Peter Williams | 2 Jul 2012 21:12

[foaf-dev] aggregation vs trusted proxying; FOAF+SSL etc

For years, folks have explored crawlers aggregating data sets - for which ontologies assist in that process
(amongst other benefits). We have seen data APIs from the likes of Facebook, for graphs specified as sets
of connections to other data sets. And, we have seen sites that enable data clouds for individuals,
leveraging websso connections to aggregate person data and then other datums tied to person entities.

Typically, Microsoft waits till things have matured a bit, before releasing mainstream support for
things. And, dataexplorer.sqlazurelabs.com may be the signal that it thinks things are more mainstream
than once we thought.

Of course, what I note is that it's a hybrid approach, not choosing any one winner of a technology or standard
(being as happy to parse HTML5 semantic markup as use a webAPI, or do a SQL query). But what is interesting is
that the security model for proxying is built in - with the site's rights to go pick up backroom data
requiring an OAUTH-like delegation from the user (so the site can borrow some of the user's privileges).
What's then interesting beyond that is that the mashup then also participates in extending the chain of
such delegations (with the privilege to use the new mashup... of other downstream sources) being
projected up to the consumer of the aggregate - who must establish read rights to all the component
datasets. Two users of the same endpoint may get different results (much like an old X.500 server would
correlate result sets from downstream agents differently for each consuming user, according to the
security policy of the component's namespace).

It's been 6+ months since I looked at foaf or its security modeling research. How are things evolving? Things
seemed to be heading the right way, with foaf agents acting as security guards to data transformation
processes, allowing chains of foaf agents to cooperate and enforce some user's policy as a particular
network of foaf sources would link up.

Did folks ever complete the cycle, and find the ideal "webby" model for all the above (probably with the
dynamically generated RDFa having embedded the javascript client that implemented the (foaf+ssl)
security model on the client integrating foaf representations of policy)? Did the foaf agent go this very
"ideal" route, or did it, like the Microsoft work, take more the OAUTH route with token-passing between
trusted agents?

Melvin Carvalho | 2 Jul 2012 21:21

Re: [foaf-dev] aggregation vs trusted proxying; FOAF+SSL etc



Hi Peter

I think things are still going strong ...

Some of the discussions have moved to building real world apps and social platforms, for the read write web.  The mailing list, wiki and group information is here: feel free to join the group.

http://www.w3.org/community/rww/

I've also put together 4 monthly summary posts of the work we've done recently at:

http://www.w3.org/community/rww/wiki/Monthly_Updates

enjoy!
 

_______________________________________________
foaf-dev mailing list
foaf-dev-RyYwo1q5J+qwHaC900ee1w@public.gmane.orgect.org
http://lists.foaf-project.org/mailman/listinfo/foaf-dev

Peter Williams | 3 Jul 2012 18:29

Re: [foaf-dev] aggregation vs trusted proxying; FOAF+SSL etc

Thanks, that's useful.

Take a look at
http://www.commoncriteriaportal.org/files/epfiles/ca-directory-r120-sec-eng.pdf. It's not
that the particular read/write "agent" technology is that interesting to the wider web (being X.500,
ldap). But look at the way things are structured in security terms, formally. Look at the way the
particular concept "overlays" an access control system on top of a repository of data records. And, if one
knows how to read such target disclosures, note how its security system claims make lots of operating
assumptions (in reality, when treating their agent as an "foaf agent," the security concept may be
expecting folks to run this particular software system in a secure data center on a "system-high"
platform, surrounded by armed guards, and highly indoctrinated staff with years of experience on the
particular software set and tuned-up compensating controls.... with a very specific notion of
high availability that is perhaps not sufficiently webby.)

Not all directory/foaf agents are the same, clearly. And not all intend to be internet-facing. Some are
"veneers", much like perhaps that Microsoft agent is something of a veneer that happens to leverage
token-passing and token-delegation to overlay a distributed security policy for access controls on a
distributed data set; with no redundancy (in that first version of the tool).
