W3C

WebID specifications

Put together by the WebID Incubator Group chaired by Henry Story.


Abstract

A global distributed Social Web, enabling the building of Socially Aware Cloud Storage, requires a distributed identity system. To fit web architecture it must have the following properties:

The following specs have been put together by the WebID Incubator Group with those properties in mind.

Specifications

WebID 1.0 - Web Identity and Discovery
This specification outlines a simple universal identification mechanism that is distributed and openly extensible, enabling each person to control their identity and to build a decentralised web of trust, which can be used to allow fine-grained access control. It does this by applying the best practices of Web Architecture whilst building on well-established, widely deployed protocols and standards including HTML, URIs, HTTP, and RDF Semantics.
WebID-TLS - WebID Authentication over TLS
The WebID-TLS protocol enables secure, efficient and user-friendly authentication on the Web using TLS and X.509 Certificates. It enables people to authenticate to any site by simply choosing one of the certificates proposed to them by their browser. These certificates can be created by any Web Site for their users. It is also a very effective means for software agents to authenticate. This specification extends the WebID Identity specification, which defines many of the core concepts used in WebID-TLS.
Certificate Ontology
WebID Profile documents can be used to publish public keys that identify the referent of the WebID as the owner of the corresponding private key. The Certificate Ontology defines the vocabulary to use to publish this information.

Prototype Specs

The benefits of WebID become even more evident if the following prototype specifications are taken into account. These are currently published on a wiki. Please implement them, send feedback, and help us turn them into widely implemented, well-reviewed specifications.

Web Access Control
Every resource on the Web can link to a resource describing in RDF the Access Control restrictions on that resource: i.e. which agent or groups of agents (listed by WebID) are allowed Read, Write or Control access on the resource. This allows clients to understand what they need to do to get access to a resource, using the same vocabulary the server uses to grant access. It also allows the Access Control rules to be edited using the same protocol defined by the Linked Data Platform. The Linked Data Platform is putting together a set of requirements for Access Control.
Identity_Interoperability
Agents can be identified in many more ways than via WebIDs. A WebID is a direct identifier: it refers directly to an agent. There are also a large number of indirect identifiers, that is, identifiers that refer to things (usually not agents) directly, but that only indirectly refer to an agent. For example, the initial http OpenIDs directly identify a web page, and indirectly an agent. An account name is a string that refers to itself, but indirectly identifies an account, which itself identifies a person. A public key identifies a set of numbers, but indirectly an agent that knows the private key, etc. Each of these identifiers then comes with methods of verifying the referent. The Identity Interoperability document should aim to show how one can transfer trust gained via one authentication procedure to another identifier, by relying on relations published between these identifiers in a Linked Data space tied potentially to a WebID.
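The following is an added example, not code from the WebID Incubator Group or any of the specifications above. It walks through the two server-side checks those specifications describe in sequence: the WebID-TLS step (the RSA key presented in the client certificate must be published, using the Certificate Ontology's cert:key, cert:modulus and cert:exponent, in the profile document that the certificate's SubjectAlternativeName WebID dereferences to), followed by a Web Access Control decision over an acl:Authorization that names the requested resource. The WebIDs, key values, resource URLs and both RDF documents are constructed for the example (the hex modulus is a short toy value, not a real RSA modulus); the documents are written one triple per line, an N-Triples style subset of Turtle, so a small regex parser can read them offline instead of an RDF library. Certificate parsing and the HTTPS fetch of the profile are assumed to happen elsewhere; the functions take the already extracted values.

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"
ACL = "http://www.w3.org/ns/auth/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# One triple per line: "<s> <p> <o> ." or '_:b <p> "lit"^^<dt> .' (N-Triples style).
TRIPLE_RE = re.compile(
    r'^\s*(<[^>]*>|_:\S+)\s+<([^>]*)>\s+'
    r'(<[^>]*>|_:\S+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>)?)\s*\.\s*$')


def parse_triples(text):
    """Return (subject, predicate, object) tuples; IRIs are unwrapped, blank
    nodes keep their _: label, literals are reduced to their lexical form."""
    triples = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        m = TRIPLE_RE.match(line)
        if not m:
            raise ValueError("unparseable triple: " + line)
        s, p, o = m.group(1), m.group(2), m.group(3)
        s = s[1:-1] if s.startswith("<") else s
        if o.startswith('"'):
            o = o[1:o.rindex('"')]          # drop quotes and ^^datatype
        elif o.startswith("<"):
            o = o[1:-1]
        triples.append((s, p, o))
    return triples


# Constructed WebID profile for Alice, publishing one RSA public key.
ALICE = "https://example.org/alice#me"
ALICE_PROFILE = """
<https://example.org/alice#me> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/auth/cert#RSAPublicKey> .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "00C0FFEE0123456789ABCDEF00FF11EE"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""


def profile_document_url(webid):
    """The profile is fetched from the WebID with its fragment removed."""
    return webid.split("#", 1)[0]


def published_keys(webid, profile_triples):
    """(modulus, exponent) integer pairs that the profile attaches to webid via cert:key."""
    keys = []
    for s, p, o in profile_triples:
        if s == webid and p == CERT + "key":
            props = {pp: oo for ss, pp, oo in profile_triples if ss == o}
            mod, exp = props.get(CERT + "modulus"), props.get(CERT + "exponent")
            if mod is not None and exp is not None:
                keys.append((int(mod, 16), int(exp)))   # hexBinary / integer
    return keys


def verify_webid_tls(san_webid, cert_modulus_hex, cert_exponent, profile_text):
    """WebID-TLS check: the certificate's key must appear in the profile the SAN
    WebID dereferences to. Possession of the private key is already proven by
    the TLS handshake; this step binds that key to the claimed WebID.
    Comparing as integers tolerates case, colons and leading zero bytes."""
    cert_key = (int(cert_modulus_hex.replace(":", "").replace(" ", ""), 16), cert_exponent)
    return cert_key in published_keys(san_webid, parse_triples(profile_text))


# Constructed ACL document: Alice may read and write the report; everyone
# (acl:agentClass foaf:Agent, which includes unauthenticated agents) may read it.
REPORT = "https://example.org/docs/report"
REPORT_ACL = """
_:a1 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/auth/acl#Authorization> .
_:a1 <http://www.w3.org/ns/auth/acl#accessTo> <https://example.org/docs/report> .
_:a1 <http://www.w3.org/ns/auth/acl#agent> <https://example.org/alice#me> .
_:a1 <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
_:a1 <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Write> .
_:a2 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/auth/acl#Authorization> .
_:a2 <http://www.w3.org/ns/auth/acl#accessTo> <https://example.org/docs/report> .
_:a2 <http://www.w3.org/ns/auth/acl#agentClass> <http://xmlns.com/foaf/0.1/Agent> .
_:a2 <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
"""


def allowed(webid, resource, mode, acl_triples):
    """Web Access Control decision for `mode` (acl:Read/Write/Control) on
    `resource` by `webid` (None for an unauthenticated agent). Only
    acl:Authorization nodes naming the resource in acl:accessTo count, and
    anything not explicitly granted is denied."""
    auths = {s for s, p, o in acl_triples if p == RDF_TYPE and o == ACL + "Authorization"}
    for auth in auths:
        props = [(p, o) for s, p, o in acl_triples if s == auth]
        if (ACL + "accessTo", resource) not in props or (ACL + "mode", mode) not in props:
            continue
        if (ACL + "agentClass", FOAF + "Agent") in props:
            return True
        if webid is not None and (ACL + "agent", webid) in props:
            return True
    return False


if __name__ == "__main__":
    # Constructed values as they would be read from a client certificate.
    san, modulus, exponent = ALICE, "c0:ff:ee:01:23:45:67:89:ab:cd:ef:00:ff:11:ee", 65537
    agent = san if verify_webid_tls(san, modulus, exponent, ALICE_PROFILE) else None
    print("authenticated as:", agent)
    print("write allowed:", allowed(agent, REPORT, ACL + "Write", parse_triples(REPORT_ACL)))
```

The order matters: a failed WebID-TLS check does not reject the request outright, it only demotes the client to an anonymous agent, and the ACL then decides whether public (foaf:Agent) access covers what was asked for. Note also that the profile is fetched from the WebID's own document URL, never from a location the certificate suggests, since the certificate is self-issued and untrusted until the profile confirms the key.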