- From: Hugh Glaser <hg@ecs.soton.ac.uk>
- Date: Tue, 6 Aug 2013 22:01:31 +0000
- To: Martynas Jusevičius <martynas@graphity.org>
- CC: Norman Gray <norman@astro.gla.ac.uk>, Kingsley Idehen <kidehen@openlinksw.com>, "public-lod@w3.org community" <public-lod@w3.org>
https://my-profile.eu/certgen

On 6 Aug 2013, at 22:49, Martynas Jusevičius <martynas@graphity.org> wrote:

> Was following the thread, decided to jump in :) So how do I create a
> certificate? I have a FOAF profile and want to add it there.
> As Hugh pointed out,
> http://webid.myxwiki.org/xwiki/bin/view/WebId/CreateCert doesn't work.
> Is it still maintained?
>
> Martynas
> graphityhq.com
>
> On Tue, Aug 6, 2013 at 11:17 PM, Hugh Glaser <hg@ecs.soton.ac.uk> wrote:
>> Thank you all very much - all really helpful.
>> I think it turned out I had succeeded, but the WebID login on the site wasn't working.
>> Or something. :-)
>>
>> So then I thought I would try again, by clearing out things - I had at least two certs by now. :-)
>> Typical errors I seemed to hit from pages were things like:
>> http://data.turnguard.com/java/1.6.0_29/com/turnguard/webid/exceptions/ModulusMismatchException is thrown by http://www.glasers.org/hugh.rdf#me (https://webid.turnguard.com/WebIDTestServer/onlywithcert)
>> Failed to execute the [velocity] macro (http://www.w3.org/wiki/WebID -> http://webid.myxwiki.org/xwiki/bin/view/WebId/CreateCert)
>>
>> Because I am on a mac, I knew that the "right" way to do things is Keychain.
>> So I followed Kingsley's excellent instructions, which gave me the crucial parameters.
>> I needed to find the Public Key, which I eventually found in the info, by actually clicking on, even though it doesn't look like a link.
>>
>> *Conclusion*
>> So, as a mac user, the pages I found most useful were
>> https://plus.google.com/112399767740508618350/posts/62pFBxAm7Ev
>> to generate the cert
>> and
>> https://webid.turnguard.com/WebIDTestServer/debug
>> to check I had it right.
>> Also, http://www.w3.org/wiki/WebID told me what the RDF should look like.
>>
>> It still seems to me that this is not a technology that is very useable - it really shouldn't have taken so many messages to help me!
>> I was thinking of setting up for my users to use WebID on a little social networking site I have, but I think I will give it a miss for the moment!
>>
>> And yes, now I am logged in at RWW.IO!
>>
>> So thank you all for the time and very detailed messages - they all contributed to my success!
>> Hugh
>>
>> On 6 Aug 2013, at 16:54, Norman Gray <norman@astro.gla.ac.uk>
>> wrote:
>>
>>>
>>> Hugh and Kingsley, hello.
>>>
>>> On 2013 Aug 6, at 14:27, Kingsley Idehen wrote:
>>>
>>>> In reality though, for your particular user profile I would encourage you to simply manually add insert the relations required by the WebID+TLS protocol into your existing profile, after you've generated an X.509 certificate using in-built OS utilities [1].
>>>
>>> I've just done this, prompted by your message, Hugh, and it was oddly easy, _with_ Kingsley's hints. The following fills in a couple of elided steps.
>>>
>>>> 1. Create a Profile Document -- this gets you a Personal HTTP URI (or WebID) that denotes entity "You"
>>>
>>> I already have a FOAF file <http://nxg.me.uk/norman/>. Tick!
>>>
>>>> 2. Generate an X.509 Certificate -- as part of the process, place your WebID in the SAN (Subject Alternative Name) slot
>>>
>>> I did that, using Kingsley's walkthrough of the OS X Certificate Assistant (within Keychain Access) at <https://plus.google.com/112399767740508618350/posts/62pFBxAm7Ev>.
>>>
>>> This took two goes, because I decided that I should create a certificate with CN "Norman Gray (WebID)", adding the "(WebID)" to avoid confusing myself.
>>>
>>>> 3. Add a relation to your Profile Document that associates your WebID with the Public Key (exponent and modulus) from the Cert. generated in step #3.
>>>
>>> If you use OS X Keychain Access, then 'Get Info' on the certificate will show the exponent and modulus. The wrinkle here is that the Get Info display names the modulus as 'Public Key' (which I suppose one could quibble with).
>>>
>>> If you want to do it the hard way (as I had to do, to work out that that _was_ what they meant by 'Public Key'), then export the certificate as a .cer file, and
>>>
>>>     % openssl x509 -inform DER -modulus -noout -in ~/Desktop/norman-webid.cer
>>>
>>> I added this to my FOAF file with:
>>>
>>>     cert:key [
>>>         cert:exponent 65537;
>>>         cert:modulus "…"^^xsd:hexBinary;
>>>     ];
>>>
>>> I got the details of that from <http://www.w3.org/wiki/WebID>.
>>>
>>> Then I put it on the web.
>>>
>>>> 4. Verify your WebID
>>>
>>> I went to <http://webid.turnguard.com/WebIDTestServer/> and clicked on 'OnlyWithCert'. I was asked to trust the server (because its certificate wasn't signed by a CA), and to choose which certificate to use, and ... it worked. That was with both Chrome and Safari.
>>>
>>>> 5. Start authenticating against apps and services that support WebID+TLS based authentication.
>>>
>>> Right... where can I use this that _isn't_ just for testing, and will actually be (you know) useful?
>>>
>>> No, this isn't the route I'd suggest to my Mum, but getting her a by-hand WebID might be a little premature in any case.
>>>
>>> All the best,
>>>
>>> Norman
>>>
>>>
>>> --
>>> Norman Gray : http://nxg.me.uk
>>> SUPA School of Physics and Astronomy, University of Glasgow, UK
>>>
>>
>>

Received on Tuesday, 6 August 2013 22:02:16 UTC
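
An added example, not part of the original thread: a pre-publication check that the `cert:key` blocks in a profile agree with the output of the `openssl x509 -modulus -noout` command shown above, tolerating differences of case, spacing, colons and a leading `00` byte, and counting any other keys left behind by earlier certificates. The function names, the short modulus and the profile text are constructed for illustration.

```python
import re

# Constructed sample data: a short stand-in modulus, not a real key.
OPENSSL_OUTPUT = "Modulus=C0FFEE1234ABCD\n"   # shape of `openssl x509 -modulus -noout`
PROFILE = '''
<#me> cert:key [
    cert:exponent 65537;
    cert:modulus "00:c0:ff:ee:12:34:ab:cd"^^xsd:hexBinary;
  ];
  cert:key [
    cert:exponent 65537;
    cert:modulus "DE AD BE EF"^^xsd:hexBinary;
  ] .
'''

def normalise_modulus(text):
    """Reduce any common rendering of an RSA modulus to bare lowercase hex."""
    text = text.strip().split("=", 1)[-1]      # drop the "Modulus=" prefix if present
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("modulus is not hexadecimal: %r" % text[:20])
    return digits.lstrip("0")                  # ignore a leading 00 padding byte

def profile_keys(turtle):
    """Return (modulus, exponent, literal_is_plain_hex) for each cert:key block."""
    keys = []
    for block in re.findall(r"cert:key\s*\[(.*?)\]", turtle, re.S):
        mod = re.search(r'cert:modulus\s*"([^"]*)"\^\^xsd:hexBinary', block)
        exp = re.search(r"cert:exponent\s+(\d+)", block)
        if mod and exp:
            plain = re.fullmatch(r"[0-9A-Fa-f]+", mod.group(1)) is not None
            keys.append((normalise_modulus(mod.group(1)), int(exp.group(1)), plain))
    return keys

def check_profile(openssl_output, exponent, turtle):
    """Compare the certificate's key with every key published in the profile."""
    want = normalise_modulus(openssl_output)
    report = {"match": False, "needs_cleanup": False, "other_keys": 0}
    for modulus, exp, plain in profile_keys(turtle):
        if (modulus, exp) == (want, exponent):
            report["match"] = True
            report["needs_cleanup"] = not plain   # literal has separators or spaces
        else:
            report["other_keys"] += 1             # e.g. a key from an older cert
    return report

if __name__ == "__main__":
    print(check_profile(OPENSSL_OUTPUT, 65537, PROFILE))
```

A `needs_cleanup` result means the key is the right one but the literal contains separators that are not plain hex digits and should be stripped before the profile goes on the web.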