Matthias,

I'm a bit late to this thread but will add my €0.02 anyway.

I agree that simple HTTP authentication is the first approach we
should look at, it might be enough in many cases. This is, in fact,
what Twine are doing at the moment, they are still in private beta and
require you to HTTP-authenticate to access any of the RDF.

Peter asked how to convey to a client what waits behind the
authentication wall, so the client can decide whether it should try
getting credentials. I think the most obvious place to put this is
into the HTTP response body that is sent along with the "401
Authentication Required" response. Usually the response body would be
a default Apache HTML error page, but why not put some useful RDF there?

The whole issue of sharing private data between applications has been
explored in depth by the Web 2.0 community for a couple of years now,
in the context of mashups and RESTful APIs. A typical scenario is that
you want to expose your private data stored in application A to
application B, but don't want to give full access (or your password)
to application B. The emerging standard in this area is OAuth [1, used
e.g. by Twitter], and exploring how OAuth could be used to manage data
access between Linked Data apps would certainly be interesting.

There was a thread about these issues raging on the FOAF list [2, look
for “privacy and open data” and “RDFAuth”], I didn't follow it closely
but I think that OAuth was also discussed there. Henry Story came up
with what looks like a pretty complete proposal which he blogged here:
[3].

This is a very interesting topic and definitely worth exploring further.

Best,
Richard

[1] http://oauth.net/
[2] http://lists.foaf-project.org/pipermail/foaf-dev/
[3] http://blogs.sun.com/bblfish/entry/foaf_ssl_creating_a_global

On 17 Apr 2008, at 10:01, Matthias Samwald wrote:

I hope this is not too off-topic for a mailing list entitled
'linking open data'...

A question that will surely arise in many places when more people
get to know about the linked data initiative and the growing
infrastructure of linked open data is: how can these principles be
applied to organizational data that might not / only partially be
open to the public web? People will soon try to develop practices
for selectively protecting parts of their linked data with fine-
grained access rights. Could simple HTTP authentication be useful
for linked data? How does authentication work for SPARQL endpoints
containing several named graphs? Can we use RDF vocabularies to
represent access rights? Should such vocabularies be standardized?
Is there any ongoing work on defining such practices (or even 'best
practices')?

Cheers,
Matthias Samwald

Semantic Web Company, Austria // DERI Galway, Ireland
http://www.semantic-web.at/
http://www.deri.ie/
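
The suggestion in Richard's reply, returning RDF in the body of the 401 response, sketched here as an added example (not code from the thread or from any project it mentions). The WSGI app, the example.org URIs, the user table and the choice of dcterms:accessRights are assumptions for illustration; because the 401 body is readable by anyone, it carries only metadata that is safe to publish.

```python
import base64
import hmac

# Constructed sample data: users, URIs and vocabulary choice are assumptions.
USERS = {"alice": "correct horse"}
REALM = "private-linked-data"
# Sent with the 401 to anyone who asks, so it holds only publishable metadata.
PUBLIC_DESCRIPTION = """\
@prefix dcterms: <http://purl.org/dc/terms/> .
<http://example.org/data/projects>
    dcterms:title "Internal project graph" ;
    dcterms:accessRights "HTTP Basic credentials required" .
"""
PRIVATE_GRAPH = "<http://example.org/data/projects/42> <http://example.org/ns#budget> 125000 .\n"

def authenticated(header):
    """Validate an Authorization header value against USERS."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or not UTF-8
        return False
    user, _, password = raw.partition(":")
    # compare_digest avoids leaking how many leading characters matched
    ok = hmac.compare_digest(password.encode(), USERS.get(user, "").encode())
    return user in USERS and ok

def app(environ, start_response):
    """WSGI app: Turtle metadata on 401, the private graph after login."""
    if authenticated(environ.get("HTTP_AUTHORIZATION")):
        status, body, extra = "200 OK", PRIVATE_GRAPH, []
    else:
        status, body = "401 Unauthorized", PUBLIC_DESCRIPTION
        extra = [("WWW-Authenticate", f'Basic realm="{REALM}"')]
    data = body.encode("utf-8")
    headers = [("Content-Type", "text/turtle; charset=utf-8"),
               ("Content-Length", str(len(data))),
               ("Cache-Control", "no-store")] + extra
    start_response(status, headers)
    return [data]

def fetch(authorization=None):
    """Call app() in-process; returns (status, headers dict, body text)."""
    seen = {}
    environ = {"HTTP_AUTHORIZATION": authorization} if authorization else {}
    body = app(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(body).decode("utf-8")
```

HTTP Basic sends the password base64-encoded rather than encrypted, so an endpoint like this belongs behind TLS.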