2007/07/19

Open Authorization, Permissions, and Socially Enabled Security

The session I proposed at Mashup Camp, Open Authentication and Authorization for Mashups, went pretty well (though I should have done more marketing). Unfortunately none of the people on the OAuth group were at Mashup Camp, but perhaps we generated some more interest and use cases for it.

Consider a user navigating web services and granting various levels of permissions to mash-ups; a mash-up might request the right to read someone's location and write to their Twitter stream, for example.  The first time this happens, the user would be asked something like this:

The TwiLoc service is asking to do the following on an ongoing basis:
- Read your current location from AIM, and
- Create messages on your behalf in Twitter.
How does this sound?
[ ] No [ ] Yes [ ] Yes, but only for today


The user would also have a way to see what permissions they've granted, how often they've been used (ideally), and be able to revoke them at any time.

Now, of course, users will just click through and say "Yes" most of the time on these.  But there's a twist; since you're essentially mapping out a graph of web services, requested operations, granted permissions, usage, and revocations, you start to build up a fairly detailed picture of what services are out there and what precisely they're doing.  You also find out what services people trust.  Throw out the people who always click "yes" to everything, and you could even start to get some useful data.

You can also combine with social networks.  What if you could say, "by default, trust whatever my buddy Pete trusts"?  Or, "trust the consensus of my set of friends; only ask me if there's disagreement"?  Or more prosaically, "trust what my local IT department says".
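Here is an added Python sketch of the bookkeeping described above (grants with scopes, "only for today" expiry, usage counts, revocation) together with the social defaults: a single trusted buddy, the consensus of a set of friends, and "ask me only on disagreement". It is not code from this post or from OAuth; the TwiLoc name is taken from the example prompt, while the scope strings, class names and friend lists are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Grant:
    user: str
    consumer: str                # the mash-up, e.g. "TwiLoc" (name taken from the post)
    scopes: frozenset            # constructed scope strings, e.g. {"aim:read_location"}
    expires: Optional[datetime]  # None = ongoing; set for "Yes, but only for today"
    revoked: bool = False
    uses: int = 0                # counted so the user can see how often a grant is exercised

class PermissionStore:
    def __init__(self):
        self.grants = []
        self.friends = {}        # user -> people (or "it-dept") whose decisions are trusted by default

    def grant(self, user, consumer, scopes, now, today_only=False):
        exp = now.replace(hour=23, minute=59, second=59) if today_only else None
        g = Grant(user, consumer, frozenset(scopes), exp)
        self.grants.append(g)
        return g

    def revoke(self, user, consumer):
        for g in self.grants:
            if (g.user, g.consumer) == (user, consumer):
                g.revoked = True

    def _opinion(self, user, consumer, scopes, now):
        """('allow', grant) if a live grant covers every requested scope,
        ('deny', None) if the user has revoked this consumer, (None, None) otherwise."""
        mine = [g for g in self.grants if (g.user, g.consumer) == (user, consumer)]
        for g in mine:
            if not g.revoked and (g.expires is None or now <= g.expires) and scopes <= g.scopes:
                return "allow", g
        return ("deny", None) if any(g.revoked for g in mine) else (None, None)

    def decide(self, user, consumer, scopes, now):
        """'allow', 'deny' or 'ask': the user's own grants win; otherwise the
        consensus of trusted friends is followed, and any disagreement falls back to asking."""
        scopes = frozenset(scopes)
        verdict, g = self._opinion(user, consumer, scopes, now)
        if verdict == "allow":
            g.uses += 1          # only the user's own grant is counted as used
            return "allow"
        if verdict == "deny":
            return "deny"
        votes = {self._opinion(f, consumer, scopes, now)[0] for f in self.friends.get(user, [])}
        votes.discard(None)      # friends with no opinion don't vote
        return votes.pop() if len(votes) == 1 else "ask"
```

Because a friend's revocation counts as a "deny" vote, one buddy who revoked TwiLoc is enough to turn a group default into a prompt, which is the "only ask me if there's disagreement" behaviour.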