A global distributed Social Web requires that each person be able to control their identity, that this identity be linkable across sites - placing each person in a Web of relationships - and that it be possible to authenticate globally with such identities.
This specification outlines a simple universal identification mechanism that is distributed, openly extensible, improves privacy, security and control over how each person can identify themselves in order to allow fine grained access control to their information on the Web. It does this by applying the best practices of Web Architecture whilst building on well established widely deployed protocols and standards including HTML, URIs, HTTP, and RDF Semantics.
There are a number of concepts that are covered in this document that the reader may want to be aware of before continuing. General knowledge of RDF [[!RDF-PRIMER]] is necessary to understand how to implement this specification. WebID uses a number of specific technologies like Turtle [[!turtle]] and RDFa [[!RDFA-CORE]].
A general Introduction is provided for all that would like to understand why this specification is necessary to simplify usage of the Web.
The terms used throughout this specification are listed in the section titled Terminology.
A WebID is an HTTP URI which refers to an Agent (Person, Organization, Group, Device, etc.). A description of the WebID can be found in the
text/turtle [[!turtle]], but MAY be available in other RDF serialization formats (e.g. [[!RDFA-CORE]]) if requested through content negotiation.
WebIDs can be used to build a Web of trust using vocabularies such as FOAF [[!FOAF]] by allowing people to link together their profiles in a public or protected manner.
Such a web of trust can then be used by a
This specification is divided in the following sections.
This section gives a high level overview of WebID, and presents the organization of the specification and the conventions used throughout the document.
Section 2 provides a short description for the most commonly used terms in this document.
Section 3 describes what a WebID URI is.
Section 4 presents an overview of WebID.
Section 5 deals with the publishing of a
Section 6 describes how a request for a
This section provides definitions for several important terms used in this document.
text/turtle[[!turtle]] representation of the requested profile. This document MAY be available in other RDF serialization formats, such as RDFa [[!RDFA-CORE]], or [[!RDF-SYNTAX-GRAMMAR]] if so requested through content negotiation.
Examples assume the following namespace prefix bindings unless otherwise stated:
When using URIs, it is possible to identify both a thing (which may exist outside of the Web) and a Web document describing the thing. For example, the person Bob is described on his homepage. Alice may not like the look of the homepage, but may want to link to the person Bob. Therefore, two URIs are needed, one for Alice and one for the homepage or a RDF document describing Alice.
The WebID HTTP URI must be one that dereferences to a document the user controls.
For example, if a user Bob controls
then his WebID can be
There are two solutions that meet our requirements for identifying real-world objects: 303 redirects and hash URIs. Which one to use depends on the situation, both have advantages and disadvantages, as presented in [[!COOLURIS]]. All examples in this specification will use such hash URIs.
The relation between the
The WebID URI - http://www.w3.org/People/Berners-Lee/card#i" (containing the #i hash tag) - is an identifier that denotes (refers to) a person or more generally an agent. In the above illustration, the referent is Tim Berners Lee, a real physical person who has a history, who invented the World Wide Web, and who directs the World Web Consortium.
The WebID Profile URI - "http://www.w3.org/People/Berners-Lee/card" (without the #i hash tag) - denotes the document describing the person (or more generally any agent) who is the referent of the WebID URI.
The WebID Profile gives the sense of the WebID: its RDF Graph contains a Concise Bounded Description of the WebID such that this subgraph forms a definite description of the referent of the WebID, that is, a description that distinguishes the referent of that WebID from all other things in the world.
The document can, for example, contain relations to another document depicting the WebID referent, or it can relate the WebID to principals used by different authentication protocols. (More information on WebID and other authentication protocols can be found on the WebID Identity Interoperability page).
WebID requires that servers MUST at least be able to provide Turtle representation of profile documents, but other serialization formats of the graph are allowed, provided that agents are able to parse that serialization and obtain the graph automatically. HTTP Content Negotiation can be employed to aid in publication and discovery of multiple distinct serializations of the same graph at the same URL, as explained in [[!COOLURIS]]
It is particularly useful to have one of the representations be in HTML even if it is not marked up in RDFa as this allows people using a web browser to understand what the information at that URI represents.
WebID RDF graphs are built using vocabularies identified by URIs, that can be placed in subject, predicate or object position of the relations constituting the graph. The definition of each URI should be found at the namespace of the URI, by dereferencing it.
Personal details are the most common requirement when registering an
account with a website. Some of these pieces of information include an e-mail
address, a name and perhaps an avatar image, expressed using the FOAF [[!FOAF]] vocabulary. This section includes
properties that SHOULD be used when conveying key pieces of personal information
but are NOT REQUIRED to be present in a
A widely used format for writing RDF graphs by hand is the Turtle [[!turtle]] notation.
