Hi,
foaf+ssl [1] is a very simple protocol for distributed authentication. It essentially
does what OpenId does, but in a RESTful manner. It works with most desktop browsers since
X509v3 came out (which is a long time ago). It only uses open standards and protocols - it
just uses them in a more distributed way.
It is also very easy to implement, and here is what would be needed to implement it in XWiki.
I can help out here.
1. Profile Creation
-------------------
Take any user home page URL.
1. You can either have that page link to an rdf/xml representation of a foaf graph, or you
can add RDFa directly to the home page by marking up the page with foaf. It depends on how
much those pages are templated. If they are very templated then the rdfa solution can be
very neat, as there is less risk that the user will mess something up.
2. Add a certificate creation servlet that knows how to deal with the keygen tag and
the Microsoft ActiveX component. We have the code for this available open source in Java.
What we need in addition is a little database to keep track of the different public keys
used by the profile owner, so that he can delete a key if he loses his computer, or add a
new one if he wishes to use someone else's.
The above should be very little work, and should allow people to log into other services
in one click. You can try a test case out by going to http://foaf.me/ but clearly
generating rdf/xml for users to play around with is not a good idea. Also foaf.me only
allows one to have one certificate per profile.
Ok, so you will say there are not a lot of services for the moment. True. We are in
bootstrapping mode. But with one tiny little trick you can get one useful service going.
http://openid4.me/ gives anyone an openid automatically and allows them to log in using
foaf+ssl. (There are just a few lines of code that you need to add at the top of the
profile page to get that to work.)
2. Authentication
-----------------
There is one super easy way to get authentication working and that is to use
https://foafssl.org/srv/idp
The details of how that works are explained there (and the source code is also available
at https://sommer.dev.java.net/ ).
With that service you can get someone's WebID in a few lines of code. See the login
link at the top of http://foaf.me/ .
Setting up an XWiki server so that it asks the user for his client certificate is a bit
more advanced, as it requires a hack to the SSL layer on the server (so that
authentication does not fail if it cannot find the Certificate Authority).
(By the way, this should not be the only means of authentication. OpenId and
username/password are good fallback solutions.)
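As an added illustration (not code from this mail, from foafssl.org or from XWiki), here is the check the relying party performs once it holds the client certificate: dereference the WebID, read the RSA keys the profile publishes for that WebID, and accept only if the certificate's public key is one of them. The profile below is constructed, the rsa/cert vocabulary names are an assumption taken from the foaf+ssl drafts, and real code would fetch the profile over HTTP and take modulus and exponent from the certificate presented in the TLS handshake.

```python
import xml.etree.ElementTree as ET

# Namespace names as used by the 2009 foaf+ssl drafts (assumption).
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
CERT = "{http://www.w3.org/ns/auth/cert#}"
RSA = "{http://www.w3.org/ns/auth/rsa#}"

# Constructed FOAF profile, as the user's home page would link to it.
PROFILE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:cert="http://www.w3.org/ns/auth/cert#"
         xmlns:rsa="http://www.w3.org/ns/auth/rsa#">
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="http://example.org/henry#me"/>
    <rsa:modulus rdf:datatype="http://www.w3.org/ns/auth/cert#hex">
      00 c1 d8 e2 4f
    </rsa:modulus>
    <rsa:public_exponent
        rdf:datatype="http://www.w3.org/ns/auth/cert#int">65537</rsa:public_exponent>
  </rsa:RSAPublicKey>
</rdf:RDF>"""


def profile_keys(rdfxml, webid):
    """All (modulus, exponent) pairs the profile publishes for `webid`.

    Keys whose cert:identity names a different URI are ignored: a profile
    may only vouch for the WebID it was dereferenced from.
    """
    keys = []
    for key in ET.fromstring(rdfxml).iter(RSA + "RSAPublicKey"):
        ident = key.find(CERT + "identity")
        if ident is None or ident.get(RDF + "resource") != webid:
            continue
        mod = key.find(RSA + "modulus")
        exp = key.find(RSA + "public_exponent")
        if mod is None or exp is None or not mod.text or not exp.text:
            continue
        # cert:hex may be spaced or wrapped; strip all whitespace first.
        keys.append((int("".join(mod.text.split()), 16), int(exp.text)))
    return keys


def webid_authenticated(webid, cert_modulus, cert_exponent, rdfxml=PROFILE):
    """True only if the key the client proved possession of in the TLS
    handshake is listed in the profile found at the WebID. The certificate's
    issuer is irrelevant (a self-signed one is fine): trust rests on the
    profile being served from the WebID's own URL."""
    return (cert_modulus, cert_exponent) in profile_keys(rdfxml, webid)
```

Revoking a lost key is then just removing its RSAPublicKey from the profile, which is what the key database in section 1 is for.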
3. Possible services to build
------------------------------
With the previous pieces in place some very nice services should be buildable. But those
could be left to groovy developers.
1. Improve comment management on blogs.
(If someone logs in with an OpenId that points to a foaf, or with a WebID, you can get
links to images of the person, their blog, and other accounts, friends perhaps, etc.
This can help the person who is going to validate the post to get some contextual
information on the person posting the comment (and perhaps add him to a contact list).
Verification can be done automatically by the server by GETting a blog page and finding a
link there back to the foaf.)
2. Allow people from other XWiki instances (and indeed any foaf file) access to another
wiki.
So one could specify things like: allow only my friends or friends of my friends access
to this wiki page. Or the colleagues of my friends, ... But one should start simple...
We have written out a list of use cases here:
http://esw.w3.org/topic/foaf+ssl/UseCases
There are bound to be a lot more. But for us and everyone to try them, we need to have
some basics in place.
Henry
[1] see the introductory material here: http://esw.w3.org/topic/foaf+ssl
Social Web Architect
http://bblfish.net/