
Re: neither FCNS nor FOAFSSL can read a new foaf card (hosted in Azure). RDFa validators at W3C and RDFachecker say its fine...

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Wed, 28 Dec 2011 13:38:26 -0500
Message-ID: <4EFB6222.9030000@openlinksw.com>
To: public-xg-webid@w3.org
On 12/28/11 2:08 AM, Peter Williams wrote:
>
> Your tester fails against 
> http://b3d0c8f68475422784748b65f76b1642.cloudapp.net:8080/Aboutrel.aspx#me
>
> The stream is literally the RDFa card from the spec (with the modulus 
> changed).
>
> (The endpoint will provide an error response, should the GET bear a 
> fragment in the URI request arg.)

What should happen is as follows:

1. the URI above is de-referenced
2. data stored
3. query/lookup applied to graph for relations connecting URI to Public 
Key from SSL/TLS handshake.

Quick lookup of your profile data:

1. 
http://id.myopenlink.net/describe/?url=http%3A%2F%2Fb3d0c8f68475422784748b65f76b1642.cloudapp.net%3A8080%2FAboutrel.aspx%23me&urilookup=1  
-- showing WebID is the subject of 4 relations associated with Public 
Key components.

State of graph:

1. 
http://id.myopenlink.net/sparql?default-graph-uri=&query=PREFIX+%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+xsd%3A+%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%0D%0A%0D%0A%0D%0ASELECT+*++WHERE+%7B%0D%0A%3Chttp%3A%2F%2Fb3d0c8f68475422784748b65f76b1642.cloudapp.net%3A8080%2FAboutrel.aspx%23me%3E++%3Akey+%5B%0D%0A%3Amodulus+%3Fmod+%3B%0D%0A%3Aexponent+%3Fexp+%3B%0D%0A%5D+.%0D%0A%7D+&should-sponge=&format=text%2Fhtml&timeout=0&debug=on    
- SELECT Query Results

2. 
http://id.myopenlink.net/sparql?default-graph-uri=&qtxt=PREFIX+%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+xsd%3A+%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%0D%0A%0D%0A%0D%0ASELECT+*++WHERE+%7B%0D%0A%3Chttp%3A%2F%2Fb3d0c8f68475422784748b65f76b1642.cloudapp.net%3A8080%2FAboutrel.aspx%23me%3E++%3Akey+%5B%0D%0A%3Amodulus+%3Fmod+%3B%0D%0A%3Aexponent+%3Fexp+%3B%0D%0A%5D+.%0D%0A%7D+&should-sponge=&format=text%2Fhtml&timeout=0&debug=on  
-- SELECT Query Text

3. 
http://id.myopenlink.net/sparql?default-graph-uri=&query=PREFIX+%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+xsd%3A+%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%0D%0A%0D%0A%0D%0AASK+WHERE+%7B%0D%0A%3Chttp%3A%2F%2Fb3d0c8f68475422784748b65f76b1642.cloudapp.net%3A8080%2FAboutrel.aspx%23me%3E++%3Akey+%5B%0D%0A%3Amodulus+%3Fmod+%3B%0D%0A%3Aexponent+%3Fexp+%3B%0D%0A%5D+.%0D%0A%7D+&should-sponge=&format=text%2Fhtml&timeout=0&debug=on 
-- SPARQL ASK results

4. 
http://id.myopenlink.net/sparql?default-graph-uri=&qtxt=PREFIX+%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+xsd%3A+%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%0D%0A%0D%0A%0D%0AASK+WHERE+%7B%0D%0A%3Chttp%3A%2F%2Fb3d0c8f68475422784748b65f76b1642.cloudapp.net%3A8080%2FAboutrel.aspx%23me%3E++%3Akey+%5B%0D%0A%3Amodulus+%3Fmod+%3B%0D%0A%3Aexponent+%3Fexp+%3B%0D%0A%5D+.%0D%0A%7D+&should-sponge=&format=text%2Fhtml&timeout=0&debug=on 
-- SPARQL ASK query text .


Based on the above, our verifier shouldn't fail (bar a bug). Thus, you 
might have to provide information about what's actually in your cert. or 
send a .p12 if the prior one doesn't reflect latest tests.


Kingsley
>
> While the "snippet" of that spec card works fine in blogger with all 
> test sites, none of the 3 testing sites work with what is actually 
> given. This suggests the spec needs to change its example.
>
> One notes how the Turtle example is absolutely anchored (unlike the 
> RDFa example). Advise that the spec have identical triples (in 
> different representations)
> > From: home_pw@msn.com
> > To: kidehen@openlinksw.com; public-xg-webid@w3.org
> > Date: Tue, 27 Dec 2011 21:37:48 -0800
> > Subject: RE: neither FCNS nor FOAFSSL can read a new foaf card 
> (hosted in Azure). RDFa validators at W3C and RDFachecker say its fine...
> >
> >
> > I have spent a few hours getting really to grips with both ODS and 
> linkburner.
> >
> > Certain things are VERY straightforward.
> >
> >
> >
> > I logon with a password, and then map a cert to the account (just 
> like in windows). And, I can use the ODS builtin CA, to mint a second 
> cert with a variety of browser plugins/keygentags. The net result is I 
> can do https client authn to ODS, replacing the password challenge. 
> Technically, a cert-based login to ODS may even count as an act of 
> webid validation (rather than mere https client authn based on 
> fingerprint matching).
> >
> >
> >
> > Next, the account gives me a profile page. For any n certs 
> registered (with logon privileges, or not), the profile publishes 
> cert:key. Well done. From cert, infer cert:key. For a third party 
> cert, I can now reissue it (same pubkey) adding the ODS profile URI.
> >
> >
> >
> > Then I got a real feel for sponging an html/rdfa resource. The proxy 
> profile/URI is essentially a new profile, borrowing bits from the 
> "data source" that it screen scrapes. It has nothing to do with the 
> accounts' own profile page. The resultant profile has a proxy URI, and 
> one can put this in the SAN URI set of the cert whose pubkey was in 
> the original data source (and now in the proxy profile).
> >
> >
> >
> > I altered my http://yorkporc2.blogspot.com/ template/page. It now has 
> a webid.cert relation/link. It's a data URI, of type cert... with 
> base64 blog content. Ideally, sponger would now infer cert:key from 
> that link (but not any webid/foaf material), much like ODS profile 
> inferred cert:key from its store of mapped certs/accounts. It would 
> sponge the rest of the foaf card as normal.
> >
> >
> >
> > I was able to use the ODS webid validator to validate against my 
> cloud/azure hosted TTL card.
> >
> >
> >
> > I was able to run sparql queries on my yorkporc HTML and TTL 
> resources. I now understand (finally, after 2 years) why the sparql 
> query for HTML gives the proxy name for the subject (with cert:key) 
> rather than the data source's URI. I'm really doing sparql against the 
> proxy profile (not the data source), despite the FROM clause in the 
> sparql identifying the data source. When one uses a non sponged 
> resource (TTL), the sparql result is more intuitive as to subject names.
> >
> >
> >
> > I went through all the product documentation.
> >
> >
> >
> > I learned that you are using the foaf:account as a mapping mechanism 
> (not merely a publication device). If one uses facebook websso to 
> authenticate, it maps to an ODS account whose foaf profile publishes 
> said facebook account name in a foaf:account property.
> >
> >
> >
> > I suspect (but could not confirm) that the foaf:openid similarly 
> enables an openid identifier presented in openid websso to map to an ODS 
> profile, on login authentication. I failed at any UI to get the system 
> to act as an openid relying party, talking to my 
> http://yorkporc.wordpress.com's openid server.
> >
> >
> >
> > The built in openid server (that uses a webid challenge) is 
> confusing. I don't know if the webids and profiles that it vouches for 
> are limited to those in an ODS profile, in a proxy profile, or are for 
> any other public webid (for which a proxy profile is immediately created).
> >


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
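
The three verifier steps listed in the message above, together with the fragment and relative-subject points from the quoted text, as an added example that is not part of the original thread or of any verifier it mentions. It assumes the profile has already been parsed into (subject, predicate, object) string triples; the function names, hosts and key values are hypothetical and constructed for illustration.

```python
from urllib.parse import urldefrag, urljoin

CERT = "http://www.w3.org/ns/auth/cert#"

def request_url(webid):
    """Step 1: the URL to GET. The fragment stays client-side."""
    return urldefrag(webid).url

def resolve(node, base):
    """Blank nodes pass through; IRI references resolve against the document URL."""
    return node if node.startswith("_:") else urljoin(base, node)

def modulus_to_int(text):
    """cert:modulus literal -> int, ignoring spacing, colons and letter case."""
    return int("".join(c for c in text if c in "0123456789abcdefABCDEF"), 16)

def webid_matches_key(webid, triples, cert_modulus, cert_exponent):
    """Step 3: does the stored graph link the WebID to the handshake key?"""
    base = request_url(webid)
    graph = [(resolve(s, base), p, o) for s, p, o in triples]
    key_nodes = {resolve(o, base) for s, p, o in graph
                 if s == webid and p == CERT + "key"}
    for key in key_nodes:
        mods = {modulus_to_int(o) for s, p, o in graph
                if s == key and p == CERT + "modulus"}
        exps = {int(o) for s, p, o in graph
                if s == key and p == CERT + "exponent"}
        if cert_modulus in mods and cert_exponent in exps:
            return True
    return False

# Constructed sample data (not the card or key from the thread).
WEBID = "http://profile.example:8080/card.aspx#me"
RELATIVE_CARD = [            # subject written as "#me", as in an unanchored RDFa card
    ("#me", CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", "00:cb 24 ED:85"),
    ("_:k1", CERT + "exponent", "65537"),
]
ABSOLUTE_CARD = [(WEBID, *t[1:]) if t[0] == "#me" else t for t in RELATIVE_CARD]
COPIED_CARD = [("http://blog.example/#me", *t[1:]) if t[0] == "#me" else t
               for t in RELATIVE_CARD]  # absolute subject left over from another host

if __name__ == "__main__":
    for name, card in [("relative", RELATIVE_CARD), ("absolute", ABSOLUTE_CARD),
                       ("copied", COPIED_CARD)]:
        print(name, webid_matches_key(WEBID, card, 0xCB24ED85, 65537))
```

A card whose subject is relative follows the document to whatever URL serves it, while a card with an absolute subject copied from another host no longer describes the WebID placed in the certificate.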








Received on Wednesday, 28 December 2011 18:39:00 GMT
