W3C home > Mailing lists > Public > public-xg-webid@w3.org > June 2011

ldap = Re: [foaf-protocols] WebID test suite

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 30 Jun 2011 00:00:01 +0200
Cc: Peter Williams <home_pw@msn.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-Id: <4035B49F-C716-4691-8D6B-4329AD82B9D7@bblfish.net>
To: Mo McRoberts <mo.mcroberts@bbc.co.uk>

On 29 Jun 2011, at 23:17, Mo McRoberts wrote:

> 
> On 29 Jun 2011, at 21:59, Henry Story wrote:
> 
>> yes, but the attribute on one web site will not necessarily, and indeed usually will not have the meaning of an attribute on another site. That is the point I am trying to make. This is true in ldap as it is of attributes in a URL.
>> 
>> The "cn" above is a string of two places. Ok, so often in ldap contexts it means Common Name, but in other places in might mean Confidentiatlity Number, and in other places it means Chinese National, or "Centre Nucleair" etc.
> 
> CN _always_ in LDAP contexts it means Common Name, just as it always means it in X.509 certs. In fact, CN, OU, C et al in an X.509 cert and in an LDAP-exposed directory aren't just equivalent, but *exactly* the same thing.

IF CN always means Common name, then we are dealing with an attempt to create a global schema without a namespace, which means centralisation of decision points and slow evolution. Perhaps not a bad thing in this case. And as it has been around for a while it will have gained a lot of adoption.

If software does indeed expect certain names to be used in ldap directories, then I can see how this ends up creating expectations that lead to conventional regularities. The consuming agents will be widely deployed software tools, and the anticipation to have directories work with new software and old software as it comes along.

> a attr=value,attr=value,attr=value Distinguished Name uses the same namespaces as the rest of the attributes and object types you'll see from any given server. The core stuff comes from the earliest specs and is well-defined and well-known  CN and DC both fall into that category.
> 
>> LDAP having evolved in closed circles, there was no need pragmatic need for these to synchronise with one another (Or at least only very few of them did) So one can predict that they did not. At least it is now an empirical task to work out if by chance everyone used these names the same way.
> 
> Aside from the fact that you generally don't need to care about the names themselves, there are specs for the commonly-used stuff (that's how it became commonly-used!)  hence my suggestion that you look at the schema files in an OpenLDAP installation.
> 
> ITU-land has a huge number of faults, but as the whole point of X.500 was a globally-connected telephone directory on steroids, they were pretty keen to ensure interop. LDAP follows along that path, but with the added benefits of having IETF input along the way.

(Not everything the IETF does succeeds to the degree they initially hope it will.)

> 
> Believe me, if *that* stuff didn't interop properly, then X.509 certs wouldn't have ever managed to either, and WebID wouldn't exist  it's all part of the same family :)

Well X509 certs use OIDs, and you can even read those OIDs in the document. 

Ok. So lets move on then. Here are some thoughts:

LDAP->Semweb proxy
------------------

It should be easy to write extractors of ldap for the semweb that work on a very large number of ldap dbs out of the box. So one could write a quick ldap->semweb proxy. I can see this being immediately beneficial for any WebID enabled Social Web server to have. 

LDAP in semweb
--------------

Following up on the idea of ldap urls in WebID endpoints.

- What does such an ldap url look like btw? (the one we want to put in the X509 cert and that points to a dereferenceable resource)
- can one put a public key in there? Is there a attribute pair for those? (I guess there will be)

That is all that is needed for ldap URL authentication

- does ldap allow for linking between ldap directories? a kind of ldif version of linked data? Can we have a foaf:knows relation in ldap so that someone can store her friends there? Or is it perhaps better just to have a see:also link to point to an http resource which can describe relations between people and things more flexibly?
- How many ldap endpoints are open to the world? Do they usually allow global access to anyone, as web pages servers usually give access to anyone? Or are they mostly just closed to the company employees behind a firewall? 
  (trying to evaluate the market size here)
 -> those that do could allow webid type url dereferencing
     + but what is the proportion of those?
     + how many have access control mechanisms, so that if I am a friend of ldap://orange.fr/@cn=Barbara Doe,dc=example,dc=com I would be able to access more of her ldap entries?
     + what is the interest of those in ldap land to open up their ldap servers this way? Why would they be interested? Who are they? Are they willing to work on WebID implementations for this, and write specs for it? (Apart from OpenLink of course)
     
   Henry


> 
> M.
> 
> -- 
> Mo McRoberts - Data Analyst - Digital Public Space,
> Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
> Room 7066, BBC Television Centre, London W12 7RJ,
> 0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 29 June 2011 22:00:32 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:24 UTC