between revisions of "WebID"

From W3C Wiki
Jump to: navigation, search
(Screencasts)
(add link to "WebID and crawlers" page)
Line 220: Line 220:
 
* [http://dig.csail.mit.edu/breadcrumbs/node/71 Give yourself a URI] - on Tim Berners-Lee's blog
 
* [http://dig.csail.mit.edu/breadcrumbs/node/71 Give yourself a URI] - on Tim Berners-Lee's blog
 
* [http://www.w3.org/DesignIssues/ReadWriteLinkedData.html Read-Write Linked Data] and [http://www.w3.org/DesignIssues/CloudStorage.html Socially Aware Cloud Storage] - from Tim Berners-Lee's [http://www.w3.org/DesignIssues/Overview.html Design Issues] series
 
* [http://www.w3.org/DesignIssues/ReadWriteLinkedData.html Read-Write Linked Data] and [http://www.w3.org/DesignIssues/CloudStorage.html Socially Aware Cloud Storage] - from Tim Berners-Lee's [http://www.w3.org/DesignIssues/Overview.html Design Issues] series
 +
* [[WebID and Crawlers]]
  
 
=== Screencasts ===
 
=== Screencasts ===

Revision as of 20:43, 23 June 2011

WebIDs and the WebID Protocol

What is a WebID?

A WebID is a way to uniquely identify a person, company, organization, or other agent using a URI. The term "WebID" was coined by Dan Brickley and Tim Berners-Lee in 2000.


One direct use of this concept is the protocol known as foaf+ssl that is now being worked on in the WebID Incubator Group at the W3C.

FOAF+SSL WebID

A FOAF+SSL WebID is a URI that refers to a person (Agents or Robots are ok too) via a uniquely identifying description placed on the web.

X509-Sense-and-Reference.jpg

The FOAF+SSL WebID here is https://bblfish.net/#hjs . As stated by the URI specification

The fragment identifier component of a URI allows indirect identification of a secondary resource by reference to a primary resource

In this case the primary resource is the profile document https://bblfish.net/ and the secondary one is the WebID . This is usually thought of as the profile document.

FOAF is one fairly-commonly used WebID-centered vocabulary, used for profiles of agents (people, organizations, or software). Any GRDDLable format - ie, pretty much any consistent format (including JSON due to jsonGRDDL) - should work as well.

The value of having a URI as an identifier are:

  • that it can be linked to by other profiles, to create a linked web of trust
  • that it can be tied to information enabling a method of authentication ( such as OpenID or even more directly with foaf+ssl )

The screen cast Using a WebID with the FOAF+SSL on the emerging Social Web should help reveal what is being enabled here. Note that in the case of foaf+ssl the end user does not need to remember his WebID.

Why should I get a WebID?

People often publish data about themselves on the Web, such as:

  • Who they know
  • What they are interested in
  • Photos they have taken
  • Projects they work on
  • Their curriculum vitae or employment history
  • Their publications

Having a Web ID can allow you to identify yourself when you publish this sort of information online and link to each of those resources.

Most importantly of all it allows people to reference you and declare social relations on the web, as that you are their friend, colleague, parent, etc... even when their profile is hosted on a different web server as yours. This is key to enabling the Social Web: ie. social networks between individuals, citizens, companies, universities, governments, while allowing each player to remain in control of their data they publish.

In order to deal with privacy issues, a Profile Server should reveal a more or less depending on the identity (WebID) of the user.

Do I already have a WebID?

If you are already a member of a number of social networking sites, you may already have a WebID which they have given you automatically (but be aware that some sites, e.g., LiveJournal, currently expose FOAF data without creating WebIDs for each user; MyOpera and MyOpenLink are sites which do assign and use URIs for all users).

These sites export (some of) the data which you have put into them. It is normally a subset -- perhaps just the social graph (i.e., who knows whom on the site). This is useful, but it doesn't mean you can use the social networking site to manage all the data you may want in your public profile on the web.

An important question about any site which exports your data is: Does it allow me to make a link to data on another site? If so, your data becomes linked together from site to site, and people and crawlers can find all of it which you choose to expose. If a site does not allow you to link your data in this way, they are effectively confining your data to only being used within their service, which some people find restrictive.

