FOAF+SSL: Secure, RESTful, Single-Sign-On Authentication

Ian Jacobi, Henry Story, Toby Inkster, Melvin Carvalho, et al.

27 July 2009

Overview

• What is FOAF+SSL? Why is it needed?
• How FOAF+SSL works
• Building authorization on top of FOAF+SSL

What is FOAF+SSL?

• A RESTful, secure, open authentication framework
• Like OpenID, with security by default and no provider
• Implemented seamlessly on top of SSL

Why FOAF+SSL?

• Linking common semantic representation to user token
• Distributed ACLs
• Protecting sensitive data on the Open Social Network

Technical Background - FOAF

• "Friend of a Friend" vocabulary
• A defacto RDF standard for describing a person
• Semantic Web-based vocabulary
• Gives an individual a URI

FOAF+SSL - The Protocol

FOAF+SSL - Adding Authorization

• Only establishes control of a URI
• FOAF URI and certificate allow for establishing trust (PKI/Third-parties)
• Self-signing clients are okay: Web-of-Trust works better with clients than servers
• Can use URI as unique identifier for policy reasoning

FOAF+SSL - Adding Authorization

Use Cases

• Single-sign-on web service user identification (as in OpenID)
• Single-sign-on web service personalization (linking social networks)
• Single-sign-on for other services (XMPP)
• (Distributed) HTTP access control

FOAF+SSL Resources

• Up-to-date links on the ESW Wiki
• FOAF+SSL Position Paper: "FOAF+SSL: Adding Security to Open Distributed Social Networks"
• Ongoing discussions on the foaf-protocols mailing list
• FOAF+SSL at Sun:
• Protocol Overview
• Web of Trust without Key Signing
• Thoughts on integrating OpenID with FOAF+SSL

Redistribution License