The Sun BabelFish Blog
Don't panic !
Identity in the Browser, Firefox style
Mozilla's User Interface chief Aza Raskin just put forward some interesting thoughts on what Identity in the Browser could look like for Firefox. As one of the Knights in search of the Golden Holy Grail of distributed Social Networking, he believes he has found it in giving the browser more control of the user's identity.
The mock-up picture reproduced below shows how Firefox, by integrating identity information into the browser, could make it clear what persona one is logged into a site as. It would also create a common user interface for logging in to a site under a specific identity, as well as for creating a new one. Looking at the Weave Identity Account Manager project site, one finds that it would also make it easy to automatically generate passwords for each site/identity, to sync one's passwords across devices, and to change the passwords for all enabled sites simultaneously if one feared one's computer had fallen into the wrong hands. These are very appealing properties, and the UI is especially telling, so I will reproduce the main picture here:
The User Interface
One thing I very strongly support in this project is the way it makes clear to the user, in a very visible location - the URL bar - what identity he is logged in as. Interestingly this is the same location as the https information bar shown when you connect to secure sites. Here is what the URL bar looks like when connected securely to LinkedIn:
One enhancement the Firefox team could immediately work on, without inventing a new protocol, would be to reveal in the URL bar the client certificate used when connected to an https://... url. This could be done in a manner very similar to the one proposed by Aza Raskin in his Weave Account Manager prototype pictured above. This would allow the user to
- know what HTTPS client cert he was using to connect to a site,
- log out of that site,
- change the client certificate used, if needed.
From there it would be just a small step, but one that I think would require more investigation, to use foaf+ssl to enhance the drop-down description of both the server and the client with information taken from the WebID. A quick reminder: foaf+ssl works simply by adding a WebID - which is just a URL identifying a foaf:Agent - as the subject alternative name in the version 3 extensions of the X.509 certificate, as shown in detail in the one-page description of the protocol. The browser could then GET the meaning of that URI, i.e. a description of the person, by the simplest of all methods: an HTTP GET request. In the case of the user himself, the browser could use the foaf:depiction of the user to display a picture of him. In the case of the web site certificate, the browser could GET the server information at its WebID, and display the information placed there. Now if the foaf file is not signed by a CA, then the information given by the remote server about itself should perhaps be placed on a different background, or in some other way distinguished from the information in the certificate, since the former was merely gleaned from the WebID. So there are a few issues to work on here, but they only involve well developed standards - foaf and TLS - and some user interface engineers to get them right. Easier, it seems to me, than inventing a whole protocol - even though it is perhaps every engineer's desire to have developed a successful one.
The Synchronization Piece
Notice how foaf+ssl enables synchronization. Any browser can create a public/private key pair using the keygen element, and get a certificate from a WebID server such as foaf.me. Such a server will then add that public key to the foaf file as an identifier for that WebID. Any browser holding a certificate whose public key matches the one published on the server will be able to authenticate to that server and download all the information it needs from there. This could be information
- about the user (name, depiction, address, telephone number, etc, etc)
- a link to a resource containing the bookmarks of the user
- his online accounts
- his preferences
The Security Problem
So what problem is the Weave team solving in addition to the problem solved above by foaf+ssl?
The Weave synchronization of course works in a similar manner: data is stored on a remote server, and clients fetch and publish information to that server. One thing that is different is that the Weave team wish to store the passwords for each of the user's accounts on a remote server that is not under the user's control. As a result that information needs to be encrypted. In foaf+ssl only the public key is stored on a remote server, so there is no need to encrypt that information: the private key can remain safely in the client key chain. Of course there is a danger with the simple foaf+ssl server that the owner of the remote service can both see and change the information published there, depending on who is asking for it. So an untrustworthy server could add a new public key to the foaf file, and thereby allow a malicious client to authenticate as the user at a number of web sites.
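The foaf+ssl check described in the previous sections, together with the rogue-server case just raised, as an added example in Go (not code from the post, from foaf.me or from Mozilla): the client certificate carries the WebID as a URI subjectAltName, and the verifying site accepts it only if the certificate's RSA key is one the WebID's profile publishes. The profile here is a constructed in-memory map standing in for the FOAF document a real verifier would fetch with an HTTP GET, and the WebID https://example.org/people/alice#me is made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Profile is a constructed stand-in for a FOAF document: the RSA public keys
// (modulus and exponent) it publishes for a WebID. A real verifier would GET
// the WebID over HTTP and read the keys out of the RDF it gets back.
type Profile map[string][]rsa.PublicKey

// selfSignedWebIDCert builds the kind of certificate a browser keygen flow
// yields: self-signed, with the WebID as a URI subjectAltName.
func selfSignedWebIDCert(webID string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWebID is the foaf+ssl check: read the WebID from the SAN, and accept
// only if the certificate's key is one the profile publishes. No CA is involved.
func verifyWebID(cert *x509.Certificate, profiles Profile) (string, error) {
	if len(cert.URIs) == 0 {
		return "", fmt.Errorf("certificate carries no URI subjectAltName")
	}
	webID := cert.URIs[0].String()
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("%s: only RSA keys are handled here", webID)
	}
	published, ok := profiles[webID]
	if !ok {
		return "", fmt.Errorf("%s: profile could not be fetched", webID)
	}
	for _, k := range published {
		if k.E == pub.E && k.N.Cmp(pub.N) == 0 {
			return webID, nil
		}
	}
	return "", fmt.Errorf("%s: certificate key not published in profile", webID)
}

// runScenario plays both sides: Alice's certificate, whose key the profile lists,
// is accepted; an impostor presenting the same WebID with an unpublished key is not.
func runScenario() (accepted, rejected string, err error) {
	const webID = "https://example.org/people/alice#me" // constructed WebID
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", err
	}
	profiles := Profile{webID: {alice.PublicKey}}
	aliceCert, err := selfSignedWebIDCert(webID, alice)
	if err != nil {
		return "", "", err
	}
	impostorCert, err := selfSignedWebIDCert(webID, impostor)
	if err != nil {
		return "", "", err
	}
	if accepted, err = verifyWebID(aliceCert, profiles); err != nil {
		return "", "", err
	}
	_, rej := verifyWebID(impostorCert, profiles)
	if rej == nil {
		return "", "", fmt.Errorf("impostor certificate was accepted")
	}
	return accepted, rej.Error(), nil
}

func main() {
	accepted, rejected, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted: %s\nrejected: %s\n", accepted, rejected)
}
```

The same comparison is what makes the rogue-server case work: a server that appends a second key to the profile would make the impostor's certificate pass, which is why the profile's integrity matters more than the certificate's signer.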
It is to solve this problem that Weave was designed: to be able to publish remotely encrypted information that only the user can understand. The publication piece uses a nearly RESTful API. This allows it to store encrypted content such as passwords, identity information, or indeed any content on a remote server. The user would just need to remember that one password to be able to synchronize his various identities from one device to another. There is a useful trick that is worth highlighting: each piece of data is encrypted using a symmetric key, which is stored on the server encrypted with a public key. As a result one can give someone access to a piece of data just by publishing the symmetric key encrypted with one of her public keys.
Generalization of Weave
To make the above protocol fully RESTful, it needs to follow Roy Fielding's principle that "REST APIs must be hypertext driven". As it stands the protocol fails in this respect by forcing a directory layout ahead of time. This could be fixed by creating a simple ontology for the different roles of the elements required in the protocol, such as public keys, symmetric keys, data objects, etc. This would then enable the Linked Data pattern, allowing each of the pieces of data to be anywhere on the web. Of course nothing would stop the data from being laid out the way specified in the current standard. But it immediately opens up a few interesting possibilities. For example if one wanted a group of encrypted resources to be viewed by the same group of people, one would need only one encrypted symmetric key, to which each of those resources could point, reducing duplication.
By defining both a way of getting objects and their encoding, the project is revealing its status as a good prototype. To be a standard, those should be separated. That is, I can see a few separate pieces required here:
- An ontology describing the public keys, the symmetric keys, the encrypted contents,...
- Mime types for encrypted contents
- Ontologies to describe the contents: such as People, bookmarks, etc...
By separating the first two from the third, the Weave project would avoid inventing yet another way to describe a user, for example. We already have a large number of those, including foaf, Portable Contacts, vcard, and many many more... I side with data formats being RDF based, as this separates the issues of syntax and semantics. It also allows the descriptions to be extensible, so that people can think of themselves in more complex ways than those which the current developers of Weave have been able to think of. That is certainly going to be important if one is to have a distributed social web.
Publishing files remotely in an encrypted manner does guard one from malicious servers. But I think it also reduces the usability of the data. Every time one wants to give someone access to a resource, one needs to encrypt the symmetric key for that user. If the user loses his key, one has to re-encrypt that symmetric key. By trusting the server, as foaf+ssl does, it can encrypt the information just in time for the client requesting it. But well, these are just different usage scenarios. For encrypting passwords - which we should really no longer need - the Weave solution is certainly going in the right direction.
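The symmetric-key trick from the Security Problem section, and the re-wrapping cost just mentioned, as an added example in Go; this is not Weave's code or storage format, only the pattern the post describes: each item is sealed with its own AES-GCM key, that key is wrapped with RSA-OAEP for each reader, and granting a new reader means unwrapping and re-wrapping the key without touching the ciphertext. Names such as EncryptedItem, Share and the sample record are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedItem is what the untrusted server stores: the payload sealed with a
// per-item symmetric key, plus that key wrapped (RSA-OAEP) for each reader.
type EncryptedItem struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // reader id -> dataKey wrapped for that reader
}

func newReaderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func unwrapKey(item *EncryptedItem, id string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := item.WrappedKeys[id]
	if !ok {
		return nil, fmt.Errorf("%s: no wrapped key for this reader", id)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func aead(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh 256-bit key and wraps that key for the owner.
func Encrypt(plaintext []byte, ownerID string, ownerPub *rsa.PublicKey) (*EncryptedItem, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := aead(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ownerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	item := &EncryptedItem{Nonce: nonce, WrappedKeys: map[string][]byte{ownerID: wrapped}}
	item.Ciphertext = gcm.Seal(nil, nonce, plaintext, nil) // server only ever sees this
	return item, nil
}

// Share is the trick the post highlights: an existing reader grants a new one
// access by re-wrapping the symmetric key; the ciphertext is left untouched.
func Share(item *EncryptedItem, fromID string, from *rsa.PrivateKey, toID string, toPub *rsa.PublicKey) error {
	dataKey, err := unwrapKey(item, fromID, from)
	if err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, toPub, dataKey, nil)
	if err != nil {
		return err
	}
	item.WrappedKeys[toID] = wrapped
	return nil
}

// Decrypt recovers the payload for one reader; anyone without a wrapped key gets an error.
func Decrypt(item *EncryptedItem, id string, priv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := unwrapKey(item, id, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, item.Nonce, item.Ciphertext, nil)
}

func main() {
	alice, _ := newReaderKey()
	bob, _ := newReaderKey()
	item, _ := Encrypt([]byte("example.org alice correct-horse"), "alice", &alice.PublicKey) // constructed
	_ = Share(item, "alice", alice, "bob", &bob.PublicKey)
	got, err := Decrypt(item, "bob", bob)
	fmt.Println(string(got), err)
}
```

If a reader loses his private key, his entry in WrappedKeys is dead weight and another reader has to run Share for his replacement key, which is the re-encryption cost the paragraph above points out.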
The Client Side Password
Finally Weave is going to need to fill out forms automatically for the user. To do this, again, I would develop a password ontology, and then mark up the forms in such a way that the browser can deduce what pieces of information need to go where. It should be a separate effort to decide what syntax to use to mark up HTML. RDFa is one solution, and I hear the HTML5 solution is starting to look reasonable now that they have removed the reverse DNS namespace requirement. In any case such a solution can be very generic, and so the Firefox engineers could go with the flow there too.
RDF! You crazy?
I may be, but so is the world. You can get a light triple store that could be embedded in Mozilla, that is open source, and that is written in C. Talk to the Virtuoso folks. Here is a blog entry on their lite version. My guess is they could make it even lighter. KDE is using it....
Posted at 09:34PM Nov 25, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[2]
http://openid4.me/ -- OpenId ♥ foaf+ssl
OpenId4.me is the bridge between foaf+ssl and OpenId we have been waiting for.
OpenId and foaf+ssl have a lot in common:
- They both allow one to log into a web site without requiring one to divulge a password to that web site
- They both allow one to have a global identifier to log in, so that one does not need to create a username for each web site one wants to identify oneself at.
- They also allow one to give more information to the site about oneself, automatically, without requiring one to type that information into the site all over again.
OpenId4.me allows a person with a foaf+ssl profile to automatically log in to the millions of web sites that enable authentication with OpenId. The really cool thing is that this person never has to set up an OpenId service. OpenId4.me does not even store any information about that person on its server: it uses all the information in the user's foaf profile and authenticates him with foaf+ssl. OpenId4.me does not yet implement attribute exchange, I think, but it should be relatively easy to do (depending on how easy it is to hack the initial OpenId code, I suppose).
If you have a foaf+ssl cert (get one at foaf.me) and are logging into an openid 2 service, all you need to type in the OpenId box is openid4.me. This will then authenticate you using your foaf+ssl certificate, which works with most existing browsers without change!
If you then want to own your OpenId, just add a little html to your home page. This is what I placed on http://bblfish.net/:
<link rel="openid.server" href="http://openid4.me/index.php" />
<link rel="openid2.provider openid.server" href="http://openid4.me/index.php"/>
<link rel="meta" type="application/rdf+xml" title="FOAF" href="http://bblfish.net/people/henry/card%23me"/>
And that's it. Having done that you can then in the future change your openid provider very easily. You could even set up your own OpenId4.me server, as it is open source.
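How a relying party reads those link elements, as an added example in Go that is not part of the post or of OpenId4.me: it collects the OpenID 2.0 provider, the OpenID 1.x server and the FOAF profile from a page, treating rel as the whitespace-separated token set it is (the second link above carries two rels). sampleHome is a constructed page containing the three tags quoted above; Discover, Discovery and the helpers are this example's own names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Discovery is what a relying party learns from the link elements on a
// claimed identifier page.
type Discovery struct {
	Provider string // OpenID 2.0 endpoint, from rel "openid2.provider"
	Server   string // OpenID 1.x endpoint, from rel "openid.server"
	FOAF     string // RDF profile, from rel "meta" with type application/rdf+xml
}

// sampleHome is a constructed page carrying the three link elements quoted in
// the post, so Discover can be tried without a network.
const sampleHome = `<html><head><title>home</title>
<link rel="openid.server" href="http://openid4.me/index.php" />
<link rel="openid2.provider openid.server" href="http://openid4.me/index.php"/>
<link rel="meta" type="application/rdf+xml" title="FOAF" href="http://bblfish.net/people/henry/card%23me"/>
</head><body></body></html>`

var (
	linkRe = regexp.MustCompile(`(?is)<link\b([^>]*)>`)
	attrRe = regexp.MustCompile(`(?is)([a-z][a-z0-9.:_-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// attrs splits the attribute text of one tag into a lower-cased name -> value map.
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, a := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(a[1])] = a[2] + a[3] + a[4] // only one alternative is non-empty
	}
	return m
}

// hasRel reports whether tok is in the whitespace-separated rel token set:
// rel="openid2.provider openid.server" carries two rels, not one.
func hasRel(rel, tok string) bool {
	for _, t := range strings.Fields(rel) {
		if strings.EqualFold(t, tok) {
			return true
		}
	}
	return false
}

// Discover scans the link elements in document order; the first match for
// each role wins, which is the precedence a relying party applies.
func Discover(html string) Discovery {
	var d Discovery
	for _, l := range linkRe.FindAllStringSubmatch(html, -1) {
		a := attrs(l[1])
		href, rel := a["href"], a["rel"]
		if href == "" {
			continue
		}
		if d.Provider == "" && hasRel(rel, "openid2.provider") {
			d.Provider = href
		}
		if d.Server == "" && hasRel(rel, "openid.server") {
			d.Server = href
		}
		if d.FOAF == "" && hasRel(rel, "meta") && strings.EqualFold(a["type"], "application/rdf+xml") {
			d.FOAF = href
		}
	}
	return d
}

func main() {
	d := Discover(sampleHome)
	fmt.Printf("OpenID 2 provider: %s\nOpenID 1 server: %s\nFOAF profile: %s\n", d.Provider, d.Server, d.FOAF)
}
```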
More info at OpenId4.me.
Posted at 07:57PM Nov 19, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[3]
7 days in SF Jail - the iPhone thief
A young black boy - 18 to 20 perhaps - very tall, entered our cell, joining our growing community. [ I am not a professional writer and don't remember the exact SF expressions. I'd welcome some help to get the language right. ]. I don't think we really asked him what he was in for. He was pissed: "Those motherfuckers got me. Damn! I could have just gone away. One iPhone too much man. One iPhone too much. Do you think I'll get bail? They have not caught me in years man. Should let me out. I need to go out, there's my pussy waiting for me out there. I just was about to call her."
Someone asked him how he got those iPhones.
"I just go up and spot someone with one, ask them the time, and when they look at their phone I just grab it and run. Really easy. That's a good money. $350 for 8 MB phone, $400 for 16MB."
Someone asked him how they can resell such a phone. Won't the GPS feature in the phone locate them? How can they resell a stolen phone anyway? "Just go to the shop, they remove the SIM card. That's it. They resell it on the market."
It was remarkable how candid he was about his operation. He really seemed to have no sense that this activity was wrong in any way. Nor did he seem to think about the possibility that in the crowd of detainees there might lurk a few cops in disguise, which one of the older more experienced detainees later tried to get him to consider by targeting the white boy who was arrested with someone else in a drug deal, and suggesting that he might be with the other side. "What! he's way too young." was the astonished reaction. "They come in all forms and all ages" was the response. The boy defended himself weakly. "We'll see", said the older one. "If those dollar notes and their serial numbers appear in court, then you'll know it was a trap." He repeated this a few times. Ominous.
Sadly I can't quite remember where the iPhone thief was working, because that would be a good place to hang out for people with a good insurance and a broken one... (psst, here's a tip: Apparently you have more chance of being robbed if you look somewhat drunk, lost and helpless.)
I asked the young boy if he was not worried to get shot. That thought surprised him. No he said, he runs back to the car, that's where they have the guns. They caught him just before he reached the car. "Otherwise, hehe..." I wondered if he was for real, or just trying to impress. It was just too weird. Someone else pointed out that using guns in a crowded street would be very dangerous. (A bit like using nuclear armaments to win wars, I thought. Not precise enough, too indiscriminate, too full of bad consequences for the one using it. That is of course if the one using it spends a little time to think about the consequences of their actions.)
I wondered where the boy had gone to school. Of all the crimes, theft is probably the oldest, and the one best known to be wrong. One should not even need school to know about this. Already in 1750 B.C. (nearly 4 thousand years ago) in ancient Babylon the Code of Hammurabi (full text) had some very strong punishments for theft: death for stealing of sacred objects, and repayment of 30 times the original value for others - or death if the thief could not repay. Punishments were quite simple in those days, perhaps due to the effort of writing those laws out in stone...
I was too tired by my own troubles to dig much deeper. I would have loved to know how he came to work in this field. Who had guided him in his youth? I think he mentioned feeding his brothers and sisters as a reason for doing this, but I am not sure...
If he got bail, he was calculating, he could steal a few more iPhones to cover the costs. I think he was deluded. He was not going to get out of jail soon. And perhaps here there was something useful for him to learn. One could hope that this would be a place for him to gain a little conscience. As Philip Larkin wrote in "Wires":
The widest prairies have electric fences,
For though old cattle know they must not stray
Young steers are always scenting purer water
Not here but anywhere. Beyond the wires
Leads them to blunder up against the wires
Whose muscle-shredding violence gives no quarter.
Young steers become old cattle from that day,
Electric limits to their widest senses.
Posted at 07:35PM Nov 16, 2009 [permalink/trackback] by Henry Story in travel | Comments[0]
7 days in SF Jail - arrival
On October 29 I left London for what was to be a month tour of California. On all previous trips I prepared very little. This time though I spent two weeks organizing a Social Web Camp in order to build up contacts in the Bay. But things took a very different turn.
At Hexagram 64 of the Yi Ching - the oldest book in China - entitled "Before Completion", one can read:
The caution of a fox walking over ice is proverbial in China. His ears are constantly alert to the cracking of the ice, as he carefully and circumspectly searches out the safest spots. A young fox who as yet has not acquired this caution goes ahead boldly, and it may happen that he falls in and gets his tail wet when he is almost across the water. Then of course his effort has been all in vain. Accordingly, in times "before completion," deliberation and caution are the prerequisites of success.
Flight to San Francisco
The British Airways flight left in the late morning from London Heathrow. To keep me busy for the 10-hour trip I had bought the UK and US editions of Wired Magazine at the airport to complement the 1300-page collection of essays by Francois Jullien comparing European and Chinese approaches to wisdom, which I had bought in Paris a few weeks earlier. (Some of these are available on Google Books in English.)
The plane took off and we were served a very good and healthy lunch - I was pleasantly surprised. The shades were then pulled down to allow people to sleep or watch films. Even though I had woken up at 5am that morning, I was too excited to sleep. So I read the easier Wired magazines from beginning to end to help me get back into the Silicon Valley spirit. One article that caught my attention and that was reprinted in both editions was Neil Christy's "Empty the Prisons" in the "12 Shocking Ideas that Could Change the World" section. The following diagram makes the point very simply:
The cost of putting people in prisons is very high. Not just the monetary cost, but also the cost to liberty. The easier it is for the state to put people in prison, the easier it is for this to be abused by underground operatives to put pressure on people to do things they would not have done otherwise. Perhaps there are crimes that should not be crimes. Not impossible: alcohol was illegal in the US in the '30s before being legalised after the complete failure of the program.
Having finished those mags I started reading a longer article by Francois Jullien on the different conceptions of Evil and negativity in the East and the West. It is an interesting story that goes all the way back to the earliest conceptions of religion. If God is pure good, how does evil enter the world? Is evil just the lack of Good, as Socrates would have had it? Or is the universe a battle between two equal forces, Good and Evil, as Saint Augustine had been tempted to think in his earlier days as a proponent of the Manichean religion? Or, as the Taoists would have it, and as is symbolized so well in the Taoist Taijitu symbol, are these concepts such that they cannot exist without one another? Just as light cannot exist without dark, or high without low, perhaps good cannot exist without bad. And perhaps there is bad in the good and good in the bad? Certainly the Good of one can be the Bad of the other, as this poem - which is part of John Cage's Indeterminacy series - so nicely illustrates:
Kwang-tse
points out
that a beautiful
woman
who gives
pleasure
to men
serves
only to
frighten
the fish
when she
jumps
in the water.
Moving away from the desire for purity may be a very healthy thing to do.
I was tired and would not have had time to finish the 200 page article. Dinner was served. It was then just a short wait till we arrived. The plane dipped. I yawned to relieve the pressure on my ears, and looked out of the window, to what was the only view of the Bay I was going to be allowed to have. The plane landed around 3pm California time, which would have been 11pm London time.
Arrest
I had not filled in the forms for immigration, so I decided to do that comfortably in the plane. Those are the sheets where you are asked questions such as "Have you ever been or are you now involved in espionage or sabotage; or in terrorist activities; or genocide; or between 1933 and 1945 were you involved, in any way, in persecutions associated with Nazi Germany or its allies?" One has to enter the same information three or four times. I had to look up the address and phone number of my contacts in the Bay Area. As a result I was the last person to get out of the plane. A huge line awaited me at the passport control check point, and I was upset with myself for not getting out faster. I still wanted to get my bicycle out of the box, and go to Menlo Park to get a few posters for the Social Web Camp and place them around the Bay Area.
I arrived at the control point, gave the officer my passport and cards. But I had forgotten to enter my birth date on the back of one form, so he ordered me to the side to do that, while he dealt with another traveler. I came up, he processed the forms, asked me to put my hand on a fingerprint machine. Something beeped. He did not seem too happy, and told me to go down to the corner of the huge room, to the door I could see in the distance. "Straight down there", he said. I wondered what that was about.
As I entered the room I first saw a row of benches with a little under 10 people sitting there waiting to be processed. I was told to put my passport in a slot and sit down. I thought I could perhaps phone someone, but one was not allowed to make calls there for some reason. I did not want to bother anyone before I knew what the problem was anyway, so I just waited. Slowly people were processed. Some came out of interview rooms. A woman was asked if she knew someone in the Bay Area. She seemed not to understand. An interpreter came around. Her son was called...
I was asked to step to the back office, where they passed my hand through a machine which took the prints of my whole hand and of the side of my hand. They took a few photos. Then they asked me if I knew why I was arrested. No I did not. I thought perhaps I had failed to pay a parking ticket, but I could not imagine that that would warrant my being stopped at the border. So no, I did not understand.
It turns out that a case from 2001, which I was certain had been closed, had popped up in their systems. This was from my last year working in the Bay Area, when I had moved to San Francisco to work for E-Translate, at the end of the dot-com boom. So quite some time ago. I had come to the Bay Area three or four times since then, which seemed to shock them, as much as their bringing this issue up shocked me. I told them this was certainly a mistake. Everything had been taken care of. I would be certainly very happy to get this problem cleared up at the courts, and I told them it would very certainly not take much time - indeed when 6 days later I saw the judge it took him 30 seconds to clear the case. But the officer in front of me did not know that. The information against me on the computer looked bad enough for him, and that was it.
By this time they had taken my telephone, passport and other material, and I was no longer in a position to get advice. I certainly had never been read any rights, and I could not ask anyone for help - I suppose that is just for US citizens. In fact by signing the entry papers I had waived my rights to an immigration court hearing, I was told. The interrogating officer very slowly typed up a report. The first question on the report was: "How are you feeling?" My answer: very tired. It was probably 3am UK time.
I had pleaded with the officer that I had come just to talk at a conference which I had organized, and to then present talks in different venues. My interest was to have a clear record, and so I would certainly show up in court. Somehow he made me think that I could get bail, and that from there on I could organize the hearings. That seemed like a good enough solution. I felt relieved. Shit happens. At least I'd get a free ride in a cop car.
Ride in a police car
After another long wait, I was asked to remove my shoelaces and empty all my pockets, was handcuffed, and was walked out to the front of the San Francisco airport. There a couple of policemen were waiting for me. I squeezed into the back seat on the very narrow bench separated by glass and metal from them. They closed the door and drove off, the bag with my cell phone, passport and other bits and bobs with them in the front seat.
They were quite entertaining. One of the officers asked the other if he wanted to go for a pizza, to which the first officer replied that he could no longer eat greasy foods since his appendicitis operation. He went into detail to describe both the cause of appendicitis, the operation, the stones they found in the appendix and the whole trouble that this caused. His colleague did not abandon the pizza idea, and described in detail a famous low cost pizza place where there were only 4 types of pizza available, and where you had better be careful not to ask for anything else. I suggested that I would not be against going for a pizza, to which the pizza loving officer responded jokingly that that clearly showed that I was evil: trying to kill his appendix missing colleague with fatty foods!
We arrived at the San Mateo police station. I had been taken to this station, I was told, because the San Francisco airport is in fact located in San Mateo county. They would have to send me over to San Francisco within 5 days. How long that would take would depend on the space available there. I was hoping I could bail out beforehand, I told them, to which they replied that I would have to talk to the officers in the San Mateo station, who would help me work that out.
San Mateo police station
In San Mateo I was then asked a lot of details all over again. Contact details for people in the Bay, what I was doing here, if I was suicidal, and so on. If you think that the checks at the airport are intrusive - when they ask you to clear everything out of your luggage, and remove your shoes - then you may not want to read the next paragraph.
I was placed into a room and told to strip naked. The officer then frisked my body, then my balls, then asked me to turn against the wall, lean over, spread my cheeks and say "ahh". Not sure what the "Ahh" was for. It did not seem like a good idea not to obey. "Nothing is hidden" as Wittgenstein so well writes in the Philosophical Investigations. I was just happy that the officer did not have to make his blue plastic gloves dirty. As Scott McNealy once quipped: "You have zero privacy anyway. Get over it". So I did.
I could then put my shoes and clothes back on. I was sent to a window where a nurse asked me to fill out a form for diseases I could have, if I practiced safe sex, if I was gay or straight, if I was suicidal, and so on... I then had to go through a hand scan and fingerprint scan once more. Then I was sent to a glass protected cell facing the police office, with a small hard bench and behind a low wall, a metal toilet.
In the room was a telephone attached to the wall for collect calls only, and plastered against the wall was a list of bail agents and their telephone numbers. These could be called to borrow money for bail. They take 10% of the money lent. I called one of them to see if and how they would be able to help. Nope he said. We don't help foreigners. Mhh. Well I could pay for bail myself if I had to.
The Drunk Depressive
As I was doing this, the door opened, and I was joined by a strong, slightly overweight and effeminate man, with a bit of a South American look to him, but unusually well dressed. Not very well dressed, I should add. Just that he had a striped office shirt, and clearly paid attention to his looks.
"Burn, burn. They should all burn in hell", he said, which made me just a little uncomfortable.
"People are bad. They deserve to die.", he continued. "They all deserve to die, each one of them.", and after a pause. "We will all die". This he repeated quite a lot.
I let him go on like this, looking through the window. I wanted to find out how I could get bail, as I was quite keen to leave this place. If I could get out of here then I could find a hotel close by, and prepare for my talk on Monday. There was still time.
I knocked on the window, as an officer passed and asked how I could find out about bail. They told me to wait for the O.R. people, and pointed to two women working diagonally across the room. I tried waving to them. Time passed.
I found out that the guy in my cell had been arrested for jaywalking and being somewhat drunk. Though to me he seemed more depressed than drunk. He certainly did not smell heavily of alcohol. I did not know jaywalking could land you in jail. I never heard of anyone in France being booked for that. It is also I think quite rare for people to be sent away for being tipsy, unless they make a lot of noise, in which case they would be sent out for being a public nuisance I suppose. He wanted to go home, because he had to work at 5 or 6 in the morning at what I understood to be something like a cafe. He had been unemployed for a while, and this was his first job, which a lady had helped him get. So he had just been celebrating his new job that evening, and things had turned bad.
No exit
"Look at them, they are like children", he said pointing at the officers. "Playing their little games, so sure of themselves. They don't care. They don't care at all. Playing sheriff. Look at that one..."
And it is true they did not seem to care. It must have been 11pm now, and I had been up for over 26 hours without sleep. I was wondering when I could get bail! I might as well sleep here, I thought, that would save me a night at the hotel. I started to get worried, so I called the friends in California whose number I had written down on a scrap of paper they had left me - I thought someone at least ought to know where I was.
At some point, one of the women came up to the door, and told me I could not get bail. The immigration officers had put an ICE hold on me, disallowing that. I broke down in tears, as I felt the doors close one by one on me.
Posted at 01:34AM Nov 10, 2009 [permalink/trackback] by Henry Story in travel | Comments[25]
November 2nd: Join the Social Web Camp in Santa Clara
The W3C Social Web Incubator Group is organizing a free Bar Camp in the Santa Clara Sun Campus on November 2nd to foster a wide ranging discussion on the issues required to build the global Social Web.
Imagine a world where everybody could participate easily in a distributed yet secure social web. In such a world every individual will control their own information, and every business could enter into a conversation with customers, researchers, government agencies and partners as easily as they can now start a conversation with someone on Facebook. What is needed to go in the direction of The Internet of Subjects Manifesto? What existing technologies can we build on? What is missing? What could the W3C contribute? What could others do? To participate in the discussion and meet other people with similar interests, and push the discussion further visit the Santa Clara Social Web Camp wiki and
If you are looking for a reason to be in the Bay Area that week, then here are some other events you can combine with coming to the Bar Camp:
- The W3C is holding its Technical Plenary in Santa Clara that week.
- The following day, the Internet Identity Workshop is taking place in Mountain View until the end of the week. Go there to push the discussion further by meeting up with the OpenId, OAuth, Liberty crowd, which are all technologies that can participate in the development of the Social Web.
- You may also want to check out ApacheCon which is also taking place that week.
If you can't come to the west coast at all due to budget cuts, then not all is lost. :-) If you are on the East coast go and participate in the ISWC Building Semantic Web Applications for Government tutorial, and watch my video on The Social Web which I gave at the Free and Open Source Conference this summer. Think: if the government wants to play with Social Networks, it certainly cannot put all its citizens information on Facebook.
Posted at 12:35AM Oct 16, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[1]
One month of Social Web talks in Paris
As I was in Berlin preparing to come to Paris, I wondered if I would be anywhere near as active in France as I had been in Germany. I had lived for 5 years in Fontainebleau, an hour from Paris, close but just too far to be in the swing of things. And from that position, I got very little feel for what was happening in the capital. This is what had made me long to live in Paris. So this was the occasion to test it out: I was going to spend one month in the capital. On my agenda there was just a Social Web Bar Camp and a few good contacts.
The Social Web Bar Camp at La Cantine, which I blogged about in detail, was like a powder keg for my stay here. It launched the whole next month of talks, which I detail below. It led me to make a very wide range of contacts, which in turn led to my giving talks at 2 major conferences, 2 universities and one other Bar Camp, presenting to a couple of companies, getting one implementation of foaf+ssl in Drupal, and meeting a lot of great people.
Through other contacts, I also had an interview with a journalist from Le Monde, and met the very interesting European citizen journalism agency Cafe Babel (for more on them see this article).
Here follows a short summary of each event I presented the Social Web at during my short stay in Paris.
- Friday, 18 September 2009
- Arrived by plane from Berlin, and met the journalists at the Paris offices of Cafe Babel, after reading an article on them in the July/August issue of Internationale Politik, "Europa aus Erster Hand".
- Saturday, 19 September 2009
- Went to the Social Web Bar Camp at La Cantine, which I blogged about in detail. Here I met many people, who connected me up with the right people in the Paris conference scene, where I was then able to present. A couple of these did not work out due to calendar clashes, such as an attempted meeting with engineers and users of Elgg, a distributed Open Source Social Networking Platform popular at universities here in France and in the UK.
- Monday, 21 September 2009
- Visited the offices of Le Monde, and had lunch with a journalist there. I explained my vision of the Social Web and the functioning of foaf+ssl. He won't be writing about it directly, he told me, but will develop these ideas over time in a number of articles. (I'll post updates here, though it is sadly very difficult to link to articles in Le Monde, as they change the URLs for their articles, make them paid-only after a period of time, and then don't even make an abstract available for non-paying readers.)
- Friday, 25 September 2009
- I visited the new offices of af83.com, a startup with a history: they participated in building the web site of Ségolène Royal, the contender against Nicolas Sarkozy in the last French Presidential Elections.
There I met up with Damien Tournoud, an expert Drupal developer, explained the basics of foaf+ssl, pointed him to the Open Source project foaf.me, and let him work on it. With a bit of help from Benjamin Nowack, the creator of the ARC2 Semantic Web library for PHP, Damien had a working implementation the next day. We waited a bit before announcing it the following Wednesday on the foaf-protocols mailing list.
- Tuesday 29 September, 2009
- La Cantine organised another Bar Camp, on a wide range of topics, which I blogged about in detail. There I met people from Google, Firefox, and reconnected up with others. We also had a more open round table discussion on the Social Web.
- Thursday 1st and Friday 2nd October, 2009
- I visited the Open World Forum, which started among others with a track on the Semantic Desktop "Envisioning the Open Desktop of the future", headed by Prof Stefan Decker, with examples of implementations in the latest KDE (K Desktop Environment).
I met a lot of people here, including Eric Mahé, previously Technology Advisor at Sun Microsystems France. In fact I met so many people that I missed most of the talks. One really interesting presentation by someone from a major open source code search engine explained that close to 60% of Open Source software came from Eastern and Western Europe combined. (Anyone with a link to the talk?)
- Saturday, 3rd October 2009
- I presented The Social Web in French at the Open Source Developer Conference France which took place in La Villette.
I was really happily surprised to find that I was part of a 3 hour track dedicated to the Semantic Web. This started with a talk by Oliver Berger, "Bugtracking sur le web sémantique". Oliver has been working on the Baetle ontology as part of the 2 year government financed HELIOS project. This is something I talked about a couple of years ago and wrote about here in my presentation Connecting Software and People. It is really nice to see this evolving. I really look forward to seeing the first implementations :-)
Oliver's was followed by a talk by Jean-Marc Vanel, Software and Ontology Development, which introduced many of the key Semantic Web concepts.
- Tuesday 6th October, morning
- Milan Stankovitch whom I had met at the European Semantic Web Conference, and again at the Social Web Bar Camp, invited me to talk to the developers of hypios.com, a very interesting web platform to help problem seekers find problem solvers. The introductory video is really worth watching. I gave them the talk I keep presenting, but with a special focus on how this could help them in the longer term make it easier for people to join and use their system.
- Tuesday 6th September, afternoon
- I talked and participated in a couple of round table talks at the 2nd Project Accelerator on Identity at the University of Paris 1, organised by the FING. Perhaps the most interesting talk there was the one by François Hodierne, who works for the Open Source Web Applications & Platforms company h6e.net, and who presented the excellent project La Distribution, whose aim is to make installing the most popular web applications as easy as installing an app on the iPhone. This is the type of software needed to make The Internet of Subjects Manifesto a reality. In a few clicks everyone should be able to get a domain name, install their favorite web software on it - Wordpress, mail, wikis, social network, photo publishing tool - and get on with their life, whilst owning their data, so that if they later find the need to move, they can, and so that nobody can kick them off their network. This will require rewriting a little of each of the applications so as to enable them to work with the distributed secure Social Web made possible by foaf+ssl: an application without a social network no longer being very valuable.
- Thursday 9th October, 2009
- Pierre Antoine Champin from the CNRS, the National French Research organisation, had invited me to Lyon to present The Social Web. So I took the TGV from Paris at 10:54 and was there 2 hours later, which by car would have been a distance of 464km (288.3 miles) according to Google Maps. The talk was very well attended, with close to 50 students showing up, and the session lasted two full hours: 1 hour of talk and then many good questions.
After a chat and a few beers, I took the train back to Paris, arriving just after 10pm.
- Saturday October 10, 2009
- I gave a talk on the Social Web at Paris-Web, on the last day of a 3 day conference. This again went very well.
After lunch I attended two very good talks that complemented mine perfectly:
- David Larlet had a great presentation on Data Portability, which sparked a very lively and interesting discussion. Issues of data ownership, security, confidentiality, centralization versus decentralization came up. One of his slides made the point very well, by showing the number of Web 2.0 sites that no longer exist, some of them having disappeared by acquisition, others simply by technical meltdown, leaving the data of all their users lost forever. (Also see David's Blog summary of Paris-Web.)
- Right after coffee we had a great presentation on the Semantic Web by Fabien Gandon, who managed to give, in the limited amount of time available to him, an overview of the Semantic Web stack from bottom to top, including OWL 1 and 2, Microformats, RDFa, and Linked Data, and various very cool applications of it, such that even I learned a lot. His slides are available here. He certainly inspired a lot of people.
- Tuesday, 13 October 2009
- Finally I presented at the hacker space La suite Logique, which takes place in a very well organized very low cost lodging space in Paris. They had presentations on a number of projects happening there:
- One project is to build a grid by taking pieces from the remains of computers that people have brought them. They have a room stashed full of those.
- Another project is to add wifi to the lighting, to remotely control the projectors for theatrical events taking place there.
- There was some discussion on how to add sensors to dancers, as Daito Manabe, a Japanese artist, has done in order to create a high tech butoh dance (see the great online videos).
- Three engineers presented the robots they are constructing for a well known robot fighting competition
Posted at 07:16PM Oct 12, 2009 [permalink/trackback] by Henry Story in travel | Comments[0]
Sketch of a RESTful photo Printing service with foaf+ssl
Let us imagine a future where you own your data. It's all on a server you control, under a domain name you own, hosted at home, in your garage, or on some cloud somewhere. Just as your OS gets updates, so all your server software will be updated and patched automatically. The user interface for installing applications may be as easy as installing an app on the iPhone (as La Distribution is doing).
A few years back, with one click, you installed a myPhoto service, a distributed version of fotopedia. You have been uploading all your work, social, and personal photos there. These services have become really popular and all your friends are working the same way too. When your friends visit you, they are automatically and seamlessly recognized using foaf+ssl in one click. They can browse the photos you made with them, share interesting tidbits, and more... When you organize a party, you can put up a wiki where friends of your friends can have write access, leave notes as to what they are going to bring, and whether or not they are coming. Similarly your colleagues have access to your calendar schedule, your work documents and your business related photos. Your extended family, defined through linked data of family relationships (every member of your family just needs to describe their relation to their close family network), can see photos of your family, see the videos of your newborn baby, and organize Christmas reunions, as well as tag photos.
One day you wish to print a few photos. So you go to a web site we will provisionally call print.com. Print.com is neither a friend of yours, nor a colleague, nor family. It is just a company, and so it gets minimal access to the content on your web server. It can't see your photos, and all it may know of you is a nickname you like to use, and perhaps an icon you like. So how are you going to allow print.com access to the photos you wish to print? This is what I would like to try to sketch a solution for here. It should be very simple, RESTful, and work in a distributed and decentralized environment, where everyone owns and controls their data, and is security conscious.
Before looking at the details of the interactions detailed in the UML Sequence diagram below, let me describe the user experience at a general level.
- You go to print.com site after clicking on a link a friend of your suggested on a blog. On the home web page is a button you can click to add your photos.
- You click it, and your browser asks you which WebID you wish to use to identify yourself. You choose your personal ID, as you wish to print some personal photos of yours. Having done that, you are authenticated, and print.com welcomes you using your nickname and displays your icon on the resulting page.
- When you click a button that says "Give Print.com access to the pictures you wish us to print", a new frame is opened on your web site
- This frame displays a page from your server, where you are already logged in. The page recognized you and asks if you want to give print.com access to some of your content. It gives you information about print.com's current stock value on NASDAQ, and recent news stories about the company. There is a link to more information, which you don't bother exploring right now.
- You agree to give Print.com access, but only for 1 hour.
- When your web site asks you which content you want to give it access to, you select the pictures you would like it to have. Your server knows how to do content negotiation, so even though copying each one of the pictures over is feasible, you'd rather give print.com access to the photos directly, and let the two servers negotiate the best representation to use.
- Having done that you drag and drop an icon representing the set of photos you chose from this frame to a printing icon on the print.com frame.
- Print.com thanks you, shows you icons of the pictures you wish to print, and tells you that the photos will be on their way to the address of your choosing within 2 hours.
In more detail then we have the following interactions:
- Your browser GETs print.com's home page, which returns a page with a "publish my photos" button.
- You click the button, which starts the foaf+ssl handshake. The initial ssl connection requests a client certificate, which leads your browser to ask for your WebID in a nice popup as the iPhone can currently do. Print.com then dereferences your WebId in (2a) to verify that the public key in the certificate is indeed correct. Your WebId (Joe's foaf file) contains information about you, your public keys, and a relation to your contact addition service. Perhaps something like the following:
:me xxx:contactRegistration </addContact> .
Print.com uses this information when it creates the resulting html page to point you to your server.
- When you click the "Give Print.com access to the pictures you wish us to print" button you are sending a POST form to the <addContact> resource on your server, with the WebId of Print.com <https://nasdaq.com/co/PRNT#co> in the body of the POST. The results of this POST are displayed in a new frame.
- Your web server dereferences Print.com's WebId, where it gets some information about it from the NASDAQ URL. Your server puts this information together (4a) in the html it returns to you, asking what kind of access you want to give this company, and for how long you wish to give it.
- You give print.com access for 1 hour by filling in the forms.
- You give access rights to Print.com to your individual pictures using the excellent user interface available to you on your server.
- When you drag and drop the resulting icon depicting the collection of the photos accessible to Print.com, onto its "Print" icon in the other frame - which is possible with html5 - your browser sends off a request to the printing server with that URL.
- Print.com dereferences that URL which is a collection of photos it now has access to, and which it downloads one by one. Print.com had access to the photos on your server after having been authenticated with its WebId using foaf+ssl. (note: your server did not need to GET print.com's foaf file, as it still had a fresh version in its cache). Print.com builds small icons of your photos, which it puts up on its server, and then links to in the resulting html before showing you the result. You can click on those previews to get an idea what you will get printed.
So all the above requires very little in addition to foaf+ssl. Just one relation, to point to a contact-addition POST endpoint. The rest is just good user interface design.
What do you think? Have I forgotten something obvious here? Is there something that won't work? Comment on this here, or on the foaf-protocols mailing list.
Notes

print.com sequence diagram by Henry Story is licensed under a Creative Commons Attribution 3.0 United States License.
Based on a work at blogs.sun.com.
Posted at 09:15PM Oct 07, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[0]
foaf+ssl in Mozilla's Fennec works!
At yesterday's Bar Camp in La Cantine I discovered that Mozilla's Fennec browser for mobile phones can be run on OSX (download 1.0 alpha 1 here). So I tried it out immediately to see how much of the foaf+ssl login would work with it. The answer is all of it, with just a few easy to fix user experience issues. I really am looking forward to trying the Nokia N810 Internet Tablet for real.
Anyway here are quick snapshots of the user experience.
Getting a certificate
First of all the best news is that the <keygen> tag, now documented in html5 works in Fennec. This means that one can get a client certificate in one click without going through the complex dance I described in "howto get a foaf+ssl certificate to your iPhone".
This is how easy it can be. Go to foaf.me.
After filling out the form, you can create yourself an account on foaf.me:
To make your WebId useful all you need to do is click on the "Claim account with SSL certificate" button -- which could certainly be phrased better -- on the account creation successful page:
Once clicked, your browser will start calculating a new public/private key pair, send the public key to the server, which will turn it into a certificate, and send that back to your browser, which will then add it to the keychain! All you will see of this whole transaction is:
The Fennec message here is a bit misleading: you should not in fact need to keep a backup copy of your certificate. Foaf+ssl certificates are very cheap to produce. And without a link to the keychain from the popup, most users won't know what is being talked about, or how to keep a backup. Also on a cell phone they may well wonder where to put the backup anyway. So in this case it is wrong, and not that helpful. Much better would be to have a popup say: "Your certificate has been installed. Would you like to see it?" Or something like that. Most people won't care.
Using the certificate
You can then test the foaf+ssl certificate on any number of sites. The foaf.me site has a login button for example that when clicked will get the browser to ask the user to choose a certificate. And, this is where the User Interface choices made by the Mozilla team are just simply embarrassing. Not unusable, but just really bad.
No user ever cares about these details! It is confusing. Do you think users have issues with URLs? Well what do you think they are going to make of the old outdated Distinguished Names?
Just compare this with the User Experience on the iPhone
Quite a few bug/enhancement reports have been reported on this issue on the Mozilla site. See for example Bug 396441 - Improve SSL client-authentication UI, and my other enhancement requests.
Still, this user interface issue should be really easy to fix, as it is just a question of making things simpler, i.e. of reducing the complexity of their code. And clearly on a cell phone that should be a priority.
Another issue I can see on the Fennec demo browser is that I could not find a way to remove the certificates. That would be quite an important functionality too.
But in any case using foaf+ssl on Fennec is the easiest of all cell phone browsers to use currently - and one of the rare ones, if not the only one, that works correctly! So kudos for that! Fennec and the Nokia N810 is the place to look for what a secure life without passwords, without user names, and a global distributed social network can look like on a mobile platform.
Posted at 11:38AM Sep 30, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[6]
Social Web Bar Camp in Paris
After flying in from Berlin on Friday and celebrating the Jewish new year late into the night with Ori Pekelman, I woke up earlyish on Saturday to go to the Social Web Bar Camp organized in and by La Cantine, the very friendly Parisian conference, community, meeting space for creative people in the digital age.
At 10am the conference started and people slowly arrived for the freely available espresso coffee and pastries. The conference was free too, being sponsored by the member organizations of La Cantine. At 10:20am, as the coffee had worked itself into the 60 or more attendees, Ori started the workshop (picture) by having everybody introduce themselves briefly by name and 3 tags. The Bar Camp rules of the game were then explained:
- Everybody is a participant
- You make the event
- Feel free to move between sessions if you feel you are not getting what you were looking for at one of them
- Write up your interests on the black board, this will be used to create the time table.
Of course I put up a session on foaf+ssl and Distributed Social Networks on the black board, for the session starting at 11am.
After a last coffee, a little over 20 people gathered in the room. I connected the laptop to the projector, introduced myself and the W3C Social Web XG, before starting the presentation (slides in pdf) which I have been giving in various universities and hacker spaces around Europe for the past 5 months. (see the FrOSCon video for example)
A round table discussion of this size has a very different dynamic to conference presentations. It is a lot more free flowing and people can ask questions, and did, as I went through the presentation, leading to lively discussions on security, identity and web architecture. At times it seemed in danger of veering off into wildly philosophical discussions, but somehow we always got back to the topic, helped by the real implementations of foaf+ssl that are now available. Somehow we did in fact manage to finish covering the subject by 12:30, including an excursion into a description of the very real business opportunities this enables.
From the twitter posts (tagged #swcp) and the invitations to follow up with other French public and private institutions that I got over the course of the day, I can only say that this conference was a great success. I could not have started my 1 month stay in Paris in a better way. I will clearly be very busy during the coming month, before my return to Berlin.
Thanks to Huges M for the photos. More of his pictures are available on his flickr account under the #swcp tag.
Further pointers
- Summary in French of the foaf+ssl session
- David Larlet's summary "Retours sur le Social Web Camp Paris"
- Blog Post by Laurent Enzo: "#swcp l’innovation dans les entreprises, un enjeu de relations publiques ?" on the camp.
Posted at 01:14PM Sep 20, 2009 [permalink/trackback] by Henry Story in travel | Comments[1]
Freiheit statt Angst - Freedom, not fear
This weekend in Berlin, 20 thousand people, from most political backgrounds, came to protest against increasingly intrusive and worrying surveillance measures of all kinds, made possible by modern information technology, under the banner Freiheit statt Angst. As governments and businesses automate the collection of information about individuals, worries are starting to grow about how that information could be used. In Germany, for example, the request by the government that the ISPs keep records of the mail headers of all the communications between people for 6 months was one of the major motivators bringing people out. The growing use of video surveillance cameras - not as bad as in the UK here, though they were clearly lining the street along the road of the demonstration - is another vector of resentment. Electronic RFID enabled passports containing personal information readable at a distance, and being put into operation soon, generate a lot of quite understandable worries, especially after listening to Chris Paget's RFID cloning presentation. The German Chaos Computer Club has further pages undermining the use of these technologies, such as the article "How to fake fingerprints" where you can learn how to capture fingerprints left over on a glass, make a copy of it, and duplicate it anywhere you choose. Others are worried about the creation of centralised medical data banks, citing the cases where massive amounts of data have been lost by companies directly involved in telecommunication infrastructure, such as when the information of 17 million T-mobile customers was stolen. If telecoms companies can't secure their data, who will be able to do it? These and many other cases bringing up issues of privacy, security and data ownership are fueling a debate that is strong enough to move 20 thousand people to the street: quite a feat, considering the abstract nature of the debate.
The following video covers the issues from a German perspective very well (an English version will be available here soon)
If these issues sound remarkably like those arising in France, the UK, and other European Countries, it is that the movement for internet rights is a global phenomenon, reacting to technological problems that span borders as the July/August issue of Internationale Politik argues. Clearly these topics need to be debated in much more depth and with much more seriousness, by involving much larger sections of the community. One just cannot magically solve complex problems with misguided laws, however comforting it may seem at first to be. Bad solutions introduced in a climate of fear, can only grow the insecurity and mistrust between citizens, governments and business. With Germany's historical proximity to both fascist and communist surveillance regimes, these issues of trust are alive and healthy here. Hopefully other countries won't be misled by their distance to such horrors into thinking that it cannot happen to them. The only solution is active participation in the debate.
Here are some photos I took from the roof of the Green bus which gives a good idea of the size of the protest. You can clearly see the large Pirate Party bus at the back, with their Orange banner, the Red Left convoy, the CCC bus covered with video surveillance cameras, and their Federal Trojan Horse, with the sign "watch the watchmen!"
The Green party was escorted by some of the top Green politicians
The large Anti-Fascist convoy was ironically the most escorted by the police. Perhaps the use of face covering masks, illegal in Germany for citizens, though not it seems for the police, was what attracted the security forces. Their presence certainly formed a good symbol of the problem between privacy, public statement, anonymity, and surveillance.
Add to that the fact that there were close to a thousand police officers for a demonstration the police claimed had attracted only 10 thousand individuals, and we have a police to demonstrator ratio of 1/10, which only goes to increase the surveillance message. As the following photos show quite clearly, the demonstration was peaceful. Put 20 000 geeks on the road on a sunny day, and you get something like this:
The result in the press was quite positive. Here are some of the articles I gathered from following Twitter #fsa09 tag for a few minutes:
- ZDNet.de: 25.000 Menschen demonstrieren gegen Überwachung, Vorratsdatenspeicherung und Zensur
- donaukurier.de: Tausende demonstrieren gegen Überwachung
- Gruene.de: Das Grundgesetz ist kein Steinbruch, for some interviews of Green participants
- n-tv.de: Großdemonstration in Berlin Gegen Überwachungswahn
- Spiegel Online: Demo gegen Überwachung - Veranstalter gehen von 20.000 Teilnehmern aus
- netzpolitik.org: Freiheit statt Angst im Fernsehen - collection of TV reportages on the event
- Abendshau: YouTube video of the news bulletin
- Radio IBS Liberty: Freiheit statt Angst Berlin
- golem.de: Freiheit statt Angst: Über 25.000 demonstrieren in Berlin
- Heise.de: "Ihr werdet euch noch wünschen, wir wären politikverdrossen!", review of the demonstration, and links to press conference videos by the Swedish EU representative of the Pirate Party.
- Spiegel.de: Polizeichef verspricht Aufklärung der Demo-Prügelei. Article on the one police incident that marred the demonstration.
- Taz.de: Chaos Computer Club überwacht Polizei: "Das wurde dezidiert gefilmt": The Chaos Computer Club defends its filming of police who were asked to reveal their identification number - which they are legally obliged to do. Oddly enough those questions were usually followed by police violence, captured on film.
One story that made the rounds of Twitter, the blogosphere and the news was the following incident of police brutality captured by a demonstrator on video:
[Update Tuesday 15 September: It seems this incident was provoked by a demonstrator asking the police for their Identification number, which they are obliged to give, but which they don't like handing out, preferring to treat those who ask for it as troublemakers. This is a long standing issue as the following article "Anonymität schützt Polizisten" - Anonymity protects the police explains. So in short the police themselves and the state by extension are very keen on anonymity, but refuse the same for the demonstrators and the public which is being placed every day under increasing surveillance measures. Luckily the attack was caught on High Definition video by a member of the Chaos Computer Club, helping identify the police who committed the excess. This resulted in the CCC publishing the following press release "Chaos Computer Club fordert bundeseinheitliche Nummernschilder für Polizisten": CCC calls for nationwide number plates for Police.]
Clearly then the same tools that can be used to create a surveillance society, can also be used when distributed to the citizenry as a means of watching the watchmen. Perhaps that is the lesson of the demonstration: the need to reduce the asymmetry of surveillance technology. It should be understood that Kant's Categorical Imperative - "act only according to that maxim whereby you can at the same time will that it should become a universal law" - applies especially to legislation. If you want to watch others don't be surprised if they then watch back. If you want anonymity, don't refuse it to others.
Update
- Spanish translation: Libertad, no miedo - Freiheit statt Angst - Freedom, not fear - Contra la manía de la Vigilancia
- Italian translation: Contro la Mani Di Conrollo: Liberta'...non Paura!
Posted at 02:47PM Sep 14, 2009 [permalink/trackback] by Henry Story in travel | Comments[2]
FrOSCon: the Free and Open Source Conference in Sankt Augustin, Germany
At HAR2009 a couple of people put me in contact with Dries Buytaert, the creator and project lead of Drupal, the famous Open Source content management platform based on PHP. Dries is leading a very interesting effort aimed at integrating the semantic web stack in Drupal. So I was really happy when he responded to the introduction. He suggested we meet at FrOSCon, the Free and Open Source conference located in Sankt Augustin, near Bonn, Germany. I really wanted to stay a bit longer in Amsterdam, but this was just too important an occasion to miss. So I packed up my bag Friday, and after meeting up with Dan Brickley, the co-author of the Foaf ontology who needs no introduction, I caught the last train towards Germany. This turned into a 5 hour trip with 5 changes on slow local trains, as those were the only ones I could bring my bicycle onto without first packing it into a box.
[note: this blog uses html5 video tag to view ogg video files, and is best viewed with Firefox 3.5]
Going to FrOSCon turned out to be a very good idea. First of all I met Dries and introduced him quickly to foaf+ssl. It took less than 15 minutes to explain how it worked, for Dries to get himself a foaf certificate on foaf.me and to try it out. If this were made easy to use on Drupal sites, it would be a great way to get some very creative people to help build some cool apps making the most out of distributed social networks...
On Sunday Dries gave a very good keynote "The secrets of building and participating in Open Source communities". Building Open Source communities is not easy, he starts off with, yet it is fundamental to any successful project. He then goes on to elaborate on six themes which from his experience allow a community to thrive and grow:
- Time: it takes time to grow a community. Open source communities are always a bit broken, like the internet: there is always something not functioning, but the whole works very well.
- Software architecture:
  - make the code modular,
  - centralise the source code, so that people who contribute modules, and others, can find the code
- Ecosystem: allow volunteers and commercial organizations to work together. Each has something to bring to the party. Everybody has to be equal. And don't have roadmaps, as they discourage experimentation and rigidify processes. "Trust, not money, is the currency of Open Source"
- Tools, Community Design patterns:
  - Adoption: easy registration, RSS feeds, documentation
  - Identity: profiles, avatars, buddy lists, contacts
  - Group support: issue queues, trackers, activity streams, reputation
  - Conversations: messaging, comments, forums, blogs, interest groups, planet/aggregator
  - Development: CVS/SVN/git/bzr, issue queues, release management
- Mission: Have a mission that goes beyond the project. In the case of Drupal it is democratizing online publishing. And the core values are:
  - Be open to change
  - Collaboration
  - 100% transparency
  - Agile
- Leadership: "leadership is not management". Replace planning with coordination (see Clay Shirky's talk "Institution vs collaboration")
Just before the start of Dries' keynote you may have noticed an announcement about a change in the program. The talk on Subversion was canceled due to the inability of the speakers to attend, and it was replaced by a talk on distributed social networks. Yep! During the party the evening before I was told there could be a slot for me to give a talk on foaf+ssl the next day. So on the suggestion of Naxx, an open source grey hat security specialist I had met in Vienna, and who I was surprised to see here again, I spent the whole evening rewriting my slides for Apple Keynote. Naxx spends 3/4 of the year traveling giving talks on security and he had a few hints for me on how to improve my presentation skills. I tried to remember a few of them, and to make sure I did not wave my hands as much as I did at HAR. Here is the result, "The Social Web: How to free yourself of your social networks and create a global community":
(The slides for this talk are available online here)
Please do send me some feedback on how I can improve both my talk and my presentation of it. I may have gone a bit too deeply here into technical details for example, and I should probably have added a section on the business model of distributed social networks. As the last talk of the conference there were only 40 or so attendees, but I was really thankful for the last minute opportunity given to me to present on this topic.
Naxx, who helped me work on my presentation skills, gave a very interesting and worrying talk "Malware for Soho Routers: The war has begun", where he showed just how easy it is to hack into everyday home routers and turn them into zombie machines ready to launch an attack on the web. I had always thought that financial incentives would lead large telecoms to make sure that such routers were secure. Not at all it seems. Short term profit motives have led many of them to buy the cheapest machines with the worst possible software (web pages built with shell scripts!) with laughable security. Security may be on the news every day since September 11 2001, but clearly it was always just a sham. Listen to his talk, and be very worried:
Time either to help out on an open source project for secure routers, or to invest money in a Cisco one!
Finally I do have to say that the prize for best presentation (I saw) clearly has to go to Simon Wardley from Canonical, for his funny, entertaining and educational keynote "Cloud Computing". If you have been wondering what this beast is, this will really help:
Well that's it from FrOSCon, which in German is pronounced FroshCon, "Frosch" being the German for frog, hence the logo. It was great attending, and I have the feeling of having made a huge leap forward here on my tour.
Posted at 06:04PM Aug 24, 2009 [permalink/trackback] by Henry Story in travel | Comments[4]
Camping and Hacking at HAR2009
On Monday 10 August evening I arrived under a light drizzle in Vierhouten in the Netherlands, after cycling the last 100km section of the 300km that I had traveled from the University of Koblenz. I just had time for a beer and a soup, as the c-base bus arrived from Berlin. Night was falling fast, and so we all got together and helped put up the large colorful tent on the edge of a still mostly empty field. The BSD camp next to us had worked out how to get some electricity and kindly let us have enough to power a lamp and a couple of laptops. So we could relax and listen to some music, as it got colder.
I travel very lightweight on my bicycle for obvious reasons. So I don't carry a tent with me. Instead I go from hotel, to youth hostel, to family couch. I have not tried the Couch surfing network yet, but it's an extra option I could use. Here on the camp, in the middle of the forest, none of the options were available. So I was very grateful to Dirk Höschen for having taken a nice tent with him for me to sleep in, and also to Rasta for having given me some blankets and furs he happened to have to sleep on. The thick down coat I had carried with me from France finally came in useful in the cold nights that followed.
(the tent to the right was the one I slept in)
HAR (Hacking At Random) is an international technology and security conference, with a strong free software, freedom of information political leaning. I had not heard of it until I reached Berlin, but was told so much good about it from so many different people, that I was convinced to go. I was lucky to get some last minute tickets, from some friends of a friend from the Viennese Metalab who could not make it. The 2000 tickets had all been sold out a month ago. Needless to say I had largely missed the deadlines for submitting a presentation. The organisers though were interested enough in what I was presenting on Distributed Social Networks that they gave me a couple of 2 hour workshop sessions to present. The first one of them was filmed, but I am not sure where the video is yet. (I'll update this when I get a link to it.) On Saturday I was lucky to get a 10 minute slot on the Lightning Talks track. This was recorded (slides here).
(( Mhh, one learns a lot from being filmed. I was not so aware how much I gesticulate with my hands. Something I picked up in France I think, but without the French mastery...))
Given how foaf+ssl builds up on X509 and relies on existing Internet infrastructure this conference was an excellent place to come to and learn the latest on holes and limitations in these technologies. Perhaps the most relevant talk was the one given by Dan Kaminsky x509 considered harmful, which he gave while downing a bottle of excellent whiskey - as I found out while talking to him after the presentation.
In his talk Dan really beats home the importance of DNSSEC, the next version of DNS which is about to get a lot higher profile as the root DNS server moves over to it at the end of this year. The x509 problems could mostly disappear with the rollout of DNSSEC, which is good for me, because it means we can continue working on foaf+ssl. Also foaf+ssl relies a lot less on Certificate Authorities. The only place where that is important is for server authentication (which is where DNSSEC comes in). Client certificates can be self signed as far as foaf+ssl is concerned.
If there was a main theme I got from this conference, then it was clearly the importance of the deployment of DNSSEC. It may be a lot more heavyweight, and a lot more complex than what we have currently, but the problems are getting to be so big, that it is unavoidable. For a good presentation of these issues see the talk by Bert Hubert, the man behind PowerDNS:
For an overview/introduction of what DNSSEC is, how it functions and what problems it solves, see Rick Van Rein's presentation Cracking Internet: the urgency of DNSSEC.
Sun Microsystems is also supporting the DNSSEC effort. In this security alert, you can read
Note 1: The above patches implement mitigation strategies within the implementation of the DNS protocol, specifically source port randomization and query ID randomization making BIND 9 more resilient to an attack. It does not, however, completely remove the possibility of exploitation of this issue.
The full resolution is for DNS Security Extensions (DNSSEC) to be implemented Internet-wide. DNS zone administrators should start signing their zones.
If your site's parent DNS zone is not signed you can register with the ISC's DNSSEC Look-aside Validation (DLV) registry at the following URL:
https://secure.isc.org/ops/dlv/
Further details on configuring your DNS zones for DNSSEC are available from the ISC at the following URL:
http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
The issues addressed by these talks are not just technical, they have political implications for how we live. There were many good talks on the subject here at HAR, but my favorite, perhaps because I followed the story in France so carefully, was the one given by Jérémie Zimmermann, co-founder of Quadrature du Net, a French site with an English translation, that does an excellent job tracking the position of French and European politicians on issues related to web freedom. Jérémie's talk on Hacking the Law was on Sunday noon, the last day of the talk, and there were some technical problems getting the projectors to work. The best way to get it for the moment is to download it from the command line:
curl -o jeremie.ogv ftp://ftp.sickos.org/pub/HAR2009/room1/r1-filer.20090816-115405.ogv
and view it in your favorite ogg viewer. I think the talk starts around the 20th minute.
The talks will hopefully be placed online soon in an easier to access manner.
But HAR2009 was not just about talks. It was also about meeting people, talking, exchanging ideas. Some of the best parties were organised by the Chaos Computer Club, a Germany-wide hackers' club that deals with security and political issues, and that is widely referenced by the German media when in need of enlightenment. They had a great tent with an excellent view of a pond, and at night had excellent DJs to create just the right ambiance to meet people. Mix that together with some Tschunk, a cocktail of Club-Mate - the Germanic hacker drink - and rum, and I found it difficult to go to sleep before 4am.
On Monday morning I cycled the remaining 100km to Amsterdam, one of the most easy going, beautiful towns in Europe, where I am writing this.
Posted at 06:15PM Aug 20, 2009 [permalink/trackback] by Henry Story in travel | Comments[2]
How to write a simple foaf+ssl authentication servlet
After having set up a web server so that it listens to an https socket that accepts certificates signed by any Certification Authority (CA) (see the Tomcat post), we can write a servlet that uses these retrieved certificates to authenticate the user. I will detail one simple way of doing this here.
Retrieving the certificate from the servlet
In Tomcat compatible servlets it is possible to retrieve the certificates used in a connection with the following code:
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    //...
    // Tomcat exposes the client's certificate chain under this request attribute.
    // With clientAuth="want" it is null when the browser sent no certificate.
    X509Certificate[] certificates = (X509Certificate[]) request
            .getAttribute("javax.servlet.request.X509Certificate");
    //...
}
Verifying the WebId
This can be done very easily by using a class such as DereferencingFoafSslVerifier (see source), available as a maven project from so(m)mer repository (in the foafssl/ directory).
Use it like this:
// foafSslCertificate is the client's certificate, e.g. certificates[0] from the array above
Collection<? extends FoafSslPrincipal> verifiedWebIDs = null;
try {
    FoafSslVerifier FOAF_SSL_VERIFIER = new DereferencingFoafSslVerifier();
    verifiedWebIDs = FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate);
} catch (Exception e) {
    redirect(response, ...); // redirect appropriately, e.g. to a login page
    return;
}
If the certificate is authenticated by the WebId, you will then end up with a collection of FoafSslPrincipals, which can be used as an identifier for the user who just logged in. Otherwise you should redirect the user to a page enabling him to login with either OpenId, or the usual username/password pair, or point him to a page such as this one where he can get a foaf+ssl certificate.
For a complete example application that uses this code, have a look at the Identity Provider Servlet, which is running at https://foafssl.org/srv/idp (note this servlet was trying to create a workaround for an iPhone bug. Ignore that code for the moment).
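What "authenticated by the WebId" amounts to, as an added example that is not the so(m)mer library's code: in foaf+ssl the client certificate carries the WebID as a subjectAltName URI, the verifier dereferences that URI, and the user is authenticated only if the RSA modulus and exponent published in the FOAF document match the key in the certificate. This Go example assumes that protocol shape, replaces the HTTP dereferencing with a constructed in-memory profile store, and generates the certificates inline; the WebID and names are invented for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// WebIDKey is the RSA public key (modulus, exponent) a FOAF profile publishes for its WebID.
type WebIDKey struct {
	Modulus  *big.Int
	Exponent int
}

// ProfileStore stands in for dereferencing the WebID over HTTP (constructed for this example).
type ProfileStore map[string]WebIDKey

var (
	ErrNotRSA       = errors.New("certificate key is not RSA")
	ErrNoWebID      = errors.New("certificate carries no WebID in subjectAltName")
	ErrUnknownWebID = errors.New("WebID did not dereference to a published key")
	ErrKeyMismatch  = errors.New("certificate key differs from key published at WebID")
)

// VerifyWebID is the foaf+ssl decision: the certificate's issuer is ignored (it may be
// self-signed); a WebID is verified only if the key published there equals the cert's key.
func VerifyWebID(cert *x509.Certificate, profiles ProfileStore) ([]string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, ErrNotRSA
	}
	if len(cert.URIs) == 0 {
		return nil, ErrNoWebID
	}
	var verified []string
	err := ErrUnknownWebID
	for _, u := range cert.URIs {
		webid := u.String()
		key, found := profiles[webid]
		if !found {
			continue
		}
		if key.Modulus.Cmp(pub.N) != 0 || key.Exponent != pub.E {
			err = ErrKeyMismatch
			continue
		}
		verified = append(verified, webid)
	}
	if len(verified) == 0 {
		return nil, err
	}
	return verified, nil
}

// NewClientCert builds a self-signed certificate carrying webid as a subjectAltName URI.
func NewClientCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "foaf+ssl example user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo verifies a genuine certificate and a forged one claiming the same WebID with another key.
func Demo() (verified []string, genuineErr, forgedErr error) {
	const webid = "https://example.org/people/alice#me" // constructed WebID
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	profiles := ProfileStore{webid: {Modulus: alice.PublicKey.N, Exponent: alice.PublicKey.E}}
	genuine, _ := NewClientCert(webid, alice)
	verified, genuineErr = VerifyWebID(genuine, profiles)
	forged, _ := NewClientCert(webid, mallory) // same WebID claimed, key not published there
	_, forgedErr = VerifyWebID(forged, profiles)
	return verified, genuineErr, forgedErr
}

func main() {
	verified, genuineErr, forgedErr := Demo()
	fmt.Println("genuine:", verified, genuineErr)
	fmt.Println("forged: ", forgedErr)
}
```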
Todo
The current library is too simple and has a few gaping usability holes. Some of the most evident are:
- No support for RDFa or Turtle formats.
- The Sesame RDF framework/database should be run as a service, so that it can be queried directly by the servlet. Currently the data gathered from the foaf file is lost as soon as the FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate); method returns. This is ok for an Identity Provider Servlet, but not for most other servers. A Java/RDF mapper such as the So(m)mer mapper would then make it easy for Java programmers to use the information in the database to personalize the site with the information given by the foaf file.
- Develop an access control library that makes it easy to specify which resources can be accessed by which groups of users, specified declaratively. It would be useful for example to be able to specify that a number of resources can be accessed by friends of someone, or friends of friends of someone, or family members, ....
But this is good enough to get going. If you have suggestions on the best way to architect some of these improvements so that we have a more flexible and powerful library, please contact me. I welcome all contributions. :-)
Posted at 10:23AM Jul 24, 2009 [permalink/trackback] by Henry Story in Art | Comments[0]
How to setup Tomcat as a foaf+ssl server
foaf+ssl is a standards based protocol enabling one click identification/authentication to web sites, without requiring the user to enter either a username or a password. It can be used as a global distributed access control mechanism. It works with current browsers. It is RESTful, thereby working with Linked Data and especially linked foaf files, enabling thereby distributed social networks.
I will show here what is needed to get foaf+ssl working for Tomcat 6.x. The general principles are documented on the Tomcat ssl howto page, which should be used for detailed reference. Here I will document the precise setup needed for foaf+ssl. If you want to play with this protocol quickly without bothering with this procedure I recommend using the foaf+ssl Identity Provider service which you can point to on your web pages, and which will then redirect your users to the service of your choosing with the URLEncoded WebId of your visitor.
foaf+ssl works by having the server request a client certificate on an https connection. The server therefore needs an https end point which can be specified in Tomcat by adding the following connector to the conf/server.xml file:
Note: the default https port is 443, but it requires root privileges.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
sslProtocol="TLS"/>
Servers authenticate themselves by sending the client a certificate signed by a well known Certificate Authority (CA) whose public key is shipped in all browsers. Browsers use the public key to verify the signature sent by the server. If the server sends a certificate that is not signed by one of these CAs (perhaps it is self signed) then the web browser will usually display some pretty ugly error message, warning the user to stay clear of that site, with some complex way of bypassing the warning, which if the user is courageous and knowledgeable enough will allow him to add the certificate to a list of trusted certs. This warning will put most people off. It is best therefore to buy a CA certified cert. (I found one for €15 at trustico.) Usually the CAs will have very detailed instructions for installing the cert for a wide range of servers. In the case of Tomcat you will end up with the following additional property values:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
sslProtocol="TLS"/>
And of course this requires placing the server cert file at the keystoreFile path.
There are usually two ways for the server to respond to the client not sending a (valid) certificate. Either it can simply fail, or it can allow the server app to decide what to do. Automatic failure is not a good option, especially for a login service, as the user will then be confronted with a blank page. Much better is to allow the server to redirect the user to another page explaining how to get a certificate and giving him the option of authentication using OpenId or simply the well known username/password pattern. To enable Tomcat to respond this way you need to add the clientAuth="want" attribute value pair:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
sslProtocol="TLS" clientAuth="want" />
Most Java Web Servers, on receiving a client certificate, attempt to automatically validate it, by verifying that it is correctly signed by one of the CAs shipped with the Java Runtime Environment (JRE), verifying that the cert is still valid, ... As the SSL library that ships with the JRE does not implement foaf+ssl we will need to do the authentication at the application layer. We therefore need to bypass the SSL Implementation. To do this Bruno Harbulot put together the JSSLUtils library available on Google Code. As mentioned in the JSSLUtils Tomcat documentation page this will require you to place two jars in the Tomcat lib directory: jsslutils-0.5.1.jar and jsslutils-extra-apachetomcat6-0.5.2.jar (the version numbers may differ as the library evolves). You will also need to specify the SSLImplementation in the conf file as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
sslProtocol="TLS" clientAuth="want" />
Usually servers send in the request to the client a list of Distinguished Names of certificate authorities (CA) they trust, so that the client can filter from the certificates available in the browser those that match. Getting client certificates signed by CAs is a complex and expensive procedure, which in part explains why requesting client certificates is very rarely used: very few people have certificates signed by well known CAs. Instead those services that rely on client certificates tend to sign those certificates themselves, becoming their own CA. This means that certificates end up being valid for only one domain. foaf+ssl bypasses this problem by accepting certificates signed by any CA, going so far as to allow even self signed certs. The server must therefore send an empty list of CAs, meaning that the browser can send any certificate (TLS 1.1). With the JSSLutils library available to Tomcat, this is specified in the conf/server.xml file with the acceptAnyCert="true" attribute.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
acceptAnyCert="true" sslProtocol="TLS" clientAuth="want" />
At this point you have set up your Apache Tomcat server correctly. A user that arrives at your SSL endpoint and that has a couple of certificates will be asked to choose between them. Your servlet code can then extract the certificate with the following code:
X509Certificate[] certificates = (X509Certificate[]) request
.getAttribute("javax.servlet.request.X509Certificate");
You can use these certificates then to extract the WebId, and verify the SSL certificates. I will write more about how to do this in my next blog post.
Posted at 06:25PM Jul 23, 2009 [permalink/trackback] by Henry Story in Java | Comments[3]
two months of foaf+ssl talks
For the past one and a half months I have been traveling through Europe giving talks on foaf+ssl, the RESTful authentication protocol for the Social Web. Here is a short summary of where I have been.
- 18 May 2009, Salzburg Research
- On my way cycling from Fontainebleau to Vienna, I stopped by in Salzburg, Austria, where the offices of the organisers of the EU sponsored KIWI (Knowledge in a Wiki) project, which Sun is participating in, are located. I introduced the group there to foaf+ssl, and they are now working on an implementation for their award winning semantic wiki.
- 20 May 2009, Semantic Web Company
- Right after arriving in Vienna, I met up with Andreas Blumauer, editor of the recently published Springer Book "Social Semantic Web". Hopefully my presentation will make its way in some form or another into the next edition :-). Andreas also gave me an overview of the powerful yet easy to use thesaurus management system named Pool Party, they are developing.
- 1 June 2009, European Semantic Web Conference, Heraklion
- Ian Jacobi who had come to Crete for the occasion, helped me present the paper FOAF+SSL: RESTful Authentication for the Social Web in the SPOT track. The other papers presented in that track all fitted together very well, giving a very good overview of the topics that need to be covered in this space. I will be rereading them soon. The ESWC conference was also a great opportunity to do a number of quick one to one presentations by demoing it working on the iPhone. ( Sadly the latest OS release broke the SSL stack, making my iPhone so much less useful )
- 18 June, Vienna University of Technology
- In Crete I met Christoph Grün who helped organize a slot to present at the Institute of Software Technology & Interactive Systems. Christoph is working on Online Tourism web services, which would be a great use case for foaf+ssl. Imagine a group of people deciding to organize an outing on a tourism wiki site, where all members of the group would get access to that outing after a simple drag and drop of a foaf:Group URL onto the outing project console.... No account setup required.
- 23 June, Metalab Hacker's Club, Vienna
- While in Vienna I gave a presentation at the Metalab, an open meeting space for hackers of all walks of life. As it happened a journalist from the well known French newspaper "Le Monde" happened to be present and wrote up an article "Les nouvelles tribus du Net" (now paying) on the lab, mentioning my presentation en passant.
- 2-3 July, Sun Microsystems Kiwi Meeting, Prague
- The Kiwi group met in Prague for a couple of days to synchronize their work. After having won the best semantic web application prize at the European Semantic Web Conference in Crete, the mood was very positive. This was a good place to introduce the rest of the group to the potential of foaf+ssl, which is currently being implemented in Kiwi by Stefanie Stroka.
- 13 July, University of Leipzig
- I spent a whole day with the excellent Agile Knowledge Engineering and Semantic Web team at the University of Leipzig. After an update on their latest work with DBPedia, Ontowiki, xOperator, ... I presented foaf+ssl. After lunch we then spent the afternoon on a very helpful hands on session. There are still enough rough edges in the different implementations of foaf+ssl that a bit of guidance can save a lot of time. End result, a few days later Sebastian Dietzold notified me that Philipp Frischmuth had written a first implementation available publicly at http://trunk.ontowiki.net/. During our session we also discovered a bug on http://foaf.me/, which was soon fixed.
- 15 July, University of Potsdam
- Hagen organised a very well attended meeting at the University of Potsdam. The questions following the talk were very good, and showed a large interest. Sadly we did not have time for a hands on session, as my next meeting was just a few hours later. Hands on sessions are still very important, as they help turn a talk into an experience. It helps a lot that Melvin Carvalho enhanced foaf.me to make it very easy to create both a foaf file and a linked certificate, so with time these hands on sessions should be easier and shorter to do.
- 15 July, New Thinking Store, Berlin
- I finished the day with a presentation at the New Thinking Store in Berlin, organized by Martin Schmidt. This was an opportunity again to present to Web 2.0 and more directly practical people.
Posted at 05:16PM Jul 20, 2009 [permalink/trackback] by Henry Story in travel | Comments[0]
The foaf+ssl world tour
As you can see from the map here I have been cycling from Fontainebleau to Vienna (covering close to 1000km of road), and now around Cyprus in my spare time. On different occasions along my journey I had the occasion to present foaf+ssl and combine it with a hands on session, where members of the audience were encouraged to create their own foaf file and certificates, and also start looking into what it takes to develop foaf+ssl enabled services. This seems like a very good way to proceed: it helps people get some hands on experience which they can then hopefully pass on to others, it helps me prioritize what need to be done next, and should also lead to the development of foaf+ssl services that will increase the network value of the community, creating I hope a viral effect.
I started this cycle tour in order to lose some weight. I still have 10kg to lose or so, which at the rate of 3kg per 1000km will require me to cycle another 3000km. So that should enable me to visit quite a few places yet. I will be flying back to Vienna where I will stay 10 days or so, after which I will cycle to Prague for a Kiwi meeting on the 3rd of July. After that I could cycle on to Berlin. But really it's up to you to decide. If you know a good hacker group that I can present to and cycle to, let me know, and I'll see how I can fit it into my timetable. So please get in contact! :-)
Posted at 12:21PM Jun 11, 2009 [permalink/trackback] by Henry Story in travel | Comments[5]
FOAF+SSL: RESTful Authentication for the Social Web
The European Semantic Web Conference (ESWC) will be held in Heraklion on the Island of Crete in Greece from 31 May to 4 June. I will be presenting the paper "FOAF+SSL: RESTful Authentication for the Social Web" which I co-authored with Bruno Harbulot, Ian Jacobi and Mike Jones. Here is the abstract:
We describe a simple protocol for RESTful authentication, using widely deployed technologies such as HTTP, SSL/TLS and Semantic Web vocabularies. This protocol can be used for one-click sign-on to web sites using existing browsers — requiring the user to enter neither an identifier nor a password. Upon this, distributed, open yet secure social networks and applications can be built. After summarizing each of these technologies and how they come together in FOAF+SSL, we describe declaratively the reasoning of a server in its authentication decision. Finally, we compare this protocol to others in the same space.
The paper was accepted by the Trust and Privacy on the Social and Semantic Web track of the ESWC. There are quite a number of interesting papers there.
I have never been to Greece, so I have a feeling I will really enjoy this trip. Hope to see many of you there.
Posted at 11:54PM May 14, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[4]
A Simple foaf+ssl Identity Provider (IdP)
In order to help people get started with foaf+ssl, we have put together a very simple Identity Provider service (IdP). This removes the need for web services to have to deal with setting up https certificates and changing much to their current web setup. With a few lines of server side code any server can now easily find the WebId of a user, and try out some interesting ideas at little cost. If the experiment is useful, for extra security and reliability a business case can then be made for integrating a full foaf+ssl stack.
The protocol is very much as we outlined in an earlier post entitled "Sketch of a foaf+ssl+openid service". The details of the API are listed directly on the root of the first foaf+ssl IdP service, available here: https://foafssl.org/srv/idp. All the Service Provider - that is the consumer of the IdP - needs to do is to add a login button or link to his web page that points to the above IdP with an authreqissuer=$url parameter that points back to a CGI controlled by the Service Provider that can parse the redirect containing the user's WebId. That url comes with a timestamp to avoid replay attacks, and is signed to assure authenticity.
Bruno Harbulot wrote the code and published it under a BSD licence by the University of Manchester where he studies. The code is available on the So(m)mer Subversion repository. You can download it with:
$ svn checkout https://sommer.dev.java.net/svn/sommer/foafssl/trunk foafssl --username guest
and start your own IdP if you want. Please feel free to contribute back improvements, or ping us for missing features.
Update September 14, 2009
The IdP is now RDFa enabled, using Damian Steer's RDFa parser for Jena which I ported to Sesame. The war file can be downloaded directly from the dev.java.net Maven repository. To set up your own IdP use that WAR and follow the foaf+ssl setup instructions for Tomcat. This war may only work for Tomcat 7.
Posted at 12:56PM May 12, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[0]
Sun Initiates Social Web Interest Group
I am very pleased to announce that Sun Microsystems is one of the initiating members of the Social Web Incubator Group launched at the W3C.
Quoting from the Charter:
The mission of the Social Web Incubator Group, part of the Incubator Activity, is to understand the systems and technologies that permit the description and identification of people, groups, organizations, and user-generated content in extensible and privacy-respecting ways.
The topics covered with regards to the emerging Social Web include, but are not limited to: accessibility, internationalization, portability, distributed architecture, privacy, trust, business metrics and practices, user experience, and contextual data. The scope includes issues such as widget platforms (such as OpenSocial, Facebook and W3C Widgets), as well as other user-facing technology, such as OpenID and OAuth, and mobile access to social networking services. The group is concerned also with the extensibility of Social Web descriptive schemas, so that the ability of Web users to describe themselves and their interests is not limited by the imagination of software engineers or Web site creators. Some of these technologies are independent projects, some were standardized at the IETF, W3C or elsewhere, and users of the Web shouldn't have to care. The purpose of this group is to provide a lightweight environment designed to foster and report on collaborations within the Social Web-related industry or outside which may, in due time affect the growth and usability of the Social Web, rather than to create new technology.
I am glad we are supporting this along with these other prestigious players:
- ASemantics
- Boeing
- Cisco
- DERI Galway at the National University of Ireland, Galway, Ireland
- Garlik
- Institut National de Recherche en Informatique et en Automatique (INRIA)
- Institute of Informatics and Telecommunications (IIT), NCSR
- NICTA
- Rochester Institute of Technology
- SUN Microsystems
- Talis
- Telecom Italia
- University of Bristol
- University of Edinburgh
- Universidad Politécnica de Madrid
- University of Versailles
- Vrije Universiteit
- Vodafone
This should certainly help create a very interesting forum for discussing what I believe is one of the most important issues on the web today.
Posted at 10:22AM Apr 07, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[4]
howto get a foaf+ssl certificate to your iPhone
In my previous post I showed that a passwordless distributed social web is already possible on the iPhone. It just requires one to upload a foaf+ssl certificate to it. Here is a relatively easy way to do this. I leave it up to the readers of this blog to build even better ways to do it.
First of course you need to have a foaf+ssl certificate. If you don't have a foaf file, then you may want to first check out foafbuilder to create a foaf file and help you tie your distributed persona on the web together. It would be great if foafbuilder could also create those foaf+ssl certs.... For the moment they don't, so the easiest way to get one is to use the foafssl.org certificate creation service. That will load the certificate right into your browser, and help you test it.
Once you have a certificate in your browser - I am assuming Firefox here - you just need to export it to the hard drive. In FF go to Preferences, and click on the advanced tab, and choose the encryption section.
I have a number of foaf+ssl certificates as you can see here. Choose one of them and click the Backup button. This will open another window asking you where you wish to save your certificate. Save it somewhere obvious in pkcs12 format. Make sure the file ends with a .p12 extension. You will also be asked for a password to encrypt your certificate, so it can't be opened in transit. You can use a complex password here as you will only need to remember it once.
Then just mail yourself that .p12 file using an account you can access on the iPhone of course. It is just a matter then of going to your iPhone, and opening your mail. In my mail I added a link to the web service I wanted to use next, to save me typing later.
When you click on the p12 link on your iPhone, it will then ask you if you wish to install it. The certificate will most likely not be verified by another party. But that's ok, because you are the person who verified it. It is a certificate about you, and you know yourself better than most other people (except your mama of course).
You are then asked to enter the password you used to encrypt the certificate earlier. Once this is done your certificate will be installed on your iPhone, where it can stay happily for a very long time.
If you wish to have a number of different personalities on the web, you can create different foaf profiles of yourself, where you can link different pieces of your web life together. As all detective films show, it is very difficult to keep things forever secret. But you can at least keep pieces of your life clearly separated, to keep nosy people busy.
Posted at 07:19PM Apr 03, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[2]