RE: WebID Test Suite

1. Does the (clerezza) validator insist that a self-signed client cert has
an good signature? Or does it not matter?

2. Which server cert issuers can I use with a standard validator doing unit
tests (e.g. clerezza), if I try an https webid? 

On https further:-

3 Presumably, the list of issuers for server certs depends on whichever
linux platform such as clerezza is operating. Should the unit tests define a
set of authorized issuers?

We just have to be careful that two installs (of such as clerezza) could
have a different set of unit test results, simply because the linuxes used
might differ or different versions  of apache are used (and thus the list of
linux/apache endorsed SSL server cert issuers MIGHT differ moment to moment,
leading to different validation results when https webids are used).

4 If a server cert is revoked, _should_ the webid be viewed as invalid?

5 Should a unit tester bother checking revocation status, of the server cert
and/or the CA certs in the chain?

6 If the server cert has v3 extensions that are critical, should the chain
checker of the server enforce the criticality rules (and refuse the
connection, if the critical extension is unsupported)? For example, if the
cert says it for client authn only (denying server authn) and the extension
is marked critical, will the test suite detect this? Is the webid valid or

7. If the same extension is marked NON-critical (but still says client authn
only), what is the correct validity of the webid?

For both client cert CHAINS, and server cert CHAINS:

8. if a CA cert has a critical basicContraints extension that says the max
length of the cert chain is 3 (say), and its actually 4 in the SSL messages,
is this valid or invalid?

9. if the clerezza validator has marked in its local root store an
_intermediate_ CA certificate, does the validator check the cert chain
delivered in the SSL message or the cert chain that terminates at its local
root store (with the trusted intermediate cert)?

10. if the issuer of an intermediate cert revokes it, but the local trust
store marks it trusted, which carries more weight - when determining the
validity of the webid?

11. if the CN name in a server name is not present in DNS, what is the
validity of the webid?

12. If there is no CN name in a server cert AND/OR SAN DNS field, is the
webid automatically invalid?

-----Original Message-----
From: []
On Behalf Of Kingsley Idehen
Sent: Tuesday, April 05, 2011 6:27 AM
To: Henry Story
Cc: bergi; WebID XG;
Subject: Re: WebID Test Suite

On 4/5/11 5:09 AM, Henry Story wrote:
> I  put an initial Clerezza servers up on with the WebId test
endpoint running here:
> [1]
> This will show you
>   - the public key from the certificate you used, if any
>   - for each claimed WebId:
>      which were verified, failed or are still unverified
>      (that last option is to allow for asynchronous WebId checking )
> The code for this component is in the Subversion repository here
> Currently the User Interface for the WebID test component is not good 
> looking and it is not machine readable. What is most needed to be able 
> to run automated WebID tests is to make the responses machine readable 
> (excepting core SSL/TLS errors thrown when for example the private key 
> does not match the public key)
> So we can use
>   - the cert ontology to describe the certificate
>   - the test ontology to describe the tests on each webid
> That is the next piece I will work on.
> It will then be possible for someone to put together a test agent  for 
> ISSUE-9 to try out things such as, connecting with
>    - a certificate that works
>    - a certificate with no webid that works
>    - a certificate with some webids that work
>    - certificates with WebIDs whose profile is in only one of a number of
>      + RDFa representation
>      + rdf/xml
>      + turtle
>       ( This can then be used to build a profile of server and see what
representations it understands)
>    - certificates that have expired, or that are too early
>    - testing of support for HTTP redirects of WebIDs (when we have an idea
what the behaviour should be)
>    - profiles using old and new ontology
>    - Profiles with short cache control directives (servers should do a new
http GET at some point - my server won't and I don't think many will
>    - others
> It could then use this to put up a report on the servers abilities.
Perhaps this report could also be in machine readable format, so that test
suites can be compared automatically.
>    I'll work next on making my test endpoint machine readable.
> Henry
> [1] when it is more stable I'll move the whole instance to port 443. 
> The 8443 port is there as a reminder that any data placed on this 
> instance will be lost in a not too distant future [2] The more fine 
> tuned clerezza ui is


Works fine with my "http:" scheme based WebID but doesn't seem to do so with
my "mailto:" and "acct:" scheme based WebIDs. Anyway, I'll double check a
few things on my side re. these non "http:" scheme based WebIDs just in case
something else is amiss.

> On 22 Mar 2011, at 23:20, bergi wrote:
>> Hi,
>> I have created a little WebID test suite. It's based on JUnit and 
>> apache HttpClient. To test your own webid implementation you have to 
>> create an endpoint which outputs all valid agents comma seperated. In 
>> the file you have to change the endpoint to your 
>> own url, the endpoint certificate to your own certificate in pem 
>> format. The publish base url and path must point to a folder which is 
>> accessable via your local file system and http. I'm using a local 
>> apache with a hacked hosts file. Currently the following tests are
>> 	- Default (single entry in subjectAtlNames)
>> 	- MissingRdf (404 http error)
>> 	- MultipleIDs (two entries in subjectAltNames)
>> 	- WrongModulus (wrong modulus in rdf)
>> 	- WrongPublicExponent (wrong public exponent in rdf)
>> Issue:
>> Download:
>> Regards,
>> the bergi
> Social Web Architect



Kingsley Idehen	
President&  CEO
OpenLink Software
Twitter/ kidehen

Received on Wednesday, 6 April 2011 01:05:10 UTC