Problems with FOAF and XFN

0 views
Skip to first unread message

Navarr Barnier

unread,
Feb 15, 2008, 2:11:20 PM2/15/08
to DataPortability Google Group

FOAF and XFN have both been talked about here as DataPortability technologies, but the problem that I see with them is this:

 

People are identified by OpenID in a DataPortability setting.  XFN only identifies URLs of people that you know, and I’ve never seen a single link to an OpenID account in an FOAF file.

 

Maybe it’s just me, or that I haven’t noticed it, but even with the FOAF generators, there isn’t a place to put your OpenID.  If accounts of people are recognized by their OpenID, and it’s not specified by FOAF or anything else used to import friends, the applications that would be attempting to import your friends would have to do guesswork using information like Names (in which there could be duplicates) and Email Addresses (which not everyone might want to make public).

 

This also needs to be settable for any person reference on the OpenID file, so that if you want to import your friends and you load an FOAF, the service would be able to see the OpenID logins that would initially be used with the service, and easily be able to find that account name and make them your friend.

 

Or is everything I’ve written here incredibly out of place?

Tom Morris

unread,
Feb 15, 2008, 2:23:38 PM2/15/08
to dataportabi...@googlegroups.com
On Fri, Feb 15, 2008 at 7:11 PM, Navarr Barnier <nav...@gmail.com> wrote:
> FOAF and XFN have both been talked about here as DataPortability
> technologies, but the problem that I see with them is this:
> People are identified by OpenID in a DataPortability setting. XFN only
> identifies URLs of people that you know, and I've never seen a single link
> to an OpenID account in an FOAF file.
>

That's because FOAF only recently added the foaf:openid predicate.

There already exist a few FOAF files that use this:
http://tommorris.org/foaf (naturally...)
http://danbri.org/foaf.rdf
http://people.w3.org/amy/foaf.rdf
http://www.kantenwerk.org/metadata/foaf.rdf
http://moustaki.org/foaf.rdf#moustaki
http://www.w3.org/People/Connolly/home-smart.rdf
http://www.w3.org/People/Berners-Lee/card

> Maybe it's just me, or that I haven't noticed it, but even with the FOAF
> generators, there isn't a place to put your OpenID. If accounts of people
> are recognized by their OpenID, and it's not specified by FOAF or anything
> else used to import friends, the applications that would be attempting to
> import your friends would have to do guesswork using information like Names
> (in which there could be duplicates) and Email Addresses (which not everyone
> might want to make public).
>

Well, it's pretty easy if they have a foaf:homepage or foaf:weblog,
you can simply crawl that to see if they have an OpenID. I have
written a trivially simple Python script to do this. Maybe I'll
release it soon.

Also, the FOAF generators are quite old so tend not to have more
recent updates to the FOAF specification included.

--
Tom Morris
http://tommorris.org/

Julian Bond

unread,
Feb 15, 2008, 3:07:02 PM2/15/08
to dataportabi...@googlegroups.com
Navarr Barnier <nav...@gmail.com> Fri, 15 Feb 2008 13:11:20

>People are identified by OpenID in a DataPortability setting.

Really? Surely that's only one of several possible identifiers.

>  XFN only
>identifies URLs of people that you know,

And sites that identify you.

See
http://groups.google.com/group/dataportability-public/web/best-practice-f
or-site-developers#search

There are several attributes that can be used to uniquely identify a
person in files from different sites. RDF calls these Inverse Functional
Properties or IFPs. They all have the property that one person may have
several but any one value is typically only owned by one person. eg.

- email
- mbox_sha1sum (the sha1 hash of an email to obfuscate it)
- OpenID URL
- An IM account
- The URL of an online account profile page
- A Weblog URL

I'd strongly recommend that profiles and social graphs used in DP
include at least mbox_sha1sum and preferably more.

