Slug: making-a-list-whitelisting-with-openid-and-xfn
Date: 2007-11-26
Title: “Making a list: Whitelisting with OpenId and XFN”
layout: post
This weekend I ran across a post on Tim Berners-Lee’s blog (the Giant Global Graph - Groan), but what got my attention was a previous post by Dan Connolly about the social-network-based whitelist they’ve developed for commenting on the Decentralized Information Group blog.
In less than a nutshell, the DIG is using the relationship data in their members’ FOAF files to build a whitelist of users (identified by their OpenID) who can comment on the site.
## Decentralized Information Group, OpenID+FOAF Whitelist
In FOAF and OpenID: two great tastes that taste great together, Dan writes about the system the DIG devised to whitelist comment authors:
> In more detail, you can comment on our blog if:
> - You can show ownership of a web page via the OpenID protocol.
> - That web page is related by the foaf:openid property to a foaf:Person, and
> - That foaf:Person is listed as a member of the DIG group in http://dig.csail.mit.edu/data, or
> - related to a dig member by one or two foaf:knows links.
Sean Palmer has a deeper, very interesting description of the process that went into the system, and Shahan Khatchadourian describes how it works for a new user.
Mapped out, the system looks something like this:
To be added to the site’s comment whitelist, either the green or blue path must be satisfied: User A has to be either identifiable (via OpenID) as a DIG member (their foaf:Person matches in the DIG member data), or another DIG member must “claim” User A (User A is identified via OpenID and their foaf:Person is related via foaf:knows to the known DIG member).
## OpenID+XFN (+WordPress?) Whitelist
So tonight I got to talking to Chris Messina about DIG’s system (he pointed me to Simon Willison’s efforts back in January at whitelisting via OpenID) and wondered if we couldn’t build a similar system with a little less propeller-head factor using XFN instead of the semantically pure but pragmatically awkward FOAF.
In order to make something like this work, it seems that the flow would work like this:
- You can show ownership of a web page via the OpenID protocol.
- That web page contains your hCard, or a symmetric XFN rel="me" link to a separate page with your hCard.
- The URI of your hCard is listed in the service’s membership data, OR
- The URI of your hCard is listed in the XFN of a member of the service with an XFN relationship of “acquaintance” or better (“better” is subject to definition, based on the XFN profile).
- You get added to the service’s whitelist.
This is very rough, but mapped out it looks something like this:
As before, to be added to a site’s whitelist, either the green or blue path must be satisfied. I think that a system like this for WordPress (for example) could be built out of mostly existing parts, starting with the WordPress OpenID Plugin (newly 2.0). (Chris has more notes on a WordPress plugin.)
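As an added example (not code from this post, and not from any WordPress plugin), here is a stand-alone Python toy of the flow above. It assumes the OpenID check on the claimed URL has already passed, that the pages have already been fetched (constructed HTML snippets stand in for them), and an assumed ranking of XFN values for “acquaintance or better”; it also enforces the symmetric rel="me" requirement, which is what keeps a stranger from whitelisting themselves by pointing at a member’s hCard.

```python
from html.parser import HTMLParser
# Assumed ranking of XFN values; the post leaves "acquaintance or better" to the XFN profile.
XFN_RANK = {"contact": 0, "acquaintance": 1, "friend": 2}
class Page(HTMLParser):
    """Parse one HTML page: (href, rel tokens) of every <a>, plus whether it carries an hCard."""
    def __init__(self, html):
        super().__init__()
        self.links, self.has_hcard = [], False
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if "vcard" in (a.get("class") or "").split():
            self.has_hcard = True
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], set((a.get("rel") or "").lower().split())))

def hcard_url(pages, verified_url):
    """hCard URL the OpenID-verified page stands for: the page itself if it carries an hCard, else
    the target of a rel="me" link that links back with rel="me" (so nobody can just point at a member)."""
    page = Page(pages.get(verified_url, ""))
    if page.has_hcard:
        return verified_url
    for href, rel in page.links:
        target = Page(pages.get(href, ""))
        if "me" in rel and target.has_hcard and any(h == verified_url and "me" in r for h, r in target.links):
            return href
    return None

def is_whitelisted(pages, members, verified_url, min_rel="acquaintance"):
    hcard = hcard_url(pages, verified_url)
    if hcard is None:
        return False
    if hcard in members:  # listed in the service's membership data
        return True
    for member in members:  # or claimed by a member's XFN link of min_rel or better
        for href, rel in Page(pages.get(member, "")).links:
            if href == hcard and any(XFN_RANK.get(t, -1) >= XFN_RANK[min_rel] for t in rel):
                return True
    return False

PAGES = {  # constructed sample pages standing in for fetched HTML
    "http://example.org/alice/": '<div class="vcard">Alice</div><a rel="friend met" href="http://example.org/bob/">Bob</a>'
                                '<a rel="contact" href="http://example.org/eve/">Eve</a>',
    "http://example.org/bob/": '<div class="vcard">Bob</div><a rel="me" href="http://bob.example/id">me</a>',
    "http://bob.example/id": '<a rel="me" href="http://example.org/bob/">my page</a>',
    "http://example.org/eve/": '<div class="vcard">Eve</div>',
    "http://mallory.example/": '<a rel="me" href="http://example.org/alice/">me</a>',  # one-way claim
}
MEMBERS = {"http://example.org/alice/"}
```

With these pages, Bob is whitelisted through his symmetric rel="me" page and Alice's "friend" link, Eve is not (a "contact" link is below "acquaintance"), and the one-way rel="me" claim on Alice's hCard is rejected.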
My thinking here is rough, and probably contains quite a few holes, so I’m trusting that those more knowledgeable than I will point out flaws in my thinking or new directions.
UPDATE: A conversation with Paul Walsh and Simon Willison sprang up in the comments on Paul’s post, “Identity” the most widely misused term by Internet experts. Paul makes a decent case (and Simon agrees) that saying OpenID “proves identity” is misleading - nothing is proven and no Trust is asserted. OpenID provides a form of identity (“I can prove I own this URI”) that participants have agreed to. Thanks to Paul, and I’ve updated my diagrams accordingly.