Best Practices for Sites Providing WebIDs for Users

  • Allow your users to tell your site their existing Web ID(s). Publish these Web IDs in your data.
    • Use owl:sameAs to associate their existing Web IDs with the Web ID you provide for them; or
    • Use their existing Web ID in your data instead of the Web ID you would normally provide them.
  • Be careful to distinguish between your user as a person, and your user's account. In SIOC, these are represented as foaf:Person and sioc:UserAccount respectively. These two classes are disjoint (i.e., an entity can't be both at the same time).

Can I make my own Web ID?

You can use any web server you have authorization to publish your files to.

First you must decide on a stable place to host your profile document. If you have your own domain name, that is perfect as you can change providers without changing your Web ID. If you don't have your own domain, you'll need to pick a provider where you can host a file. The file you make will be named foaf.rdf. (Not all Web IDs will use foaf.rdf, but this is an easy example.)

Your Web ID is made up of the URL of that file on the Web, plus #ABC, where you replace ABC with your initials. (Technically, you can use #me, #this, or any other fragment identifier; initials are currently being recommended.) (<-- recommended by whom? and how to handle suffixes, e.g., Jr., Sr., III, IV?)

So your Web ID looks something like:

http://your.isp.com/whatever/~yourusername/foaf.rdf#ABC


You can consult the Best Practice Recipes for Publishing RDF Vocabularies for some options on how to do this.

There are a number of ways to make a FOAF file.

  • Use Tabulator (version supporting this action has not yet been released, as of 2008-11)
  • Use a template and edit it for your own use
  • FOAF builder, a recent service that allows you to create a FOAF file to place where you want, or to be saved on their servers (which currently requires an OpenID).
  • Use FOAF-a-Matic
  • Get A URI in 5 Minutes or Less via ODS from OpenLink Software
  • Use FOAF-o-Matic, a recent service for creating FOAF profiles in which you may decide to reuse pre-existing URIs for you or your friends, this way improving the integration of the FOAF social network. This service is empowered by the Entity Name System (ENS) which is developed as part of the OKKAM EU-funded project.

It is good to pick a hosting service which allows you to edit the file in place using WebDAV. WebDAV is an extension for HTTP which lets you edit as well as read web pages, without needing to learn how to download and upload files with that host.

See EditingData for details of how to make an editable web site.

How does a WebID compare with my social networking site?

When you get an account on your favorite social networking site, like Facebook, MySpace, LinkedIn and so on, you spend a lot of time telling that site about yourself, who your friends are, what photos include you, and so on. This information is re-used to provide, within that site, services like showing you photos of your friends. The trouble is, each site is a silo. When you want to use info you gave to one site on another, you have to negotiate for each site to access your data on the other.

But this is your data. You can publish it anywhere you can publish web content.

That said, these silos are slowly opening; technologies like OpenID, OAuth, OpenSocial, PortableContacts, and so on, are being deployed on many such sites. A Web ID is an identifier that you can use to tie together information exposed by such services, in a portable and future-proof way.

I have a home page, is that a Web ID?

No, your Web Page URL identifies the location of a document that is associated with you, in a sense it is similar to your drivers license or social security card, both of these artifacts identify you indirectly.

In DBMS parlance, an indirect identifier takes the form of a Unique Key, and in Semantic Web parlance indirect identifiers are values associated with Inverse Functional Properties (IFPs).

Since you aren't a Document, a Web Page URL cannot be used to construct an Identifier that uniquely identifies you. It cannot be the Naming mechanism used by other Web users to accurately reference you.

A Web ID looks similar to a home page URL, but it specifically identifies Entity You of Type: Person. Typically, the definition of Type: Person, comes from a vocabulary or ontology or data dictionary. One such vocabulary is FOAF, which is the basis of this effort.

When you get a Web ID, it can be used to accurately reference "You". It is also the conduit to all information associated with "You" which includes things you've created -- Blog Posts, Shared Bookmarks, Music, Photos etc. -- and relationships you have with other people (your social network for example).

Can I use a Web ID for Federated Single Sign-on?

Yes! WebIDs form the basis of the WebID Protocol, an innovative approach to federated single sign-on, which is discussed below.

What is the WebID Protocol?

The WebID Protocol authenticates a digital identity (a WebID) by allowing an Agent (e.g., a Web Browser) to prove possession of or access to a private key, whose corresponding public key is tightly bound to that WebID. The private key is usually associated with a "certificate" on the user's computer, while the public key and WebID are part of that certificate and tightly bound to its subject.  Likewise, the public key and WebID are both tightly bound into the profile-oriented document(s) that describe the identity being authenticated.

