
Identity as a Bargaining Chip

Open Mitzi-Laszlo opened this issue 6 years ago • 6 comments

My proposal is to make the separation of the WebID provision and the Pod Provision, even if the provision is by the same party, a Solid requirement.

Why?

Because if a Solid user is dissatisfied with the service of their Pod Provider and would like to leave they should be able to do so without being inconvenienced.

Inconveniences are brought about by making access to your data dependent on a service which is why Solid separates the app from the data. However, making identity dependent on a service could also be an inconvenient factor that would make an individual hesitate to leave a Pod Provider even if they are unhappy with the service.

An example of how identity has been used as a bargaining chip in the past is mobile phone numbers. Although it was technically possible to transfer a mobile number from one provider to another, the process to do so was so cumbersome that people would desist. https://en.wikipedia.org/wiki/Mobile_number_portability

Mitzi-Laszlo, May 03 '19 16:05

Your WebID needs to be at your pod, even if your IDP is somewhere else. This is because when people browse to your WebID, they should see your foaf profile.

There are three ways to set that up:

  1. on a domain name that is controlled by your pod provider, and that is used for more than one pod. This means they cannot let you take that domain name with you when you switch.
  2. on a domain name that has been registered only for you, by your pod provider, who then acts as both your pod provider and your DNR provider (and possibly also your IDP provider for webid-oidc, but that's irrelevant here).
  3. on a domain name that you registered through a DNR provider, who is not your current pod provider.

Currently, the existing pod providers don't act as DNR providers, and providing DNR is a complex business that not every pod provider will want to step into. But they might allow you to bring your own domain name (in the same way github pages, Heroku, and 5apps do, for example). You could also have a website somewhere with other things on it, and then use a subdomain of your personal domain name (pod.yourdomain.com) to point that to the IP address of your pod provider. It's worth adding a note to best practices for pod providers, that they should try to allow that.

michielbdejong, May 04 '19 14:05

There is the feature of solid:oidcIssuer that should allow users to decouple their Pod and IDP - I know at least @RubenVerborgh uses this in his profile (https://ruben.verborgh.org/profile/#me), but uncertain how well this is supported.

megoth, May 06 '19 16:05

> Your WebID needs to be at your pod, even if your IDP is somewhere else.

That is not correct because…

> This is because when people browse to your WebID, they should see your foaf profile.

that can be realized without having your WebID at your pod.

As mentioned, this is the setup that I have (WebID: https://ruben.verborgh.org/profile/#me, pod: https://drive.verborgh.org/), but not for the reason that @megoth lists.

The solid:oidcIssuer predicate in my profile is used to indicate my IDP, but not my pod. It so happens that my IDP and my pod are the same server, but my pod is indicated by pim:storage.

The bigger point that we need to be aware of is that, (only) technically speaking, there is no concept of “my pod”. What exists is a collection of pods, some of which I have Read, Write, and/or Control access to. What we are inclined to call “my pod” is an account that we registered for ourselves. Put purely from the HTTP/LDP perspective, there is nothing special about this pod. It is considered “my pod” because I have Control access to all files, but I could be given that to any other pod, or I could lock myself out of my own.

So the notion of “my pod” is purely an organizational one (= who created the account), not a technically distinguishing one.

Exemplified with my own setup:

  • My FOAF profile is hosted at https://ruben.verborgh.org/profile/#me and has been for many years, even before I was on Solid. The server at ruben.verborgh.org is not even a Solid server.
  • An IDP that allows me to authenticate as https://ruben.verborgh.org/profile/#me is at https://drive.verborgh.org/.
  • There exist a couple of Solid pods on the Web to which https://ruben.verborgh.org/profile/#me has full control.

RubenVerborgh, May 07 '19 07:05

Right, true. So if I get it right now, as a Solid user you consume the following services:

  • a personal or shared domain name registration (whether your own domain name or a subdomain or a shared domain) for FOAF profile and /.well-known/openid-configuration
  • /.well-known/openid-configuration hosting on your personal or shared domain name
  • IDP service, linked from that
  • FOAF profile hosting (could be separate from pim:storage, but then you need a different way to edit it), needs to be at your personal or shared domain name
  • pim:storage service, linked from that
  • possibly other storage areas to which you have access
  • Updates-Via, for each of these storage areas

michielbdejong, May 07 '19 08:05
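Added example, not part of the thread and not code from any Solid project: a Python sketch of the check the two comments above imply, reading `solid:oidcIssuer` and `pim:storage` from a WebID profile and reporting whether the WebID's host is tied to the IDP or storage host. The sample profiles and `*.example` hosts are constructed, the Turtle handling covers only a small subset, and the host comparison is a heuristic assumption.

```python
import re
from urllib.parse import urljoin, urlsplit

SOLID_OIDC_ISSUER = "http://www.w3.org/ns/solid/terms#oidcIssuer"
PIM_STORAGE = "http://www.w3.org/ns/pim/space#storage"

def objects_of(turtle, predicate, base):
    """IRIs used as objects of `predicate`. Handles only a small Turtle subset
    (@prefix lines, <IRI> objects, comma lists) and ignores the subject."""
    forms = [re.escape(f"<{predicate}>")]
    for pfx, ns in re.findall(r"@prefix\s+([\w-]*):\s*<([^>]*)>\s*\.", turtle):
        if predicate.startswith(ns):
            forms.append(re.escape(f"{pfx}:{predicate[len(ns):]}"))
    pattern = r"(?<![\w:-])(?:%s)\s+((?:<[^>]*>\s*,\s*)*<[^>]*>)" % "|".join(forms)
    return [urljoin(base, iri)  # resolve relative IRIs such as </>
            for objs in re.findall(pattern, turtle)
            for iri in re.findall(r"<([^>]*)>", objs)]

def host(iri):
    return (urlsplit(iri).hostname or "").lower()

def tied(a, b):
    """Heuristic: same host, or one host is a subdomain of the other. It cannot
    tell who controls the parent domain (the user or the provider)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def portability_report(webid, turtle):
    doc = webid.split("#", 1)[0]  # profile document URL, used as base IRI
    issuers = objects_of(turtle, SOLID_OIDC_ISSUER, doc)
    storages = objects_of(turtle, PIM_STORAGE, doc)
    return {
        "issuers": issuers,
        "storages": storages,
        "identity_tied_to_idp": any(tied(host(webid), host(i)) for i in issuers),
        "identity_tied_to_storage": any(tied(host(webid), host(s)) for s in storages),
    }

PREFIXES = """@prefix solid: <http://www.w3.org/ns/solid/terms#> .
@prefix pim: <http://www.w3.org/ns/pim/space#> .
"""
# Constructed sample: profile on the user's own site, IDP and storage on one other server.
SEPARATE = PREFIXES + "<#me> solid:oidcIssuer <https://drive.example/> ; pim:storage <https://drive.example/> ."
# Constructed sample: profile, IDP and storage all under the provider's domain.
BUNDLED = PREFIXES + "<#me> solid:oidcIssuer <https://provider.example/> ; pim:storage </> ."

if __name__ == "__main__":
    print(portability_report("https://alice.example/profile/#me", SEPARATE))
    print(portability_report("https://alice.provider.example/profile/card#me", BUNDLED))
```

A production check would parse the profile with a real RDF library and compare registrable domains using the Public Suffix List instead of the subdomain heuristic.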

Add your suggestions of if and how to include identity independence in the Solid Spec https://github.com/solid/solid-spec/pull/163 and test suite criteria https://github.com/solid/test-suite/blob/master/README.md

Mitzi-Laszlo, May 07 '19 12:05

Indirectly related to this issue is also how Pods can be controlled by groups of data subjects https://github.com/solid/solid-spec/issues/164

Mitzi-Laszlo, May 07 '19 12:05