
Re: what are claims mirrors?

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 16 Jan 2012 19:34:46 +0100
Message-Id: <C92BBE36-0FA6-43CE-BA6E-571D35E2426B@bblfish.net>
To: WebID XG <public-xg-webid@w3.org>

On 16 Jan 2012, at 17:00, Peter Williams wrote:

> I've tried three times to get off this list using the declared process, and am still getting endless mail.
>  
> I have both evidence and proof that I've sent the confirmation tokens acknowledging that I, as registered email account user, authorize and require W3C to stop distributing the mailing lists mail to my emailbox.
>  
> Help me, leave. I have things to do (and this stuff is too much fun).

Yes. Reading this I know what you mean by fun: inventing new words at a speed greater than you can define them. So one asks what a mirrored claim is and you come up with the following words:

 - multi-master
 - master record
 - classical multi-master-clustering
 - multi-master-endpoint
 - multi-master partner
 - slave secondary
 - proxy profile

are just some of those I discovered here.  But I don't find a clean definition of "claim mirrors" which was what my question was initially.

>  
> While I'm suffering, Kingsley means for claims mirror that the certificate and master record can be mirrored in a secondary master, as in classical multi-mastering clustering.

Ok, so according to you, Kingsley then means something different from what he said he means in his first post here. That is why I was asking for this to be defined.

By Master Record I suppose you mean the WebID Profile. 

So according to you a mirror is an exact duplicate then of the WebID Profile, placed somewhere else?


>  I made a yorkporc2.blogspot.com dataspace (known as a blog site). It has a author-centric profile page (whose vcard/hcard I ignore).
> It has a RSS-feed Person object (which I ignore). They are ignored because I have little or no control over their values (due to blogspot's user control concept). It has 1 post, that is bookmarked as the lead post on the home page. Said post publishes an RDFa Webid Profile (using the Foaf ontology). It also publishes an owl:sameAs relation noting a particular linkeddata.uriburner.com URI as a potential multi-mastering endpoint.

The only sameAs I see here at yorkporc2.blogspot.com are these:

<a rel="owl:sameAs" href="http://rapstr1.blob.core.windows.net/ods/user.ttl#me" title="OWL">http://rapstr1.blob.core.windows.net/ods/user.ttl#me</a>
<a rel="owl:sameAs" href="https://rapstr1.blob.core.windows.net/ods/users.ttl#me" title="OWL">https://rapstr1.blob.core.windows.net/ods/users.ttl#me</a>
<a rel="owl:sameAs" href="http://idweb.cloudapp.net:8080/Home/About#me" title="OWL">http://idweb.cloudapp.net:8080/Home/About#me</a>
<a rel="owl:sameAs" href="https://idweb.cloudapp.net/Home/About#me" title="OWL">https://idweb.cloudapp.net/Home/About#me</a>

> linkeddata.uriburner.com is my preferred multi-mastering partner. I induce that linked data space to mirror both my webid profile and my certificate (which is just a second owl:sameAs identity property in my webid profile). 

Good, so what does "mirror" mean here? uriburner fetches your profile and just republishes exactly the same statements as you have in your profile, right?

I got to 
http://uriburner.com/describe/?uri=http%3A%2F%2Fbblfish.net%2Fpeople%2Fhenry%2Fcard

and it gives me a web page back describing what I have on 

 http://bblfish.net/people/henry/card 

We can imagine it would just return the same triples.

Is that now a claim mirror? Or is that a proxy? Or is it a multi-mastering partner? Or is that a cache? How is that different from Google Cache?


>  
> Once the mirror exists, I "acknowledge" to the world that the linkeddata.uriburner.com is actually an authoritative multi-mastering partner by putting its proxy URI in my cert, as SAN URI #2. I update my webid profile changing the owl:sameAs identity relation to be a renewed cert (now with 2 SAN names).

So is this proxy/multi-mastering partner/cache/claim mirror not just republishing the exact same triples but creating some new ones too, and replacing some other ones? I mean it must have a new one if you are going to have 2 SANs right?


>  
> When I perform the SSL handshake, I assert the SAN array of names and a modulus to a relying party. This is a statement of authority, and locates endpoints and identifies entities. The webid validation agent verifies and validates, eventually acting as a temporary claims mirror itself,

Here you are speaking of a cache. I don't think there is an obligation on anyone publishing information about other agents who wished to authenticate to their server again, let alone creating new URIs for every entity that logs into them.

> by creating a web session between browser and site based on the relied upon nameidentifier, computed using Kingsley's/Jurgens URI "nameidentifier" management rule (#URIs, 303 for /URIs etc).

(That is not Kingsley's or Jürgen's. It is defined by HTTP.)
And the editor's spec even has a pointer to those. 
http://www.w3.org/TR/2008/NOTE-swbp-vocab-pub-20080828/

> Note the term used for the construct "nameidentifier" - which comes from SAML2 and ws-fedp. It's very similar to the openid claimedid/identifier.
>  
> I also have an openid.delegation relation in my webid profile outer HTML, though not in the graph. In the multi-mastered claim mirror in linkeddata.uriburner.com, this is present in my entity graph. It enables one to make coherent inferences between the Person in the RSS stream alternative of the webid profiles site, with the vcard in the same site, with the webid profile bookmarked on the home page of said site, and the mirrored claims on the authoritative multi-mastering endpoints, in my cluster.


But you never defined the "coherent inferences" you were going to make, nor how you make them, nor exactly what a mirrored claim is, nor why it works.



> 
> This is all very good, and very webby. It's similar to but different to my making a connection between my second webid profile (in ODS) to my Facebook graph, connected via the OAUTH handshake and not the owl:sameAs semantics. The connection is not the same however; as a connection between a profile and a data graph service of another (Facebook) user is not the same as linkeddata.uriburner being an authoritative multi-master for either of my profiles.

When we know what exactly an authoritative multi-master is I suppose I'll be able to tell.


> Yes, linkeddata.uriburner.com is a multi-master (and not a slave secondary)

New word: slave secondary!

> because it collates and infers (vcard, Person, and openid properties) that are not present in the pure webid profile I typed and entered as a blog post. Its inferences are authoritative, as I acknowledged said property by adding the proxy profile URI

Oh, new word. A Proxy Profile!


> to the SAN URI list, as entry #2. My cert is signed, and has cert-using controls and copyrights requiring an act of reliance that governs any webid validation agent.
>  
> The authority authorized the openid proxy run by OpenLinkId to bridge the openid identifier world used by the entire Windows/Azure world to webid to the world of linked data and webid. An openid relying party will be relying upon my blogspot site URI (a slash form URI) as an openid identifier, which has a webid URI in its proof theorems (hidden from the openid relying party). In establishing the proof, the openid proxy OP uses my cert and the openid identifier_select mode of the openid auth v2 protocol, to assert that the proxy URI is under my control (and is authoritative), and that it is furthermore an Authorized openid OP for my openid identifier delivered to openid consumers.
>  
> Now, can I get off this list, please? I need to work on today's problems. If I have time, I'll work on setting up an instance of Virtuoso and its odata endpoint, so via ADO.NET I can link to linkeddata entities as I do to Azure CRM Online entities. I can justify that use of time.

>  
> > From: henry.story@bblfish.net
> > Date: Mon, 16 Jan 2012 14:47:33 +0100
> > CC: public-xg-webid@w3.org
> > To: kidehen@openlinksw.com
> > Subject: Re: what are claims mirrors?
> > 
> > 
> > On 16 Jan 2012, at 13:11, Kingsley Idehen wrote:
> > 
> > > On 1/16/12 6:20 AM, Henry Story wrote:
> > >> Kingsley keeps speaking of "Claims mirrors" in support of his arguments. What are they? How do they work?
> > >> 
> > >> Henry
> > >> 
> > >> Social Web Architect
> > >> http://bblfish.net/
> > >> 
> > >> 
> > >> 
> > > I mean the graph that is created in the IdP space.
> > 
> > So you mean the WebID Profile, as specified in 
> > http://www.w3.org/2005/Incubator/webid/spec/#publishing-the-webid-profile-document
> > ?
> > 
> > In that illustration it would be <https://bob.example/profile> ?
> > 
> > What is the IDP in this scenario? IDP is a word that comes from OpenId. In OpenID the IDP is the service one links to from one's profile page. But in WebID we don't have an IDP in that sense. 
> > 
> > 
> > > It holds a mirror of claims in the x.509 certificate in a local key store.
> > 
> > You mean the WebID Profile is mirroring the claims in the X509 certificate?
> > 
> > > 
> > > We make certificates and persist them to a local keystore. We then make a set of claims via triples in Idp oriented data space that mirrors what's in the local key store.
> > 
> > So given that WebID does not require an IdP, it is even more mysterious what an "IDP oriented dataspace" is.
> > 
> > > 
> > > If you have a relation associating a subject with a public key in a certificate that resides in your local store, having the same relation in your idp oriented data space via triples implies a mirror.
> > 
> > In that case can we just use the word from the spec namely the WebID Profile?
> > 
> > > 
> > > I hope that clears up the matter of "mirrored claims" re. WebID.
> > > 
> > > btw -- some Idp spaces will mirror other claims too e.g. fingerprints, some can even hold a complete carbon copy of the x.509 certificate.
> > > 
> > > 
> > > -- 
> > > 
> > > Regards,
> > > 
> > > Kingsley Idehen	
> > > Founder & CEO
> > > OpenLink Software
> > > Company Web: http://www.openlinksw.com
> > > Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> > > Twitter/Identi.ca handle: @kidehen
> > > Google+ Profile: https://plus.google.com/112399767740508618350/about
> > > LinkedIn Profile: http://www.linkedin.com/in/kidehen
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > Social Web Architect
> > http://bblfish.net/
> > 
> >

Social Web Architect
http://bblfish.net/
Received on Monday, 16 January 2012 18:35:18 GMT
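
The check a relying party runs on a certificate carrying two SAN URIs, as discussed in this thread, sketched as an added example (not code from the thread or from any WebID implementation): each SAN URI counts only if the document it dereferences to publishes the certificate's key for that URI, so an owl:sameAs link or a mirror holding a different key verifies nothing by itself. The example.* URLs, the key values and the in-memory DOCS table standing in for HTTP fetches are constructed.

```python
from urllib.parse import urldefrag

# Constructed sample data: document URL -> triples that document publishes.
# Real code would dereference each URL over HTTP(S) and parse the RDF.
DOCS = {
    "https://blog.example/profile": [
        ("https://blog.example/profile#me", "cert:key", "_:k1"),
        ("_:k1", "cert:modulus", "00cafe01"),
        ("_:k1", "cert:exponent", 65537),
        ("https://blog.example/profile#me", "owl:sameAs",
         "https://mirror.example/about/id#me"),
    ],
    # The mirror publishes a key for its own URI, but not the certificate's.
    "https://mirror.example/about/id": [
        ("https://mirror.example/about/id#me", "cert:key", "_:k9"),
        ("_:k9", "cert:modulus", "00dead02"),
        ("_:k9", "cert:exponent", 65537),
    ],
}

def normalize_modulus(hex_text):
    """Compare moduli as integers so case, colons and leading zeros do not matter."""
    return int("".join(hex_text.split()).replace(":", ""), 16)

def keys_claimed(webid, triples):
    """Return the set of (modulus, exponent) that `triples` assert for `webid`."""
    props = {}
    for s, p, o in triples:
        props.setdefault(s, {}).setdefault(p, []).append(o)
    keys = set()
    for node in props.get(webid, {}).get("cert:key", []):
        for m in props.get(node, {}).get("cert:modulus", []):
            for e in props.get(node, {}).get("cert:exponent", []):
                keys.add((normalize_modulus(m), int(e)))
    return keys

def verify_sans(san_uris, modulus_hex, exponent, docs=DOCS):
    """For each SAN URI, check the document it dereferences to against the cert key."""
    cert_key = (normalize_modulus(modulus_hex), exponent)
    result = {}
    for webid in san_uris:
        doc_url, _fragment = urldefrag(webid)
        triples = docs.get(doc_url)  # None models an unreachable document
        result[webid] = triples is not None and cert_key in keys_claimed(webid, triples)
    return result

SANS = ["https://blog.example/profile#me", "https://mirror.example/about/id#me"]
print(verify_sans(SANS, "00:CA:FE:01", 65537))
```
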