--
Julian Bond E&MSN: julian_bond at voidstar.com M: +44 (0)77 5907 2173
Webmaster: http://www.ecademy.com/ T: +44 (0)192 0412 433
Personal WebLog: http://www.voidstar.com/ skype:julian.bond?chat
Un-Balanced Load

Kevin Marks

unread,
Feb 15, 2008, 3:22:18 PM2/15/08
to dataportabi...@googlegroups.com
On Fri, Feb 15, 2008 at 12:07 PM, Julian Bond <julia...@voidstar.com> wrote:
>
> Navarr Barnier <nav...@gmail.com> Fri, 15 Feb 2008 13:11:20
>
> >People are identified by OpenID in a DataPortability setting.
>
> Really? Surely that's only one of several possible identifiers.
>
>
> > XFN only
> >identifies URLs of people that you know,

OpenID lets you prove that you own a URL, so can validate your
connection to the source URL for the XFN (this doesn't necessarily
validate rel="me" claims of course - bidirectional "me" verification
is still stronger)


>
> And sites that identify you.
>
> See
> http://groups.google.com/group/dataportability-public/web/best-practice-f
> or-site-developers#search
>
> There are several attributes that can be used to uniquely identify a
> person in files from different sites. RDF calls these Inverse Functional
> Properties or IFPs. They all have the property that one person may have
> several but any one value is typically only owned by one person. eg.
>
> - email
> - mbox_sha1sum (the sha1 hash of an email to obfuscate it)
> - OpenID URL
> - An IM account
> - The URL of an online account profile page
> - A Weblog URL
>
> I'd strongly recommend that profiles and social graphs used in DP
> include at least mbox_sha1sum and preferably more.

Email is not ideal, and mbox_sha1sum should not be included without
the users' permission; users have been surprised by sites outputting
the mbox_sha1sum and inadvertently connecting them via email that were
otehrwise private between them and the site. Also, my
security-conscious colleagues say that applying a dictionary or
rainbow table attack against mbox_sha1sum means that it should not be
considered strongly secure.

Julian Bond

unread,
Feb 15, 2008, 5:53:45 PM2/15/08
to dataportabi...@googlegroups.com
Kevin Marks <kevin...@gmail.com> Fri, 15 Feb 2008 12:22:18

>Email is not ideal, and mbox_sha1sum should not be included without
>the users' permission; users have been surprised by sites outputting
>the mbox_sha1sum and inadvertently connecting them via email that were
>otehrwise private between them and the site. Also, my
>security-conscious colleagues say that applying a dictionary or
>rainbow table attack against mbox_sha1sum means that it should not be
>considered strongly secure.

You're right that mbox_sha1sum is not ideal. It's not hard to guess that
my email is julia...@ecademy.com and then check it against the
mbox_sha1sum to prove it. But it falls under the heading of good enough.
Mostly. It does have the huge advantage though if you're trying to match
social graphs that almost every site stores an email address against
each account. That's not yet true of any other IFP.

Uldis Bojars

unread,
Feb 16, 2008, 11:16:41 AM2/16/08
to dataportabi...@googlegroups.com
On Feb 15, 2008 7:11 PM, Navarr Barnier <nav...@gmail.com> wrote:

> People are identified by OpenID in a DataPortability setting. XFN only
> identifies URLs of people that you know, and I've never seen a single link
> to an OpenID account in an FOAF file.

There is a foaf:openid property (mentioned in earlier replies). It is
one of the options for identifying a person in FOAF. See
http://www.xmlns.com/foaf/spec/#term_openid

Real-life usage of this property: LiveJournal FOAF data now include
foaf:openid. There must be at least as many FOAF profiles using
foaf:openid property as there are LJ pages.

Alexandre Passant has an interesting idea of using OpenID and FOAF
together - when a commenter authenticates on a WordPress with an
OpenID, a plugin finds commenter's FOAF profile using his OpenID URL.
Even though this makes a connection in the opposite direction that
what you were asking about, might be worth a look:

- http://apassant.net/blog/2007/09/23/retrieving-foaf-profile-from-openid/
- http://apassant.net/blog/2008/01/12/one-foaf-fits-all/

Uldis

[ http://webcamp.org/SocialNetworkPortability ]

Julian Bond

unread,
Feb 16, 2008, 12:16:35 PM2/16/08
to dataportabi...@googlegroups.com
Uldis Bojars <capt...@gmail.com> Sat, 16 Feb 2008 16:16:41

Nice. This works well *if* you are using delegation and so your OpenID
is under your control. It's going to mean some effort to try and get the
actual OpenID providers (eg Yahoo) to do this.

--
Julian Bond E&MSN: julian_bond at voidstar.com M: +44 (0)77 5907 2173
Webmaster: http://www.ecademy.com/ T: +44 (0)192 0412 433
Personal WebLog: http://www.voidstar.com/ skype:julian.bond?chat

Tax Not Included

Reply all
Reply to author
Forward
0 new messages