This proof is accomplished by adding an invisible look-up step into the standard client-side certificate verification process (that is, the TLS Handshake Protocol) used by the SSL protocol -- which is in use anytime you see an https:// link.  This look-up reveals the user accessing the site (i.e., the owner of the WebID) in the overall Web of Linked Data, against which the server can then query to determine the level of trust that user should be granted. Note: This process works with self-signed certificates, so it does not require the participation of Certificate Authorities to grow.

The WebID Protocol promises to be more fine grained than other Federated Single Sign-on methods. Federation generally implies large entities that work together toward a common goal. The WebID Protocol lets individuals participate at the same level as large entities.

Some Protocol Details

An excerpt from the introduction of the Transport Layer Security (TLS) Protocol specification may help clarify matters somewhat.

  The TLS Record Protocol is used for encapsulation of various higher-
  level protocols.  One such encapsulated protocol, the TLS Handshake
  Protocol, allows the server and client to authenticate each other and
  to negotiate an encryption algorithm and cryptographic keys before
  the application protocol transmits or receives its first byte of
  data.  The TLS Handshake Protocol provides connection security that
  has three basic properties:
  
  -  The peer's identity can be authenticated using asymmetric, or
     public key, cryptography (e.g., RSA [RSA], DSA [DSS], etc.).  This
     authentication can be made optional, but is generally required for
     at least one of the peers.
  
  -  The negotiation of a shared secret is secure: the negotiated
     secret is unavailable to eavesdroppers, and for any authenticated
     connection the secret cannot be obtained, even by an attacker who
     can place himself in the middle of the connection.
  
  -  The negotiation is reliable: no attacker can modify the
     negotiation communication without being detected by the parties to
     the communication.

The WebID Protocol simply adds a check to the existing TLS Handshake, authenticating the identity of the client-side peer. That check is a look up against the WebID for the public key received during a successful handshake.

Why is the WebID Protocol Viable?

The simple answer is that URLs can be used to name anything, including, in particular, people. In the LinkedData pattern one places information about the object at the URL of the object named. This helps in finding the meaning of any URI: you just need to click it, to GET it. The same pattern is applied here. Someone names themselves with a URL, and places a document containing structured data about themselves, typically including links to the people they know, at that URL. Each link they add is a vote of trust in the information at which they are pointing; in this case, trusting that the URL they are using for their friend really is one that reliably and stably refers to and describes their friend — since their friend wants to use that URL to keep track of the information about theirself. This builds a network of trust.

WebID Protocol is just a technology that leverages X.509 Certificates, already in common (and largely invisible) use. By placing that same URL in the certificate that identifies the user, and then placing information at that URL about the public key of the certificate, a web server that receives a user request can verify that the user has write access to that URL. If that can be proven then the server may as well agree that the user is the person in question described by the resource. The value of the trust the server puts into what this person says can then be established by the position of that URL in the network of trust. A more detailed version of this explanation can be found in the article FOAF+SSL: Creating a Web of Trust Without Key Signing Parties.

How does the WebID Protocol compare with OpenID?

OpenID is also a single-sign-on system.

However, while it does give you an identity for sign on, it does not give you an identity for all the types of networks mentioned above, such as Friend Of A Friend (FOAF), Description Of A Project (DOAP), and so on.

OpenIDs serve as fine indirect identifiers. Much as you can talk about "the Person who has the blog at example.org" or "the Company whose homepage is at example.com", you can use an OpenID page identifier as an indirect identifier for the person who controls that OpenID page. In fact, this in a way OpenID works — by demonstrating OpenID control over some identifying page, you can assure other sites of your real-world identity. OpenID is decentralized in that it allows you to arrange for any page (e.g., your longstanding homepage or blog) to serve as an indirect person-identifying page.

Additionally, because OpenID allows you to demonstrate control of your page to other sites, it can also be used to help those sites know what the preferred Web ID is for any OpenID user whose pages link to a FOAF description. In other words, once you have the combination of OpenID/FOAF set up, you can log in elsewhere using your OpenID and it will also make clear what your preferred Web ID is.

It is possible to connect your Web ID to your OpenID in both directions.

For a detailed protocol-level discussion, see A comparison of FOAF+SSL and OpenID.

Official Specifications

Related (seeAlso)

Screencasts