Re: [GNU/consensus] Who are the new kids on the block?

[hellekin (GNU/consensus)]

On 03/12/2013 03:09 PM, Nick Jennings wrote:
>
> not sure what the 'project' is for that site.
> 
> 
> Just playing devils advocate a bit
> 
*** Indeed http://myprofile-project.org/ is more explicit, but you have
to try and login in order to find it.

"MyProfile intends to put users in control of the data they have and
share on the Internet."

Their manifesto reads (http://myprofile-project.org/manifesto.html)

The Current Situation...

The Web we know is based on centralized resources, the so called 'silo'
approach. Offering particular services would usually involve having to
create dedicated accounts for each user, tying and limiting the user to
this particular service and/or resource. Furthermore, users have no
control over how their personal account data is used by the service.
Recently there have been numerous cases where social networks have made
public certain private details of their users (see Facebook and Google
Buzz), which made people realize the importance of online privacy and
public data control.

One may argue that better privacy policies may reduce the risk of
exposure. However, even if users decide to protect their public data or
even remove their accounts, there is no guarantee that the process is
instant and permanent, since most countries have passed laws which
require that online data be stored for several months up to one year or
even more.

Another important issue deals with authentication and identification.
Most services authenticate users based on username and password
combinations. Federated and single sign-on services like OpenID have
proven to be quite useful. However, implementing a cross-domain
authentication and user management system not only requires a lot of
effort from large entities in order to make everything compatible, but
also powerful trust relationships. In addition, once authentication has
been performed, services still require that users have local profiles.

To put things into perspective, let's take the case of Facebook. Its
success attracts more and more people to use it, encouraging its
developers to provide even more services. When these services prove
useful, users start to depend on them on a daily basis. There have been
people recently discussing the possibility of having Facebook acting as
a bank, or as an intermediary payment service (think PayPal). How bad it
would be if all the services offered by Facebook suddenly become
inaccessible, if all the time and data so carefully invested into
developing a rich user profile was wasted/lost?

MyProfile

This is where MyProfile comes into play. It tries to address the
shortcomings of silo-based user accounts, cross-domain authentication
and identification, as well as data sharing and propagation.

Authentication and Identification

In order to perform authentication and identification, MyProfile is
based on the recent standard proposed by W3C's WebID Community Group,
and the Friend of a Friend (FOAF) ontology.

WebID proposes a way to uniquely identify a person, company,
organization, or other agents, using a URI which is included in an X.509
browser certificate. The authentication process relies on TLS to
validate that the private key in use matches the public key of the
declared certificate, as well as the public key found in the profile at
the location indicated by the URI. In other words, it provides a
cryptographic way of authenticating and identifying a user, based on
resources managed by the user -- the browser certificate and the
corresponding profile accessible at the URI location.

The FOAF project is creating a Web of machine-readable pages describing
people, the links between them and the things they create and do; it is
a contribution to the linked information system known as the Web. FOAF
defines an open, decentralized technology for connecting social Web
sites, and the people they describe.

Initially, combining WebID and FOAF offers users the possibility to
directly participate in their interactions across the Web, by allowing
them to use a unique identity (pointing to a unique user account /
profile), across multiple domains and services. This approach comes in
contrast to current practices, where the Web centralizes all our
personal data through the multitude of online forms we have to fill in,
instead of allowing users to carefully select which information they
want to make public when accessing a particular service.

Depending on the user's social interactions on the Web, the profile
could also contain resources like blog and forum posts, or even mailing
list messages, all described using the Semantically-Interlinked Online
Communities (SIOC) ontology. We can safely say that the user's profile
can contain an unlimited number of resources, as long as they can be
expressed using standard semantic web vocabularies.

Requirements

When trying to model access control and privacy policies for social web
applications, we have to take into account several requirements.

Interoperable. Nobody likes being forced to use one identity solution
over the other, meaning that users must always be allowed to choose
their favorite platform. Also, sometimes projects are no longer
maintained, forcing people to look for alternatives. In these cases, it
is imperative that users have the means to import or export their data.
Even if most services already provide user data in common formats like
CSV or XLS, there is no way to preserve the privacy policies set in
place by the user. We believe that only by using the Semantic Web can a
true graph of a user’s identity be preserved across platforms.

Adaptive to social dynamics. Since human relations are very dynamic, the
proposed model must reflect these changes in the system’s policies.

Fine-grained privacy settings. If a picture shall be shared only with a
restricted set of people (maybe not even known in advance), it should be
easy to express such requirement.

Natural language interface and feedback. Defining privacy preferences
has to remain a simple and straightforward process. Ambiguity must be
avoided, therefore access control decisions should be transparent and
well explained to users. Similarly, the specification of privacy
preferences has to protect users from a plethora of check boxes defining
which friends is allowed to access which file or from similar
complicated policy definitions.

Security mechanisms. The solution must fulfil basic security and privacy
requirements, such as reliability, support to authentication, delegation
of rights, etc.

==
hk

P.S.: see, we're still working on the User Data Manifesto :]

signature.asc
Description: OpenPGP digital signature