Properties of Next Generation Personal Presence Projections
I would like to own my data and control what I can do with it on my terms. Individuals and other programs interested in looking at “my data” could then decide to use the data if they agree to the terms. I also would like to see it become easy for non-computer specialists to project this type of presence from clouds or other similar offerings. This diagram shows the basic operation I want direct control over.
Many years ago I was very involved in a technology called JavaCard, which had the promise of providing more security than current systems by protecting tokens. What I would like to see in social networking systems is the ability for me to project my personal presence and relationships with others without an aggregator in the middle. One of the technologies needed to do that is what I call point-to-point security, that is, a secure connection without a proxy between the two parties. JavaCard provided a secure store and processor that could be used as a foundation element. Today’s phones can be used to accomplish the same thing. Think of your phone as becoming your authentication device. A second technology that is needed for this to occur is an RBAC system that allows one to assign arbitrary access control rules to objects having URIs.
Security, is PKI the answer?
Modern systems often use PKI to come up with security solutions. There are many issues with PKI systems; some of those are documented in the following.
More can be found at Delicious.
Maybe the RBAC problem is Local and not Global?
I am less sure about the challenges involved in building an RBAC solution. When I first thought about this problem, I thought the solution required a massive RBAC system capable of understanding the relationship between each user, and I realized that I was looking at it from the aggregator's point of view. What is needed is a smaller-scale solution where the two principals simply resolve the access control issue in real time on a per-transaction basis. A classic on big RBAC problems can be found here.
Modern approaches to this problem can be found at
- Some of Henry Story’s numerous ideas on this topic
- A recent publication on XACML, a web-friendly access control language, from various authors including some from the University of Maryland, the university that sponsored SHOE, an excellent early example of the power of semantics.
