[OTDev] On the Authentication API

Christoph Helma helma at in-silico.de
Mon Jan 18 10:43:04 CET 2010


Excerpts from chung's message of Thu Jan 14 19:14:58 +0100 2010:
> Hi All
>  I had a thought about the authentication API. According to REST
> architecture every user should be a resource - thus have a URI and a
> corresponding RDF representation which could contain the following
> information:
> 
> * username
> * realname (first + last)
> * timestamp of user creation
> * email
> * Optionally personal information like: Country, City, Address, Web
> Site, Tel, favorite band etc
> * And finally the password (actually its digest)
> 
> It is quite easy to extend the API properly to include such entities and
> build some user RDFs but it is still not very clear how one (e.g.  a
> service) will securely access those data which of course *should not* be
> accessible to everyone but only to the various services of OpenTox. If
> these data are accessible from all OpenTox services (and only these), we
> have a distributed system with distributed users. 
> 
> To restrict access to these data only to some services we could
> establish a Virtual Private Network ( see
> http://en.wikipedia.org/wiki/Virtual_private_network  ) over SSL to
> ensure secure travelling of sensitive data. This way user data will be
> available only to the services. Additionally I think it is good practice
> to use hash functions like SHA-512 to store passwords.
> 
> Do you think such a structure would be appropriate for OpenTox? 

I think that authentication is straightforward and relatively easy to manage. The
hard part is authorisation and the propagation of access rights (models
should e.g. inherit permissions from their training datasets). I had a
brief look at OAuth that could do the job. Although juggling around
with all these tokens is not very straightforward, I have no idea for a
simpler solution.

Best regards,
Christoph
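A constructed illustration of the propagation problem described above (a model must never be readable by someone who may not read the data it was trained on); this is added example code, not code from the thread or from the OpenTox project, and the URIs, principals and registry layout are assumptions.

```python
"""Toy authorisation model: effective readers of a resource are its own ACL
intersected with the effective readers of everything it was derived from.
All URIs, principals and the registry layout below are constructed."""
from typing import Dict, FrozenSet, List

# Constructed sample registry: URI -> explicit read ACL + derivation links.
REGISTRY: Dict[str, dict] = {
    "http://example.org/dataset/1": {"acl": {"alice", "bob", "svc-model"},
                                     "derived_from": []},
    "http://example.org/dataset/2": {"acl": {"alice", "svc-model"},
                                     "derived_from": []},
    # model 7 was trained on both datasets; its owner also granted carol
    "http://example.org/model/7": {"acl": {"alice", "bob", "carol"},
                                   "derived_from": ["http://example.org/dataset/1",
                                                    "http://example.org/dataset/2"]},
    # model 8 was built on top of model 7 (e.g. a derived or ensemble model)
    "http://example.org/model/8": {"acl": {"alice", "bob"},
                                   "derived_from": ["http://example.org/model/7"]},
}


def effective_readers(uri: str, registry=REGISTRY, _seen=None) -> FrozenSet[str]:
    """Own ACL narrowed by every upstream resource, recursively. A cycle in
    the derivation graph is treated as a misconfiguration and grants nothing."""
    _seen = _seen or set()
    if uri in _seen:
        return frozenset()
    _seen = _seen | {uri}
    entry = registry[uri]
    readers = frozenset(entry["acl"])
    for parent in entry["derived_from"]:
        readers &= effective_readers(parent, registry, _seen)
    return readers


def can_read(principal: str, uri: str, registry=REGISTRY) -> bool:
    """Access check a service would run before serving the representation."""
    return principal in effective_readers(uri, registry)


def audit(registry=REGISTRY) -> Dict[str, List[str]]:
    """Principals whose explicit grant is ineffective because an upstream
    dataset denies them; handy when reviewing ACLs for silent over-grants."""
    return {uri: sorted(set(e["acl"]) - effective_readers(uri, registry))
            for uri, e in registry.items()}
```

With this registry, model/7 ends up readable only by alice, because bob is missing from dataset/2 and carol from both datasets.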
