FoafIdentityAssurance

From FOAF


How can FOAF be used for FoafAuthentication?

The following is written in the context of FoafCheck, a Python utility I created, and its use as a weblog comment identity feature. Authentication is not yet implemented, but this is how I intend to do it:

1. The host generates a "challenge" (using FoafCheck) that is time sensitive, say 6-10 alphanumeric characters, and places it next to the FOAF icon on the entry form.
2. The user pastes the challenge into a local client that signs it with their private key, and pastes the resulting signature back into a field in the form (I'm thinking the Name field).
3. The user pastes the URI of their homepage, or of a FOAF file that contains their foaf:Person description, into the Homepage field.
4. The host calls FoafCheck with the URI and the response to the challenge.
5. FoafCheck locates and reads the FOAF file.
6. It locates and verifies the file's signature.
7. It picks the appropriate foaf:Person (see FoafCheck for details, and Topic Finder for another approach).
8. It uses the public key within the signed FOAF file to verify that the response is a valid signature over the challenge (a signature is verified, not "decrypted and compared"; that description only fits textbook RSA).

Authoritative references on challenge/response using public keys will of course be consulted for the actual implementation. Whichever scheme is adopted, the challenge must be unpredictable, must expire quickly and must be accepted only once, so that a captured response cannot be replayed into a later comment. Note also that the signature on the FOAF file shows only that whoever published it holds the private key matching the embedded public key; the binding between that key and a person rests on the host having fetched the file from the URI the user supplied.
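The whole exchange above, host side and user side, as an added example; this is not FoafCheck's code or any code from the FOAF project. Because the page does not fix a signature scheme or say how the public key is embedded in the FOAF file, the example makes two labelled assumptions: the key is published with the W3C cert# vocabulary (cert:RSAPublicKey with cert:modulus and cert:exponent), and the signature primitive is a stdlib-only textbook RSA over a SHA-256 digest so that it runs offline. That toy RSA is unpadded and small and exists only so the protocol logic can be exercised; a real implementation uses a vetted signature library. The homepage URI, the person's name and the 600-second lifetime are constructed values.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"
CERT = "http://www.w3.org/ns/auth/cert#"   # key vocabulary: an assumption, the page names none
CHALLENGE_TTL = 600                        # seconds a challenge stays valid: assumed value

# Toy RSA over a SHA-256 digest (textbook, unpadded, 512-bit) so the example runs
# offline on the standard library alone. Not a secure signature scheme; demo only.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1      # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):                        # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exact bit length
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):             # -> (public, private) = ((n, e), (n, d))
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    n, e = public                                  # step 8: verify a signature; nothing is "decrypted"
    return 0 < signature < n and pow(signature, e, n) == _digest(message) % n

# Host side, step 1: short, unpredictable, time-limited, single-use challenge.
def issue_challenge(store: dict, now: float) -> str:
    token = secrets.token_hex(5)                   # 10 alphanumeric characters
    store[token] = now + CHALLENGE_TTL             # remember when each token expires
    return token

def redeem_challenge(store: dict, token: str, now: float) -> bool:
    expiry = store.pop(token, None)                # single use: gone as soon as it is checked
    return expiry is not None and now <= expiry

def build_foaf(homepage: str, public) -> bytes:    # constructed sample FOAF file for the demo
    n, e = public
    return f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="{FOAF}" xmlns:cert="{CERT}">
  <foaf:Person><foaf:name>Example Commenter</foaf:name>
    <foaf:homepage rdf:resource="{homepage}"/>
    <cert:key><cert:RSAPublicKey><cert:modulus>{n:x}</cert:modulus>
      <cert:exponent>{e}</cert:exponent></cert:RSAPublicKey></cert:key>
  </foaf:Person></rdf:RDF>""".encode()

def public_key_for(foaf_xml: bytes, homepage: str):
    """Step 7: pick the foaf:Person whose foaf:homepage is the submitted URI; return its key."""
    for person in ET.fromstring(foaf_xml).iter(f"{{{FOAF}}}Person"):
        hp = person.find(f"{{{FOAF}}}homepage")
        key = person.find(f"{{{CERT}}}key/{{{CERT}}}RSAPublicKey")
        if hp is not None and hp.get(f"{{{RDF}}}resource") == homepage and key is not None:
            return (int(key.findtext(f"{{{CERT}}}modulus"), 16),
                    int(key.findtext(f"{{{CERT}}}exponent")))
    return None

def foaf_check(store, homepage, foaf_xml, foaf_sig, challenge, response, now) -> bool:
    """Host side, steps 4-8: redeem the challenge, pick the person, verify file and response."""
    if not redeem_challenge(store, challenge, now):
        return False                               # unknown, expired or already used
    public = public_key_for(foaf_xml, homepage)
    if public is None or not verify(public, foaf_xml, foaf_sig):
        return False                               # step 6: file signature by the embedded key
    return verify(public, challenge.encode(), response)

def run_demo(now: float = 1_700_000_000.0):        # -> (first attempt accepted, replay accepted)
    public, private = generate_keypair()
    homepage = "https://example.org/~commenter/"  # constructed
    foaf = build_foaf(homepage, public)
    foaf_sig = sign(private, foaf)                 # publisher signs their own FOAF file
    store = {}
    challenge = issue_challenge(store, now)
    response = sign(private, challenge.encode())   # step 2: the user's local client
    first = foaf_check(store, homepage, foaf, foaf_sig, challenge, response, now + 5)
    replay = foaf_check(store, homepage, foaf, foaf_sig, challenge, response, now + 10)
    return first, replay
```

`run_demo()` returns `(True, False)`: the first submission passes every step, and submitting the same challenge and response a second time is rejected because `redeem_challenge` removes a token the moment it is checked. The same call rejects a response presented after `CHALLENGE_TTL` has elapsed. Note that the host keys the lookup in `public_key_for` on the URI the user submitted, which is the only thing tying the key in the file to the person claiming it; a file that verifies under its own embedded key is merely self-consistent.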

Alternatives

SamRuby describes a much more practical (for now) approach that uses an e-mail client to send already-signed comments to a weblog entry.

Ben Nolan recommends SharedID.com - a webservice providing single sign on and foaf identity assurance, with open APIs.