
Re: TestSuite to verify WebID authentication services

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 6 May 2013 09:52:25 +0200
Cc: public-webid@w3.org
Message-Id: <CFAE6394-77AD-4C43-94DD-954CA8202118@bblfish.net>
To: Angelo Veltens <angelo.veltens@online.de>

Thanks Angelo, your proposal below is exactly what we were hoping to 
do with the Test Suite. I think we erred trying to build something
a bit too complicated requiring the authentication endpoint to return 
information about the reasons for the failure. It is probably best
to start with something very simple like what you are proposing, and 
then make proposals on how endpoints that get false negatives can
enhance their score.

On 5 May 2013, at 11:01, Angelo Veltens <angelo.veltens@online.de> wrote:

> Hi all,
> 
> since I am still a little uncertain about what a WebID authentication
> service has to consider, I am looking for test cases to verify the
> correct behavior of such a service.
> 
> I found the "Test Suite" wiki page [1], which seems to focus on
> verifying certificates and profile pages, but not authentication services.
> 
> Are there any formalised test cases to verify the correct behaviour of a
> WebID authentication service? If not, I suggest writing them down,
> e.g. in the gherkin language used by cucumber [2] (examples below).
> 
> Based on this I am going to write an automated test suite that can be
> run against any implementation of WebID authentication to verify its
> correct behaviour.
> 
> [1] http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite
> [2] http://cukes.info/
> 
> Example scenarios in gherkin:
> 
> Feature: WebID Authentication Service
> 
>  Background:
>    Given a website provides a WebID authentication at a login URL
> 
>  Scenario: Client authenticates with an invalid certificate
>    Given I own a certificate C
>    And the private key of C does not belong to the public key of C
>    When I visit the login URL
>    And provide the certificate C for authentication
>    Then the service responds  ...
> 
>  Scenario: Client authenticates with an expired certificate
>    Given I own an expired certificate C
>    When I visit the login URL
>    And provide the certificate C for authentication
>    Then the service responds ...
> 
>  ...
> 
> What do you think of it?
> 
> Best regards,
> Angelo
> 

Social Web Architect
http://bblfish.net/
Received on Monday, 6 May 2013 07:53:08 UTC