It is easy to learn, and very handy for communicating over e-mail and on mailing lists.
The syntax is very similar to the SPARQL query language.
Turtle profile documents should be served with the
text/turtle content type.
Take for example the WebID https://bob.example.org/profile#me, for which the WebID Profile document contains the following Turtle representation:
@prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a foaf:PersonalProfileDocument ; foaf:maker <#me> ; foaf:primaryTopic <#me> . <#me> a foaf:Person ; foaf:name "Bob" ; foaf:knows <https://example.edu/p/Alice#MSc> ; foaf:img <https://bob.example.org/picture.jpg> .
RDFa in HTML [[!RDFA-CORE]] is a way to markup HTML with relations that have a well defined semantics and mapping to an RDF graph. There are many ways of writing out the above graph using RDFa in HTML. Here is just one example of what a WebID profile could look like.
<div vocab="http://xmlns.com/foaf/0.1/" about="#me" typeof="foaf:Person"> <p>My name is <span property="name">Bob</span> and this is how I look like: <img property="img" src="https://bob.example.org/picture.jpg" title="Bob" alt="Bob" /></p> <h2>My Good Friends</h2> <ul> <li property="knows" href="https://example.edu/p/Alice#MSc">Alice</li> </ul> </div>
If a WebID provider would prefer not to mark up his WebID profile in HTML+RDFa, but
just provide a human readable format for users in plain HTML and have the RDF graph appear
in a machine readable format such as Turtle, then he SHOULD provide a link of type
to a machine readable format [[!RFC5988]]. This can be placed in the HTTP header or in the
html as shown here:
<html> <head> <link rel="alternate" type="text/turtle" href="profile.ttl"/> </head> <body> ... </body> </html>
A WebID Profile is a public document that may contain public as well personal information about the agent identified by the WebID. As some agents may not want to reveal a lot of information about themselves, RDF and Linked Data principles allows them to choose how much information they wish to make publicly available. This can be achieved by separating parts of the profile information into separate documents, each protected by access control policies.
On the other hand, some agents may want to publish more information about themselves, but only to a select group of trusted agents. In the following example, Bob is limiting access to his list of friends, by placing all foaf:knows relations into a separate document.
@prefix foaf: <http://xmlns.com/foaf/0.1/> . @prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> . <> a foaf:PersonalProfileDocument ; foaf:maker <#me> ; foaf:primaryTopic <#me> . <#me> a foaf:Person ; foaf:name "Bob" ; rdfs:seeAlso <https://bob.example.org/friends> ; foaf:img <https://bob.example.org/picture.jpg> .
Where https://bob.example.org/friends is a reference to an Access Control List (ACL) protected document containing:
@prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a foaf:PersonalProfileDocument ; foaf:maker <https://bob.example.org/profile#me> ; foaf:primaryTopic <https://bob.example.org/profile#me> . <https://bob.example.org/profile#me> a foaf:Person ; foaf:knows <https://example.edu/p/Alice#MSc> ; foaf:knows <https://example.com/people/Mary/card#me> .
and having the following corresponding ACL rule, expressed using the WebAccessControl ontology:
@prefix acl: <http://www.w3.org/ns/auth/acl#> . <#FriendsOnly> ; acl:accessTo <https://bob.example.org/friends> ; acl:agent <http://example.edu/p/Alice#Msc>, <http://example.com/people/Mary/card#me> ; acl:mode acl:Read .
The standard way of overcoming such attacks is to rely on the cryptographic security protocols within the HTTPS [[!HTTP-TLS]] stack. HTTPS servers are identified by a certificate either signed by a well known Certification Authority or whose public key is listed in the DNSSEC as specified by the DANE protocol [[!DANE]], or both. This makes it much more difficult to set up a fake server by DNS Poisoning attacks. Resources served over HTTPS are furthermore signed and encrypted removing all the simple man-in-the-middle attacks.
Applying the above security measure does not remove the burden from server administrators to take the appropriate security measures, in order to avoid compromising their servers. Similarly, clients that fetch documents on the web also need to make sure their work environment has not been compromised.
As security is constantly being challenged by new attacks, to which new responses are found, a collection of security considerations will be made available on the WebID Wiki.
It is recommended that the
text/turtle in the HTTP
Accept-Header with a higher priority than in the case of
text/html, as sites may produce HTML without RDFa markup but with a link to graph encoded in a pure RDF format such as Turtle.
For an agent that can parse Turtle, rdf/xml and RDFa, the following would be a reasonable Accept header:
The following people have been instrumental in providing thoughts, feedback, reviews, criticism and input in the creation of this specification:
Stéphane Corlosquet, Erich Bremer, Kingsley Idehen, Ted Thibodeau, Alexandre Bertails, Thomas Bergwinkl.