Re: Authentication workflow draft.

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 12 Apr 2011 22:05:19 +0200
Cc: "'Akbar Hossain'" <mail@akbarhossain.com>, "'WebID XG'" <public-xg-webid@w3.org>
Message-Id: <F5C3A5E4-63A2-4DC7-8521-CB43A7613172@bblfish.net>
To: peter williams <home_pw@msn.com>

On 12 Apr 2011, at 21:45, peter williams wrote:

> It's not complex thinking; I simply try to use libraries I have from major vendors, rather than do any programming (I'm a crap programmer, limited to visual basic programming, or similar).

So do I of course.

> Where possible I also use security standards, rather than invent my own stuff (because I'm limited at security eval, since it takes years to get it right).  Where possible, I use services (since they tend to be delivered by folks cleverer than me). It's my personal limits that drive my choices. Working in realty, I have to work within commodity and legacy constraints (which is not the case if one is doing research, or building the very platform): I don't have any choice. If IE6 has bugs, I code around them… if 30% of my users use IE6!

So does everyone.  But tools by themselves are not enough. How you use them is very important. How you put them together. That is architecture. And in a global distributed information space, things don't just work like they do in even very large companies. For one there is no center of control.

What we do care about is Web Architecture here, and that is not a minor matter to skirt.  It is core to why we think we have an advantage. 


<aside topic="rest-vs-soap">
 Btw. REST tools are even more widespread than SOAP or xmlrpc tools, and they are even more widely understood.  Amazon's REST services was used 85% more in 2003 http://www.oreillynet.com/pub/wlg/3005
And if you ask developers they prefer REST 
   http://stackoverflow.com/questions/76595/soap-or-rest

Here is a very good presentation on REST btw: http://t.co/l1bmeeZ

It's not really worth having arguments on this here. 
</aside>



>  
> I think we do this outside W3C, between uriburner and other interested parties. It's pointless arguing about architecture. You don't want a web service, intermediating (whereas I do and need it simply to lessen the burden, and isolate specialized security enforcement to a data service). I want correctness, and am happy to delegate.
>  
> Forcing folks to do what they don't want just produces resistance, manifest in hindrances, ad hominem. Now, you've admitted before that your own implementation uses such a webservice behind the scenes. We can do this as an implementation project, not a W3C project. It can become a de facto standard, if that's the way the world goes.
>  
> I'm not sure where x-509 MIME types are defined (it's been a decade or more since I did IETF stuff). I'm past caring, since it's de facto status now (like most good standards). It works in a billion PCs, and that really matters. PEM format is even defined, but we talk about it all the time!

Yes, but it would be helpful to have the references here, because we are trying to build protocols. We are not just trying to give people on this mailing list work. We are interested in standard based adoptions.

>  
> From: Henry Story [mailto:henry.story@bblfish.net] 
> Sent: Tuesday, April 12, 2011 12:24 PM
> To: peter williams
> Cc: 'Akbar Hossain'; 'WebID XG'
> Subject: Re: Authentication workflow draft.
>  
>  
> On 12 Apr 2011, at 21:14, peter williams wrote:
> 
> 
> If we wanted to use W3C standards (even partly), we could even post
>  
> <wsse:BinarySecurityToken Id="myX509Token"
>         ValueType="wsse:X509v3"
>         EncodingType="wsse:Base64Binary">
> NIFEPzCCA9CrAwIBAgIQEmtJZc0 . .. The rest of the X. 509 base 64 data FExErTECA .. .
> </wsse:BinarySecurityToken>
>  
> over https (with client authn + SSL Sessionid).
>  
> All it has to be is something like (ignoring the SOAP bit):
> http://msdn.microsoft.com/en-us/library/ms996951.aspx (Adding the X.509 Certificate Token to a SOAP Message)
>  
> could we be allowed JUST a tiny wee bit of SOAP (since java, and dotNet and … all do the above, being so ancient a spec)? If not, then we are back to fussing with mime types and encoding headers etc, per my last message
>  
> No this is a RESTful list. We are working on hypermedia applications here. 
>  
> I do notice a very strong tendency with you to always seek out the more complicated solutions, rather than the simpler ones, to seek complexity rather than simplicity... 
>  
>  
> 
> 
>  
>  
> From: akkiehossain@gmail.com [mailto:akkiehossain@gmail.com] On Behalf Of Akbar Hossain
> Sent: Tuesday, April 12, 2011 11:04 AM
> To: peter williams
> Cc: WebID XG; Andrei Sambra; Kingsley Idehen
> Subject: Re: RE: Authentication workflow draft.
>  
> Perhaps a small variant of the delegated service as per foafssl.org
> 
> On 12 Apr 2011 18:03, "peter williams" <home_pw@msn.com> wrote:
> > Yes, it's time for a restful web service (supported by https client authn and SSL session management) that takes a base64 encode cert as input, and returns YES/NO 
> > 
> > The input parser should assume the worst: strange CRLF or LR or CR, random header text, variable number of dashes, missing final EOL, UTF header bytes, web friendly char sets or ascii - so as to deal with the realty of "PEM encoding"
> > 
> > Another variant would take a cert sha1 fingerprint, rather than the cert.
> > 
> > -----Original Message-----
> > From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Kingsley Idehen
> > Sent: Tuesday, April 12, 2011 9:29 AM
> > To: peter williams
> > Cc: 'Andrei Sambra'; 'WebID XG'
> > Subject: Re: Authentication workflow draft.
> > 
> > On 4/12/11 12:14 PM, peter williams wrote:
> >> This is relevant to me, as it means for each URI in the SAN, I do a uriburner query, which (remotely) looks for a cert:identity match for 1 card at a time.
> >>
> >> Can sparql have multiple FROM lines? Perhaps?
> > 
> > Yes, re. Virtuoso's SPARQL support.
> > 
> >> Can the query be modified so Id know which URI matched, if one could specify multiple matches?
> > 
> > Yes.
> > 
> > I am guessing its time for a WebID verification service. Ditto email verification service as spec'd by Toby a while back.
> > 
> > -- 
> > 
> > Regards,
> > 
> > Kingsley Idehen 
> > President& CEO
> > OpenLink Software
> > Web: http://www.openlinksw.com
> > Weblog: http://www.openlinksw.com/blog/~kidehen
> > Twitter/Identi.ca: kidehen
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >
>  
> Social Web Architect
> http://bblfish.net/
>  

Social Web Architect
http://bblfish.net/
Received on Tuesday, 12 April 2011 20:05:52 UTC
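
The tolerant input parsing requested in the quoted message above (CRLF, LF or bare CR line ends, stray header text, a variable number of dashes, a missing final EOL, UTF header bytes) together with the SHA-1 fingerprint variant, as an added Python example that is not part of the original thread. The function names and the sample blob are assumptions; the sample is a constructed DER SEQUENCE standing in for a certificate, and the structural check only confirms the outer DER framing, not that the content is a valid X.509 certificate.

```python
import base64, binascii, hashlib, re

# Any run of dashes, any letter case, optional whitespace around the label.
_BEGIN = re.compile(r"-+\s*BEGIN\s+CERTIFICATE\s*-+", re.I)
_END = re.compile(r"-+\s*END\s+CERTIFICATE\s*-+", re.I)
_NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")

def pem_to_der(blob):
    """Return DER bytes from a loosely formatted PEM certificate (str or bytes)."""
    if isinstance(blob, bytes):
        blob = blob.decode("utf-8-sig", errors="replace")  # drops a UTF-8 BOM
    text = blob.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    begin = _BEGIN.search(text)          # text before the marker is ignored
    if not begin:
        raise ValueError("no BEGIN CERTIFICATE marker")
    end = _END.search(text, begin.end())  # a truncated END line is tolerated
    body = text[begin.end():end.start() if end else len(text)]
    # Drop "Name: value" lines inside the armor, then every non-base64 character.
    b64 = _NOT_B64.sub("", "".join(l for l in body.split("\n") if ":" not in l))
    try:
        der = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not base64") from exc
    # Structural check: one outer DER SEQUENCE whose length covers all the bytes.
    if len(der) < 4 or der[0] != 0x30 or der[1] == 0x80:
        raise ValueError("not a DER SEQUENCE")
    n = der[1] & 0x7F if der[1] & 0x80 else 0
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    if n > 4 or 2 + n + length != len(der):
        raise ValueError("DER length does not match data")
    return der

def sha1_fingerprint(blob):
    """Colon-separated SHA-1 over the DER bytes, independent of PEM formatting."""
    digest = hashlib.sha1(pem_to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

# Constructed sample: a 260-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def sample_variants(der):
    """The same blob wrapped in several messy PEM encodings (all constructed)."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    clean = f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"
    odd = clean.replace("-----", "---").replace("---\n", "---\nX-Note: constructed\n\n", 1)
    return [clean, clean.replace("\n", "\r\n"),
            clean.replace("\n", "\r").rstrip("\r"),   # bare CR, no final EOL
            b"\xef\xbb\xbf" + clean.encode(),         # UTF-8 BOM, bytes input
            "subject=/CN=constructed\n" + odd]        # header text, 3 dashes
```

Because the fingerprint is taken over the decoded DER bytes, a service that accepts either the certificate or its fingerprint gives the same answer however the PEM text was mangled in transit.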