[OTDev] On the Authentication API

chung chvng at mail.ntua.gr
Thu Jan 14 19:14:58 CET 2010


Hi All
I had a thought about the authentication API. According to REST
architecture every user should be a resource - thus have a URI and a
corresponding RDF representation which could contain the following
information:

* username
* realname (first + last)
* timestamp of user creation
* email
* Optionally personal information like: Country, City, Address, Web
Site, Tel, favorite band etc
* And finally the password (actually its digest)

It is quite easy to extend the API properly to include such entities and
build some user RDFs, but it is still not very clear how one (e.g. a
service) will securely access those data, which of course *should not* be
accessible to everyone but only to the various services of OpenTox. If
these data are accessible from all OpenTox services (and only these), we
have a distributed system with distributed users.

To restrict access to these data only to some services we could
establish a Virtual Private Network (see
http://en.wikipedia.org/wiki/Virtual_private_network) over SSL to
ensure secure travelling of sensitive data. This way user data will be
available only to the services. Additionally I think it is good practice
to use hash functions like SHA-512 to store passwords.
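As an added illustration (not code from the original post or from OpenTox), a minimal version of the user resource and digest storage sketched above. The base URI and the `ot:` vocabulary are assumptions, and a per-user random salt is added beyond what the post specifies so that two users with the same password do not share a stored digest.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha512$<salt hex>$<digest hex>' for storage in the user resource.

    Storing the SHA-512 digest is what the post proposes; the random
    per-user salt is an addition for this example."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "sha512":
        return False
    recomputed = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(recomputed, digest_hex)


def user_resource(base_uri: str, username: str, realname: str, email: str,
                  password: str, created: Optional[str] = None) -> str:
    """Build a Turtle representation of the user resource described in the post.

    Base URI and the 'ot:' vocabulary are hypothetical; field values are
    assumed to contain no double quotes. Only the digest is written, never
    the password itself."""
    if created is None:
        created = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    return (
        "@prefix ot: <http://example.org/opentox-user#> .\n"
        f"<{base_uri}/user/{username}> a ot:User ;\n"
        f'    ot:username "{username}" ;\n'
        f'    ot:realname "{realname}" ;\n'
        f'    ot:email "{email}" ;\n'
        f'    ot:created "{created}" ;\n'
        f'    ot:passwordDigest "{hash_password(password)}" .\n'
    )
```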

Do you think such a structure would be appropriate for OpenTox?

Best Regards,
Pantelis
