FOAF+TLS: RESTful Authentication for Distributed Social Networks ⋆

Henry Story 1, Bruno Harbulot 2, Ian Jacobi 3, and Mike Jones 2

1 Sun Microsystems, http://blogs.sun.com/bblfish
2 The University of Manchester, UK, Bruno.Harbulot@manchester.ac.uk
3 MIT

Abstract. We describe a very simple protocol for RESTful authentication, using widely deployed technologies such as HTTP, TLS and Semantic Web vocabularies. After describing each of these technologies and how they come together in FOAF+TLS 4, we show declaratively the reasoning of a server relying on this authentication mechanism to make authorization decisions.

1 Introduction

Many web servers that require authentication rely on centralized systems (for example, backed by an LDAP service) that belong to the same administrative domain as the server. In this model, the user is confined to this administrative domain and needs to have an account for each organization. This makes it difficult to link data about a given user that is held by two distinct organizations. In addition, every time a new user needs authenticated access to a new organization, a new registration needs to be made; this is a burden for both the user and the organization. The process of registration is either (a) minimal (for example, e-mail address confirmation), or (b) more in-depth (for example, in a workplace, where an administrator has to create an account after out-of-band verification). Process (a) is lightweight, but will often provide insufficient information, whereas process (b) may be able to give more information about a user, at the expense of a costly initial verification phase during the registration.

Attempts to decentralize this process have been made. Shibboleth, 5 for example, aims at sharing accounts across administrative boundaries; it does however rely on a rigid federation process between organizations. OpenID enables authenticating a user against a URI, but requires a separate protocol and the definition of custom attributes to obtain more information about the user.

⋆ This article will be made available under the "Attribution 3.0 Unported" Creative Commons License, as soon as it is accepted by the SPOT2009 committee. Do not republish until then.
4 This is also known as FOAF+SSL. Up-to-date information on developments in this protocol is available at http://esw.w3.org/topic/foaf+ssl
5 http://shibboleth.internet2.edu/

Draft: March 16, 2009 -- 11:44-- Page 1
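The abstract names the building blocks (HTTP, TLS and a FOAF profile) without spelling out the check a server performs. As an added illustration, not code from the paper or from any FOAF+SSL implementation, the following Go program shows the server-side logic of FOAF+SSL as I understand the protocol: the client presents a self-signed certificate whose subjectAltName carries its profile URI, and the server dereferences that URI and accepts the identity only if the profile publishes the certificate's public key. The cert:modulus and cert:exponent property names, the regex extraction standing in for an RDF parser, the in-memory map standing in for an HTTP GET, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// MakeSelfSignedWebIDCert builds the client certificate a FOAF+TLS user presents:
// self-signed, with the profile URI (the WebID) in subjectAltName. No CA signs
// it; the server trusts the key only if the profile at that URI lists it.
func MakeSelfSignedWebIDCert(webID string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "self-signed FOAF+TLS client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u}, // subjectAltName URI entry
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProfileFor renders a constructed, deliberately minimal Turtle-style profile
// publishing one RSA key. The property names are an assumption for this example.
func ProfileFor(webID string, pub *rsa.PublicKey) string {
	return fmt.Sprintf("@prefix cert: <http://www.w3.org/ns/auth/cert#> .\n<%s> cert:key [ cert:modulus \"%s\" ; cert:exponent %d ] .\n",
		webID, hex.EncodeToString(pub.N.Bytes()), pub.E)
}

var (
	modulusRe  = regexp.MustCompile(`cert:modulus\s+"([0-9a-fA-F\s]+)"`)
	exponentRe = regexp.MustCompile(`cert:exponent\s+(\d+)`)
)

// keysInProfile pairs each modulus with the following exponent: a regex stand-in
// for a real RDF parser, sufficient for the constructed profiles above.
func keysInProfile(profile string) []*rsa.PublicKey {
	mods := modulusRe.FindAllStringSubmatch(profile, -1)
	exps := exponentRe.FindAllStringSubmatch(profile, -1)
	var keys []*rsa.PublicKey
	for i := 0; i < len(mods) && i < len(exps); i++ {
		n, okN := new(big.Int).SetString(strings.Join(strings.Fields(mods[i][1]), ""), 16)
		e, okE := new(big.Int).SetString(exps[i][1], 10)
		if !okN || !okE || !e.IsInt64() {
			continue
		}
		keys = append(keys, &rsa.PublicKey{N: n, E: int(e.Int64())})
	}
	return keys
}

// Authenticate is the server-side check. The TLS handshake has already proved
// the client holds the private key; what remains is deciding which claimed
// WebID, if any, that key vouches for. Chain validation is useless here (the
// certificate is self-signed): the dereferenced profile is the trust anchor.
func Authenticate(cert *x509.Certificate, fetch func(webID string) (string, error)) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("example handles RSA client keys only")
	}
	for _, u := range cert.URIs {
		webID := u.String()
		profile, err := fetch(webID) // dereference the claimed identity over HTTP(S)
		if err != nil {
			continue // unreachable profile: this claim cannot be verified
		}
		for _, k := range keysInProfile(profile) {
			// Both modulus and exponent must match; a modulus match alone is not enough.
			if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
				return webID, nil
			}
		}
	}
	return "", errors.New("no WebID in the certificate publishes its public key")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	webID := "https://alice.example/profile#me" // constructed identity
	cert, err := MakeSelfSignedWebIDCert(webID, key)
	if err != nil {
		panic(err)
	}
	web := map[string]string{webID: ProfileFor(webID, &key.PublicKey)} // stands in for the web
	fetch := func(id string) (string, error) {
		if p, ok := web[id]; ok {
			return p, nil
		}
		return "", errors.New("404 Not Found")
	}
	fmt.Println(Authenticate(cert, fetch))
}
```

A server deploying this must be configured to request client certificates without verifying them against a CA store (the certificate is self-signed by design), and the fetch of the profile should itself go over HTTPS with normal server-certificate validation, since an attacker who can substitute the profile document can substitute the key it publishes.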