December 30, 2002

Web passwords in FOAF?

Here's a quick scribbled description of an application of FOAF I've been thinking about lately. I am forever forgetting the passwords for various Web sites; usually those of my friends (photos etc), rather than huge dot-com sites. I'd like to make it easy for such sites to offer password-protected access to their content, without my having to remember loads of different passwords.

So I'm wondering how feasible it would be to do something like the following: in my FOAF file, or another RDF/XML document linked from it, list a bunch of 'account descriptions' giving my username and (in some cases) crypted passwords. Some of these could be generic accounts, e.g. 'generic friends photo login'. FOAF-aware sites could use this if they want to give me access but defer password management to external systems. I'd update/edit/delete account descriptions, including passwords, and sites would read my FOAF file regularly to keep up to date.

The bare bones of this could be implemented with relatively little scripting, but it raises some issues that need careful thought. First up, it isn't super-wise to have a single username/password used on loads of sites, especially if it is sent in cleartext HTTP, or if you're not careful about which sites you send it to. Secondly, we'd need to use something like PGP's identity-assurance mechanisms, otherwise my friends might accidentally use evil-danbri-impersonator.rdf to check passwords, and allow the wrong users to see their content. So I might PGP-sign a chunk of RDF that says 'this is danbri@rdfweb.org's low-security photo-website generic account'.
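To make the two halves of the idea concrete, here is an added sketch (not danbri's code, and not a FOAF vocabulary that exists): the publisher side writes an account description into a small RDF/XML document, and the site side parses that document and checks a submitted password against it. The `acct:` namespace is hypothetical, the salted PBKDF2 hash and constant-time compare are my choices for what "crypted password" should mean when the value is public to anyone who fetches the file, and the PGP check against an impersonator's document is assumed to have happened before `check_login` is trusted.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"
ACCT = "http://example.org/ns/account#"  # hypothetical vocabulary, not part of FOAF
ITERATIONS = 100_000  # slow KDF: the hash is public to anyone who fetches the file


def password_record(password, salt=None):
    """Publisher side: salted PBKDF2 so a published hash resists offline guessing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${salt.hex()}${digest.hex()}"


def account_document(mbox, service, username, password):
    """Build a minimal RDF/XML document carrying one account description."""
    return f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="{FOAF}" xmlns:acct="{ACCT}">
  <foaf:Person>
    <foaf:mbox rdf:resource="{mbox}"/>
    <acct:holds><acct:Account>
      <acct:service>{service}</acct:service>
      <acct:username>{username}</acct:username>
      <acct:passwordHash>{password_record(password)}</acct:passwordHash>
    </acct:Account></acct:holds>
  </foaf:Person>
</rdf:RDF>"""


def check_login(doc, service, username, password):
    """Site side: locate the matching account description and verify the password.
    Only call this on a document whose origin has already been verified
    (e.g. a checked PGP signature), or an impersonator's file decides who gets in."""
    root = ET.fromstring(doc)
    for acct in root.iter(f"{{{ACCT}}}Account"):
        if (acct.findtext(f"{{{ACCT}}}service") != service
                or acct.findtext(f"{{{ACCT}}}username") != username):
            continue
        parts = (acct.findtext(f"{{{ACCT}}}passwordHash") or "").split("$")
        if len(parts) != 3 or parts[0] != "pbkdf2-sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(parts[1]), ITERATIONS)
        # Constant-time compare so timing doesn't leak the stored digest.
        return hmac.compare_digest(candidate, bytes.fromhex(parts[2]))
    return False
```

Because the same record would be fetched by every site the account is offered to, the reuse risk named above is unchanged: a weak password in a public hash is guessable by anyone, which is why the KDF is deliberately slow.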

There's more to think and write and test on all this, but I just wanted to scribble the basic idea. I suspect the next step is a prototype...

Posted by danbri at December 30, 2002 01:19 AM