FOAF+SSL: Secure, RESTful, Single-Sign-On Authentication

Ian Jacobi, Henry Story, Toby Inkster, Melvin Carvalho, et al.

19 February 2009


What is FOAF+SSL?


Current Alternatives: HTTP Authentication

Current Alternatives: OpenID


Technical Background - FOAF

FOAF+SSL - The Protocol

The user requests the page and, during the establishment of an SSL connection with the server, provides a self-signed certificate containing a pointer to the user's URI.  The server 'dereferences' the user's URI and attempts to verify the public key of the client certificate against information at the user's URI.  If the key is properly verified, the user's URI can be trusted as 'owned' by the user.

FOAF+SSL - Adding Authorization

FOAF+SSL - Adding Authorization

Once the user's URI can is trusted as 'owned' by the user, the URI may be used to reason about whether a user is authorized to access a particular resource.

Use Cases

Deployment Hurdles: Certificate Creation

Deployment Hurdles: Ontology Design

Should the key of the certificate belong to the agent? Or should the key of the certificate belong to an account of the agent?

FOAF+SSL Implementations

Open Questions

FOAF+SSL Resources

Redistribution License

Creative Commons License