Evaluation of Authentication and Authorisation with Linked Data Support for CV3.0
The CV3.0-project needs authentication and authorisation methods in the context of linked data. This article summarizes the research conducted to find such methods for the project, as well as the technologies and approaches found.
Introduction and Overview
As part of the research conducted in the CV3.0-project, the goals of two of the project's workpackages consisted of:
- Authenticating access to a triplestore using WebID
- Authorising access to data within the triplestore with triple-level granularity
During the work on those two workpackages, the aspects of authentication and authorisation were thoroughly researched in the context of linked data. This article summarizes the findings and the approach chosen for the CV3.0-project.
Authentication (Access Control)
As technology for authentication, WebID is mandated by the project proposal for CV3.0.
WebID is an open standard for identity and login developed by the WebID community group at W3C. Authentication with WebID is performed using a TLS client certificate and by correlating it with a WebID-profile exposed as RDF on the web. The basic steps are as follows:
- A certificate is requested from the client. It is not required that the certificate is checked against an authority.
- A WebID-profile specified in the certificate is dereferenced.
- The public key of the certificate is compared to the dereferenced profile.
- If the comparison is successful, the client is authenticated.
The URI leading to the profile is given in the certificate using the Subject Alternative Name entry specified by X.509. The WebID specifications give a more detailed overview of the principles and the full protocol.
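The comparison in the third step, as an added example that is not code from the CV3.0-project or the WebID specifications. It assumes the Subject Alternative Name URIs and the RSA public key have already been read from the certificate and the profile has already been parsed into triples; fetch_graph, the alice.example URIs and the short key values are constructed for illustration.

```python
# Added example (not project code): the WebID-TLS key comparison.
CERT = "http://www.w3.org/ns/auth/cert#"

def norm_hex(value):
    """Normalise a hex modulus: drop whitespace, case and leading zeros."""
    return "".join(value.split()).lower().lstrip("0") or "0"

def profile_keys(graph, webid):
    """Yield (modulus_hex, exponent) for each cert:key attached to webid.

    Keys of any other subject in the same document are ignored, so a
    second identity published in that document cannot log in as webid.
    """
    for subj, pred, key_node in graph:
        if subj == webid and pred == CERT + "key":
            props = {p: o for s, p, o in graph if s == key_node}
            if CERT + "modulus" in props and CERT + "exponent" in props:
                yield (norm_hex(props[CERT + "modulus"]),
                       int(props[CERT + "exponent"]))

def authenticate(san_uris, modulus, exponent, fetch_graph):
    """Return the first SAN URI whose profile lists this key, else None."""
    presented = (format(modulus, "x"), exponent)
    for webid in san_uris:
        try:
            # Dereference the profile document (URI without fragment).
            graph = fetch_graph(webid.split("#", 1)[0])
        except LookupError:
            continue  # profile unreachable: the claim stays unverified
        if presented in set(profile_keys(graph, webid)):
            return webid
    return None

# Constructed sample data; real RSA moduli are far longer.
ALICE = "https://alice.example/card#me"
GUEST = "https://alice.example/card#guest"
PROFILES = {"https://alice.example/card": [
    (ALICE, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", "00 C3 5A 9F 11"),
    ("_:k1", CERT + "exponent", "65537"),
    (GUEST, CERT + "key", "_:k2"),
    ("_:k2", CERT + "modulus", "0BADC0DE"),
    ("_:k2", CERT + "exponent", "65537"),
]}

def fetch(url):
    """Hypothetical stand-in for an HTTP GET plus RDF parser."""
    return PROFILES[url]  # KeyError (a LookupError) if unknown
```

Because the certificate itself need not chain to an authority, the whole decision rests on the dereferenced profile, so the key must be matched against the claimed WebID subject and not against any key that happens to appear in the document.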
Emerging directly from the semantic web environment, WebID seems to be the ideal choice for the objectives of the proof-of-concept implementations done in the CV3.0-project. When the project started, no generic WebID identity providers (IDPs) could be identified that could easily be set up in our organisation to provide WebIDs for employees and students. Such an IDP has therefore been implemented as a first deliverable; more information can be found at the IDP homepage.
Besides WebID, other authentication systems were examined initially to get a broader picture of the authentication landscape. Specifically, we looked at:
- OpenID / OpenID Connect and OAuth
- BrowserID / Persona
- Webfinger, XRD and JRD
- Web Identity and Secure Messaging
These are not specifically linked data authentication mechanisms, and some do not support linked data at all; nevertheless, the following sections give a short overview of them.
OpenID / OpenID Connect and OAuth
Other protocols available to the identity and access management domain on the web include OpenID and OAuth.
OpenID has been around since 2005 and, like WebID, uses URIs as credentials. The user logs in by specifying their URI; then, depending on the OpenID version, different mechanisms are used to discover the identity provider, which is called an OpenID provider. Depending on the mode, the user can then be asked to log in at the provider. Attributes are exchanged using a "properties-file"-style format. OpenID has broad adoption: according to Wikipedia, there are over one billion OpenID-enabled accounts.
Work on OAuth began in 2006. It is an HTTP-based protocol for authorisation using tokens issued for a short period. A user of a service A can authorise a service B to access (parts of) their data at service A by defining access for service B at service A. OAuth 1.0 is specified in RFC 5849. With quite some controversy, OAuth development continued, and in 2012 OAuth 2.0 was published in RFC 6749.
OpenID Connect builds on OAuth 2.0 and uses JSON as exchange format. Work on the standard was completed in February 2014. OpenID foundation board member Nat Sakimura gives a good overview of the protocol in his article "OpenID Connect in a nutshell".
According to a comparison of WebID and OpenID, both standards should be interoperable, as the basic principle, dereferencing a personal profile via a URI, is the same. There are, however, some differences in the way the protocols interact with users and services, which are detailed in that comparison.
WebFinger, XRD and JRD
WebFinger is not an authentication protocol on its own but an information retrieval mechanism used by other protocols, namely OpenID Connect. Introduced in 2009, WebFinger is based on HTTPS and an associated well-known URI. Resources found at a given WebFinger-URI are represented in a Web Host Metadata format, serialised either as XRD (XML) or JRD (JSON, however not JSON-LD).
BrowserID / Persona
Mozilla's Persona is the leading implementation of the BrowserID-concept, which relies on verified email addresses to control access to web resources. The protocol is detailed in the BrowserID specification; its basic steps are:
- The user gets a dialog requesting their email address
- If the browser already has a corresponding certificate, login is performed using provisioning and authentication endpoints provided by the resource
- Otherwise, the user gets redirected to a login to confirm their identity
There have been some discussions comparing WebID and BrowserID. Generally, nothing seems to speak against at least some interoperability between the two; however, there are some distinctions to be made:
- BrowserID works only for browsers, whereas WebID is basically applicable to every agent which supports TLS.
- Both support multiple clients for one identity. Key revocation seems to be a bit easier with WebID; BrowserID instead chooses short validity periods for protection.
- Both are decentralised, however for BrowserID, only Mozilla's Persona seems to be the identity provider broadly used.
Although some large sites have adopted BrowserID for login, widespread usage could not be observed so far. Mozilla has recently analysed why the project failed to gain wide adoption; more details are also given in a Google Groups posting.
Web Identity and Secure Messaging
An interest group concerned with exchanging money over the web is building standards for authentication and identity in an associated W3C community group. At the time of writing, two draft community standards have emerged from this group: secure messaging and web identity.
The secure messaging standard focuses on maintenance of a public key infrastructure by having key registration services (comparable to keyservers) and on secure and verifiable message exchange using these keys.
The web identity standard, on the other hand, addresses the exchange of public and private identity attributes using JSON-LD over HTTP. To protect private data, authentication is performed using HTTP signatures, an IETF draft standard.
References
- CV3.0 project homepage, http://cv3.bfh.ch
- WebID homepage, http://webid.info/
- WebID community group, http://w3.org/community/webid/
- RFC 5280 (X.509), Subject Alternative Name, https://tools.ietf.org/html/rfc5280#section-4.2.1.6
- WebID specifications, https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
- BUAS WebIDP, http://webidp.bfh.ch
- OpenID homepage and specifications, http://openid.net
- Wikipedia - OpenID adoption, https://en.wikipedia.org/wiki/Openid#Adoption
- OAuth homepage, http://oauth.net
- RFC 5849 - OAuth 1.0, http://tools.ietf.org/html/rfc5849
- Wikipedia - OAuth 2.0 controversy, https://en.wikipedia.org/wiki/OAuth#Controversy
- RFC 6749 - OAuth 2.0, http://tools.ietf.org/html/rfc6749
- Release of OpenID Connect, http://openid.net/2014/02/25/a-great-day-for-internet-identity
- Nat Sakimura - OpenID Connect in a nutshell, http://nat.sakimura.org/2012/01/20/openid-connect-nutshell
- Henry Story - WebID in relation to other technologies, http://bblfish.net/tmp/2010/08/05/webid-related.respec.html
- RFC 7033 - WebFinger, http://tools.ietf.org/html/rfc7033
- Eran Hammer - Introducing WebFinger, http://hueniverse.com/2009/08/introducing-webfinger
- RFC 5785 - .well-known-URIs, http://www.faqs.org/rfcs/rfc5785.html
- RFC 6415 - Web Host Metadata, https://tools.ietf.org/html/rfc6415
- W3C public RDF working group mailinglist - JRD discussion, http://lists.w3.org/Archives/Public/public-rdf-wg/2013Feb/0038.html
- Mozilla Persona homepage, http://developer.mozilla.org/en-US/Persona
- BrowserID specification, http://github.com/mozilla/id-specs/blob/prod/browserid/index.md
- Stackoverflow comparing WebID and BrowserID, https://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid
- Stackoverflow comparing various federated identities, https://security.stackexchange.com/questions/5323/what-are-the-downsides-of-browserid-persona-compared-to-openid-oauth-facebook/5390#5390
- Identity/Persona AAR, http://wiki.mozilla.org/index.php?title=Identity/Persona_AAR&oldid=919193
- Google Groups - Dan Callahan on Persona's future, https://groups.google.com/forum/#!msg/mozilla.dev.identity/Qnxt8lmOEeo/fVtJrMDfOjMJ
- Web Payments homepage, https://web-payments.org
- W3C Web Payments community group, http://www.w3.org/community/webpayments
- Secure Messaging - draft community group specification, https://web-payments.org/specs/source/secure-messaging
- Web Identity - draft community group specification, https://web-payments.org/specs/source/web-identity
- IETF HTTP Signatures - draft Cavage, http://tools.ietf.org/html/draft-cavage-http-signatures-00
- Digital Bazaar - payswarm.js library, https://github.com/digitalbazaar/payswarm.js
- Joyent - HTTP Signature, https://github.com/joyent/node-http-signature
- Homepage of Thomas Bergwinkl, https://www.bergnet.org
- UAC Ontology, http://ns.bergnet.org/uac/0.1/index.html
- Presentation about UAC, https://www.bergnet.org/people/bergi/files/documents/2014-02-14/index.html
- Web Access Control, http://www.w3.org/wiki/WebAccessControl
- WebID+ACO: A distributed identification mechanism for social web, http://ii.uwb.edu.pl/~dtomaszuk/WebIDACO.pdf
- ACO Ontology, http://ii.uwb.edu.pl/~dtomaszuk/access/
- S4AC Ontology, http://ns.inria.fr/s4ac/v2/s4ac_v2.html
- SHI3LD Homepage, https://wimmics.inria.fr/projects/shi3ld/
- INRIA Homepage, http://www.inria.fr
- Privacy Preference Ontology Paper, http://ceur-ws.org/Vol-781/paper6.pdf
- DERI Institute Homepage, http://deri.ie
- An Overview of RDF Triplestores, http://www.garshol.priv.no/blog/231.html
- Stardog Triplestore, Security Overview, http://docs.stardog.com/security/
- Oracle, Finegrained Access Control, http://docs.oracle.com/cd/E11882_01/appdev.112/e25609/fine_grained_acc.htm