Slug: making-a-list-whitelisting-with-openid-and-xfn Date: 2007-11-26 Title: “Making a list: Whitelisting with OpenId and XFN” layout: post
This weekend I ran across a post on Tim Berners Lee’s blog (the Giant Global Graph - Groan), but what got my attention was a previous post by Dan Connoly about the social-network-based whitelist they’ve developed for commenting on the Decentralized Information Group blog.
##Decentralized Information Group, OpenID+FOAF Whitelist
In FOAF and OpenID: two great tastes that taste great together, Dan writes about the system the DIG devised to whitelist comment authors:
> In more detail, you can comment on our blog if:
You can show ownership of a web page via the OpenID protocol.
That web page is related by the foaf:openid property to a foaf:Person, and
That foaf:Person is listed as a member of the DIG group in http://dig.csail.mit.edu/data, or
related to a dig member by one or two foaf:knows links.
Mapped out, the system looks something like this:
To be added to the site’s comment whitelist, either the green or blue path must be satisfied: User A has to be either identifiable (via OpenId) as a DIG member (
foaf:Person matches in the DIG member data) or another DIG member must “claim” User A (User A is identified via OpenID and their
foaf:Person is related via
foaf:knows to the known DIG member).
##OpenID+XFN (+Wordpress?) Whitelist
So tonight I got to talking to Chris Messina about DIG’s system (he pointed me to Simon Willison’s efforts back in January at whitelisting via OpenID) and wondered if we couldn’t build a similar system with a little less propeller-head factor using XFN instead of the semantically pure but pragmatically awkward FOAF.
In order to make something like this work, it seems that the flow would work like this:
- You can show ownership of a web page via the OpenID protocol.
- That web page contains your hCard, or a symmetric XFN rel=”me” link to a separate page with your hCard
- The URI of your hCard is listed in the service’s membership data, OR
- The URI of your hCard is listed in the XFN of a member of the service with an XFN relationship of “acquaintance” or better (“better” is subject to definition, based on the XFN profile).
- You get added to the service’s whitelist
This is very rough, but mapped out it looks something like this:
As before, to be added to a site’s whitelist, either the green or blue path must be satisfied. I think that a system like this for Wordpress (for example) could be built out of mostly existing parts, starting with the Wordpress OpenID Plugin (newly 2.0). (Chris has more notes on a wordpress plugin.)
My thinking here is rough, and probably contains quite a few holes, so I’m trusting that those more knowledgable that I will point out flaws in my thinking or new directions.
UPDATE: A conversation with Paul Walsh and Simon Willison sprang up in the comments on Pauls’ post, “Identity” the most widely misused term by Internet experts. Paul makes a decent case (and Simon agrees) that saying OpenID “proves identiy” is misleading - nothing is proven and no Trust is asserted. OpenID provides a form of identity (“I can prove I own this URI”) that particpants have agreed to. Thanks to Paul and I’ve updated my diagrams accordingly.