On 19 Mar 2010, at 23:24, Glenn McGurrin wrote:

> I would assume by delegation you would mean something like having a
> private key to a cert that has been signed by the private key of the user
> whose data we are talking about. If this is not what you are talking
> about I would suggest thinking about it. Just like your browser throws
> exceptions if the cert it receives from a website is not trusted itself
> or signed by a trusted cert who also has your trust to sign other certs,
> you could allow delegation of authority through signing a cert for that
> 3rd party. That would also allow for separate key usage extensions or
> similar that would be specific to this type of application; those usage
> extensions could specify what kinds of data the third party is allowed
> to access on your behalf. The final benefit I see right now is the
> potential to revoke a 3rd party's permission without re-keying, or to
> set a time limit on their access. For instance, I want to test compatible
> service ABC, but I am not sure I want to use them for any real length of
> time, so I sign a cert for them that has an expiration date in one week so
> that I can try it out and give them access, but if I decide I do not
> like it their permission will expire, and if they are not trustworthy it
> does not matter: they can not in any way keep any useful credentials to
> continue.
I think it can be done more easily than that. Just think of the server (the third party) as another agent in the p2p (declarative) network that is the web. It, like anyone else, will have a WebId too. So not only will people have WebIds (one of mine being http://bblfish.net/#hjs ), but so will services such as https://identi.ca/#co , or https://ibm.com/#co , or https://photo.com/#phto ....

It is just a question of the owner of a resource then adding (in an automatic way as much as possible) the WebId of those services to a group linked to, or in, his foaf profile. So I could create a group of TrustedServices:

    [] a :TrustedService;
       foaf:member <https://identi.ca/#co>, <https://photo.com/#phto> ...

Then I could give access to privacy sensitive parts of my foaf (ones containing my e-mail address, social security number, phone number, ... or anything else I care about) to members of that group.

One scenario is the one I described here:
http://blogs.sun.com/bblfish/entry/sketch_of_a_restful_photo

Henry

_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
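A minimal model of the group-based access check Henry describes, added here as an example (it is not code from the thread or from StatusNet): the owner's profile lists service WebIds as foaf:member of the trusted group, an access rule grants that group access to a sensitive resource, and revocation is simply removing the membership triple, with no re-keying. The access-rule vocabulary (urn:example:acl#...), the resource URL and the hard-coded tuple graph standing in for a parsed RDF document are assumptions; the requester's WebId is assumed to have been authenticated already.

```python
# Added example: access decision over a FOAF profile modelled as (s, p, o) tuples.
# A real server would load the owner's profile with an RDF library; here the
# graph is constructed inline. The requester's WebId is taken as already
# authenticated (e.g. from its client certificate); this code only decides
# whether that WebId belongs to a group the owner has granted access to.

FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
# Hypothetical access-rule vocabulary (assumption, not on the page).
ACL_ACCESS_TO = "urn:example:acl#accessTo"
ACL_AGENT_GROUP = "urn:example:acl#agentGroup"
TRUSTED_SERVICE = "urn:example:TrustedService"

GROUP = "_:trustedServices"            # the "[] a :TrustedService" blank node
RULE = "_:rule1"
PRIVATE = "http://bblfish.net/private.rdf"   # constructed resource URL

# Constructed sample graph; the two service WebIds are the ones quoted in the post.
PROFILE = {
    (GROUP, RDF_TYPE, TRUSTED_SERVICE),
    (GROUP, FOAF + "member", "https://identi.ca/#co"),
    (GROUP, FOAF + "member", "https://photo.com/#phto"),
    (RULE, ACL_ACCESS_TO, PRIVATE),
    (RULE, ACL_AGENT_GROUP, GROUP),
}


def objects(graph, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}


def groups_allowed(graph, resource):
    """Groups named by every access rule that covers `resource`."""
    rules = {s for s, p, o in graph if p == ACL_ACCESS_TO and o == resource}
    allowed = set()
    for rule in rules:
        allowed |= objects(graph, rule, ACL_AGENT_GROUP)
    return allowed


def is_authorized(graph, webid, resource):
    """True iff `webid` is a foaf:member of some group granted access to `resource`."""
    return any(webid in objects(graph, group, FOAF + "member")
               for group in groups_allowed(graph, resource))


def revoke(graph, webid, group=GROUP):
    """Revocation is deleting the membership triple; nothing is re-keyed."""
    return graph - {(group, FOAF + "member", webid)}
```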