WebID Access Delegation

WebID Access Delegation

"Extending the WebID Protocol with Access Delegation" presentation at the COLD 2012 workshop (ISWC) in Boston.


Philipp Frischmuth

November 12, 2012


  1. COLD2012, Boston, 12.11.2012 Extending the WebID Protocol with Access Delegation

    Sebastian Tramp, Henry Story, Andrei Sambra, Philipp Frischmuth, Michael Martin, and Sören Auer
  2. Introduction DELETE GET POST PUT Identification + Auth entication orization

  3. WebID „A WebID is a hash HTTP URI which denotes

    an agent. You can GET an RDF model as TURTLE.“
  4. WebID Protocol X . 5 0 9 C E R

    T I F I C A T E https://my-profile.eu/people/pfrischmuth/card#me SAN DATE SELF-SIGNED 12. November 2012
  5. None
  6. Photo Sharing Example (contd.) • Roster of all friends required

    for authorization decision • Friends may restrict access to that information • Problem: Server may need to access WebID profiles in the name of the user
  7. Terms • The secretary acts in the name of another

    agent, the principal. • The principle is the agent who has a secretary that acts on its behalf.
  8. General Principles • Distinguish secretary from principal • Easy to

    use • Minimal protocol footprint • Efficiency
  9. S1: Acting as the user • Agent A acts as

    the user U • Certificate Cu with WebID of U as SAN • Add public key to profile Pu • No change to WebID protocol (+) • Full trust required
  10. S1: Limitations • Agent A serves multiple users U1,...,Un •

    Problems • data perspective • efficiency
  11. S2: Origin Server acting on Behalf of a User •

    Agent A uses same certificate for server and client roles • Origin server match = same trust in client role as in profile provider role (server) • X-On-Behalf-Of HTTP header • One TLS connection + multiple requests on behalf of different users
  12. S2: Limitations • Wider usage of same key poses a

    higher risk, when key is compromised • When client key is compromised, also the server key is affected • Origin server may be different from profile provider
  13. S3: Secretary acting on Behalf of a User • Secretary

    acts as agent with WebID • Principal adds :secretary relation to profile • Consumer checks both WebIDs + existence of above relation
  14. Cache Alice's Server Client cert request TLS-Light Service Guard WebID

    Verifier Protected Resource Bob's Secretary Secretary Server Secretary Profile Bob's Profile Bob's Server Secretary Verification Certificate & private key verification HTTPS GET HTTPS GET Authorization TLS setup 5a Bob Alice Alois Social Graph 5b 7 4 6 1 2 3 exponent modulus modulus exponent ? ? ? ? Basic WebID Check Secretary Check
  15. None
  16. None
  17. Thank you for your attention!