RE: Authentication workflow draft. from peter williams on 2011-04-12 (public-xg-webid@w3.org from April 2011)

From: peter williams <home_pw@msn.com>
Date: Tue, 12 Apr 2011 12:45:28 -0700
To: "'Henry Story'" <henry.story@bblfish.net>
CC: "'Akbar Hossain'" <mail@akbarhossain.com>, "'WebID XG'" <public-xg-webid@w3.org>
Message-ID: <SNT143-ds17519D073968EDCDAE93FB92AB0@phx.gbl>
Its not complex thinking; I simply try to use libraries I have from major
vendors, rather than do any programming (Im a crap programmer, limited to
visual basic programming, or similar). Where possible I also use security
standards, rather than invent my own stuff (because I'm limited at security
eval, since it takes years to get it right).  Where possible, I use services
(since they tend to be delivered by folks cleverer than me). Its my personal
limits that drive my choices. Working in realty, I have work within
commodity and legacy constraints (which is not the case if one is doing
research, or building the very platform): I don't have any choice. If IE6
has bugs, I code around them.if 30% of my users use IE6!

 

I think we do this outside W3C, between uriburner and others interested
parties. It's pointless arguing about architecture. You don't want a web
service, intermediating (whereas I do and need it simply to lessen the
burden, and isolate specialized security enforcement to a data service). I
want correctness, and am happy to delegate. 

 

Forcing folks to do what they don't want just produces resistance,  manifest
in hinderances, ad hominem. Now, youv'e admitted before that your own
implementation uses such a webservice behind the scenes. We can do this as
an implementation project, not a W3C project. It can become a defacto
standard, if that's the way the world goes.

 

Im not sure where x-509 MIME types are defined (its been a decade or more
since I did IETF stuff). I'm passed caring, since its de facto status now
(like most good standards). It works in a billion PCs, and that really
matter. PEM format is even defined, but we talk about it all the time!

 

From: Henry Story [mailto:henry.story@bblfish.net] 
Sent: Tuesday, April 12, 2011 12:24 PM
To: peter williams
Cc: 'Akbar Hossain'; 'WebID XG'
Subject: Re: Authentication workflow draft.

 

 

On 12 Apr 2011, at 21:14, peter williams wrote:





If we wanted to use W3C standards (even partly), we could even post

 

<wsse: BinarySecurityToken Id="myX509Token"

        ValueType="wsse: X509v3"

        EncodingType="wsse: Base64Binary">

NIFEPzCCA9CrAwIBAgIQEmtJZc0 . .. The rest of the X. 509 base 64 data
FExErTECA .. .

</wsse:BinarySecurityToken>

 

over https (with client authn + SSL Sessionid).

 

All it has to be is something like (ignoring the SOAP bit):

http://msdn.microsoft.com/en-us/library/ms996951.aspx (Adding the X.509
Certificate Token to a SOAP Message)

 

could we be allowed JUST a tiny wee bit of SOAP (since java, and dotNet and
. all do the above, being so ancient a spec)? If not, then we are back to
fussing with mime types and encoding headers etc, per my last message

 

No this is a RESTful list. We are working on hypermedia applications here. 

 

I do notice a very strong tendendency with you to always seek out the more
complicated solutions, rather than the simpler ones, to seek complexity
rather than simplicity... 

 

 





 

 

From: akkiehossain@gmail.com [mailto:akkiehossain@gmail.com] On Behalf Of
Akbar Hossain
Sent: Tuesday, April 12, 2011 11:04 AM
To: peter williams
Cc: WebID XG; Andrei Sambra; Kingsley Idehen
Subject: Re: RE: Authentication workflow draft.

 

Perhaps a small variant of the delegated service as per foafssl.org
<http://foafssl.org/> 

On 12 Apr 2011 18:03, "peter williams" <home_pw@msn.com> wrote:
> Yes, it's time for a restful web service (supported by https client authn
and SSL session management) that takes a base64 encode cert as input, and
returns YES/NO 
> 
> The input parser should assume the worst: strange CRLF or LR or CR, random
header text, variable number of dashes, missing final EOL, UTF header bytes,
web friendly char sets or ascii - so as to deal with the realty of "PEM
encoding"
> 
> Another variant would take a cert sha1 fingerprint, rather than the cert.
> 
> -----Original Message-----
> From: public-xg-webid-request@w3.org
[mailto:public-xg-webid-request@w3.org] On Behalf Of Kingsley Idehen
> Sent: Tuesday, April 12, 2011 9:29 AM
> To: peter williams
> Cc: 'Andrei Sambra'; 'WebID XG'
> Subject: Re: Authentication workflow draft.
> 
> On 4/12/11 12:14 PM, peter williams wrote:
>> This is relevant to me, as it means for each URI in the SAN, I do a
uriburner query, which (remotely) looks for a cert:identity match for 1 card
at a time.
>>
>> Can sparql have multiple FROM lines? Perhaps?
> 
> Yes, re. Virtuoso's SPARQL support.
> 
>> Can the query be modified so Id know which URI matched, if one could
specify multiple matches?
> 
> Yes.
> 
> I am guessing its time for a WebID verification service. Ditto email
verification service as spec'd by Toby a while back.
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen 
> President& CEO
> OpenLink Software
> Web: http://www.openlinksw.com <http://www.openlinksw.com/> 
> Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen
> 
> 
> 
> 
> 
> 
> 
>

 

Social Web Architect
http://bblfish.net/
Received on Tuesday, 12 April 2011 19:46:00 UTC