From W3C Wiki

FOAF Plus OpenID

A method of blocking, for example, blog comment spam by connecting the Friend Of A Friend (FOAF) social network with OpenID single sign-on.

1. You need an OpenID

  • (Get one) -- or discover you already have one

Your OpenID identity is typically your home page. When you get an OpenID set up, you put the URI of the OpenID service provider into the head section of your home page as follows.

<link rel="openid.server" href="" />
<link rel="openid.delegate" href="" />

2. You need a FOAF file

  • You may already have one if you are on a social network site which does FOAF. See FoafSites
  • Copy someone else's and edit it, or use the Foaf-a-matic
  • If you have one, make sure it has a foaf:openid whose value is the URI of the home page you used as your OpenID.

For example: <foaf:openid rdf:resource=""/>

(If you don't have foaf:openid but you do have foaf:homepage and the homepage is a valid OpenID page, this will currently work, but it slows down our crawl and we may drop it. So please use foaf:openid).

Your FOAF file can be discovered from your home page if you insert the following tag in the head part of the HTML, changing the href to match where your FOAF file is hosted or available from.

<link rel="meta" name="FOAF Profile" href="" type="application/rdf+xml" />

PeterAnsell : Why should foaf:homepage when resolved with link rel="openid.server" and link rel="openid.delegate" be enough? Is one extra hop really that bad considering the usefulness of the method? How often are these "crawls" performed? How often should they be performed ideally? Who is "we"? Duplicate entries for the person's homepage and openid don't seem to be that necessary.

3. You need to be known

Once you have a FOAF identity, get your friends to say they know you. Then you become known in the social network at large. You get to comment on blogs, and so on.

If your FOAF file is one on a social networking site such as Advogato, then when someone makes you a friend on that site, it endorses you. (On Advogato they 'certify' you.)

Different sites may have different criteria for the people they allow to log on.

Example: The DIG blog

DIG is the Decentralized Information Group at MIT's Computer Science and Artificial Intelligence Laboratory. After attacks by spammers, they now use FOAF+OpenID to decide who may comment on their blog. For that site, you need to be a friend (of a friend, to a maximum of 3 hops) of anyone in the group.

That's it. (2007/10) DIG expects the system to get more complicated with time. The objective is not to be discriminatory, but to identify people who are not spammers. As it uses RDF, we can also later include things like enrollment in classes, co-authorship of papers or co-attendance at conferences as alternative ways of being connected. They are willing to allow in potentially a very large number of people -- they only want to exclude spammers. They may need a blacklist of people who seem to know spammers.


A secure system is traditionally broken into authentication and authorization. In the real world, each must be simple and decentralized, under the control of real people. Here, OpenID is the authentication, and the authorization is just pulled out of the RDF graph of social relationships.
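As an added example (not code from this wiki page or from DIG), here is the authorization half described above: parse a small constructed FOAF file, follow foaf:knows outward from the group, and admit an already-authenticated OpenID only if the person declaring it as foaf:openid is within three hops. The people, URIs and group membership in the sample are hypothetical.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
FOAF = "{http://xmlns.com/foaf/0.1/}"

# Constructed sample (hypothetical URIs): alice -> bob -> carol -> dave -> eve
# via foaf:knows; only alice is a member of the group.
SAMPLE_FOAF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
 <foaf:Person rdf:about="http://ex.org/alice"><foaf:openid rdf:resource="http://alice.ex.org/"/>
   <foaf:knows rdf:resource="http://ex.org/bob"/></foaf:Person>
 <foaf:Person rdf:about="http://ex.org/bob"><foaf:openid rdf:resource="http://bob.ex.org/"/>
   <foaf:knows rdf:resource="http://ex.org/carol"/></foaf:Person>
 <foaf:Person rdf:about="http://ex.org/carol"><foaf:openid rdf:resource="http://carol.ex.org/"/>
   <foaf:knows rdf:resource="http://ex.org/dave"/></foaf:Person>
 <foaf:Person rdf:about="http://ex.org/dave"><foaf:openid rdf:resource="http://dave.ex.org/"/>
   <foaf:knows rdf:resource="http://ex.org/eve"/></foaf:Person>
 <foaf:Person rdf:about="http://ex.org/eve"><foaf:openid rdf:resource="http://eve.ex.org/"/></foaf:Person>
</rdf:RDF>"""

def load_graph(rdf_xml):
    # Parse FOAF RDF/XML into foaf:knows edges and each person's foaf:openid.
    knows, openid_of = {}, {}
    for p in ET.fromstring(rdf_xml).iter(FOAF + "Person"):
        uri = p.get(RDF + "about")
        knows[uri] = [k.get(RDF + "resource") for k in p.findall(FOAF + "knows")]
        for oid in p.findall(FOAF + "openid"):
            openid_of[uri] = oid.get(RDF + "resource")
    return knows, openid_of

def hops_from_group(knows, members, person):
    # BFS outward from the group along directed foaf:knows edges (the knower's statement).
    seen, frontier, hops = set(members), set(members), 0
    while frontier:
        if person in frontier:
            return hops
        frontier = {n for p in frontier for n in knows.get(p, []) if n not in seen}
        seen |= frontier
        hops += 1
    return None  # not connected to the group at all

def authorized(openid_uri, rdf_xml, members, max_hops=3):
    # Authorization only: openid_uri is assumed already verified by its OpenID provider.
    # Allow if a person declaring that foaf:openid is within max_hops (DIG: 3) of a member.
    knows, openid_of = load_graph(rdf_xml)
    for person, oid in openid_of.items():
        hops = hops_from_group(knows, members, person) if oid == openid_uri else None
        if hops is not None and hops <= max_hops:
            return True
    return False
```

With the sample chain, dave (3 hops from alice) is admitted and eve (4 hops) is refused; an OpenID nobody in the crawl declares is refused too.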

Related Reading