Privacy concerns with a decentralised social network

Continuing on the earlier rant I had, I felt a void when it came to "Private" areas of certain social networks. In a simple world, the entire web is public, but unfortunately the world ain't simple.

When you upload a picture to Flickr, or if you upload a video to Google Video, or if you create a Picasa Web Album, you can opt to have it unlisted and sort of "private" -- friends only. If I opt out of those services (by hosting my photos or videos myself) then I must also carry the burden of protecting those resources. How should / could this be done in the semantic web?

I already have a nice big list of friends in my foaf.rdf file. Just a few days ago, the foaf developers found out that they should have a foaf:openid. This is the obvious solution to part of the problem of protecting my resources.

  1. I have a foaf file where I list my friends. I would like my friends to be able to view a certain album. Ok, cool.
  2. The list contains their OpenIDs, and not necessarily their e-mail addresses.
  3. I require a simple OpenID login (not that hard to implement; it should be a standard code fragment) for those "protected" resources
  4. When someone successfully logs in to OpenID and asks for a protected resource, I simply check my foaf file(s) to see if the foaf:Person behind that OpenID is someone I know, and is someone that I would like to give access to this page.

Now this all seems quite easy to do, except that I need some code on my server which performs the actual security checks for me. I have to do this on my own server; I can't really delegate this. If I receive a GET request for a protected resource then I can't really trust the end user that they have performed the checks I outlined above :-)

I will need

The OpenID login page is pretty easy I guess; it should be pretty standard stuff, so I won't get into details here.

To indicate that a resource is protected, an easy guess is that someone has already figured out that ACLs are easily expressed in RDF: Resource foo is protected by ACL bar. Any request for foo must therefore pass the bar access control.

The access control list itself is similarly RDFish: family are allowed to GET resources. This can also be expressed in RDF using a specific ACL vocabulary.

Finally to check if a certain logged in OpenID is part of a group which is allowed to GET anything, it is enough to find that user in the foaf.rdf resource and check that it is tagged accordingly as a family member.
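The server-side check described above, sketched as an added example (not code from the original post). It assumes the OpenID login has already been verified, that "family" is modelled as a foaf:Group with foaf:member entries, and that a hypothetical Python dict stands in for the RDF ACL vocabulary; all names and URLs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
FOAF = "{http://xmlns.com/foaf/0.1/}"

# Constructed sample foaf.rdf (not a real profile).
FOAF_RDF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
                  xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Group>
    <foaf:name>family</foaf:name>
    <foaf:member>
      <foaf:Person>
        <foaf:name>Alice Example</foaf:name>
        <foaf:openid rdf:resource="https://alice.example.org/"/>
      </foaf:Person>
    </foaf:member>
  </foaf:Group>
  <foaf:Person>
    <foaf:name>Bob Example</foaf:name>
    <foaf:openid rdf:resource="https://bob.example.net/"/>
  </foaf:Person>
</rdf:RDF>"""

# Hypothetical ACL: resource path -> {HTTP method: groups allowed}.
ACL = {"/albums/holiday/": {"GET": {"family"}}}

def normalise(openid):
    """Canonical form so 'HTTPS://Alice.Example.org' matches the stored URL."""
    u = urlsplit(openid.strip())
    if u.scheme.lower() not in ("http", "https") or not u.hostname:
        return None
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"

def groups_for(openid, foaf_xml=FOAF_RDF):
    """Names of the foaf:Groups whose members carry this foaf:openid."""
    wanted, found = normalise(openid), set()
    for group in ET.fromstring(foaf_xml).iter(FOAF + "Group"):
        for oid in group.iterfind(f"{FOAF}member/{FOAF}Person/{FOAF}openid"):
            if wanted and normalise(oid.get(RDF + "resource", "")) == wanted:
                found.add(group.findtext(FOAF + "name"))
    return found

def is_allowed(verified_openid, method, path):
    """Default deny: unknown resources, methods and identities get False."""
    allowed_groups = ACL.get(path, {}).get(method, set())
    return bool(allowed_groups & groups_for(verified_openid))
```

Being listed in the foaf file is not enough on its own: Bob is a known foaf:Person but is not in the family group, so his request is refused.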

Adoption problems include, of course, the fact that it requires more code on the server and that it requires people to use OpenID (but this might not be such a big problem now that it's backed by Microsoft and The Mozilla Foundation).
