W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

RE: RE: Authentication workflow draft.

From: peter williams <home_pw@msn.com>
Date: Tue, 12 Apr 2011 13:12:18 -0700
Message-ID: <SNT143-ds8A9F6831F51C543FE71ED92AB0@phx.gbl>
To: "'Martin Gaedke'" <martin@gaedke.com>, "'Akbar Hossain'" <mail@akbarhossain.com>
CC: "'WebID XG'" <public-xg-webid@w3.org>

I already build a minor variant of an STS that takes "webid". It took about
an hour. Webid at its core just SSL client authn, with custom validation
logic for the cert [chain]. Its more than that WHEN the pedantic web gets
past its academic bent (which Im hoping is soon...having watched RDF for
nearly 15 years now...)

But, shush! All I did was take existing STS code that takes an https
connection (and its client cert) and mint a SAML2 token in the response. I
had the STS use my webid validation class (all of 1 hour to figure that), to
decide whether or not to issue the token. Then, I populated the token
attributes with the contents of the foaf card (so its signed). The token has
short life, assigning short life to this copy foaf card copy and its

Any ws* or ws-fedp protocol can then invoke webid by proxy, at the IDP.

But, we are not allowed to talk about SOAP, ws*, websso etc. I do this
offline, when making production systems. To be fair, its not per the
architecture. And I respect the differences.

As Henry says, we are here to PUSH the envelope on REST and semweb, and
read/write semweb in particular. Here I agree with him. Its the mission.
There is no point working in W3C in this year's production problems (one
does that on the side, for the making money goal to pay salaries of folks,
etc.). There will come a point in years 5-10 from now where it's just not
sustainable to keep use X.509 cert chains in ASN.1/DER, for discovery. I
need semweb to be filling in, at that point, at commodity status. I have 1
million users to support, and they talk to about 50 million members of the
public. What works in link chains of keys has to be COMMODITY! Furthermore,
the whole thing has to showcase decentralization (sinced in my reality, I
cannot impose security policy on anyone!)

Meantime, Im happy with just using the results of the foaf project as
augmented with webid validation per the spec, mixed with commodity
techniques (like ws*). This allows RDFa files with pubkeys to be used a
validation sources for certs pubkeys, today. And, it supports furtherhenace
of the bigger picture (which I trust Henry to get right, eventually!)

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Martin Gaedke
Sent: Tuesday, April 12, 2011 12:28 PM
To: peter williams; Akbar Hossain
Cc: WebID XG
Subject: RE: RE: Authentication workflow draft.


wouldn’t it be possible in case of WS-federation that the STS (when
redirected from the protected resource to the STS) asks the client for a
WebID instead of redirecting the client to the IP? The STS would act as the
Verification Agent for all WS-Federation-oriented protected resources,
creating the token and redirecting the Identification Agent back to the
protected resource.

In this context, we could easily extend WS-Federation with WebID, right?


Prof. Dr.-Ing. Martin Gaedke
Chemnitz University of Technology
Faculty of Computer Science
Distributed and Self-organizing Computer Systems Group Straße der Nationen
D-09107 Chemnitz

Phone:    +49 (371) 531-25530
E-Mail:   martin.gaedke@informatik.tu-chemnitz.de
Web Site: http://vsr.informatik.tu-chemnitz.de
XING:     https://www.xing.com/profile/Martin_Gaedke
LinkedIn: http://www.linkedin.com/in/gaedke

For further information on Web Engineering:
* International Society for Web Engineering http://www.iswe-ev.de/
* Int. Conf. on Web Engineering 2011: http://icwe2011.webengineering.org/

* Journal of Web Engineering: http://www.rintonpress.com/journals/jwe/

From: public-xg-webid-request@w3.org
[mailto:public-xg-webid-request@w3.org] On Behalf Of peter williams
Sent: Dienstag, 12. April 2011 21:15
To: 'Akbar Hossain'
Cc: 'WebID XG'
Subject: RE: RE: Authentication workflow draft.

If we wanted to use W3C standards (even partly), we could even post

<wsse: BinarySecurityToken Id="myX509Token"
        ValueType="wsse: X509v3"
        EncodingType="wsse: Base64Binary">
NIFEPzCCA9CrAwIBAgIQEmtJZc0 . .. The rest of the X. 509 base 64 data
FExErTECA .. .

over https (with client authn + SSL Sessionid).

All it has to be is something like (ignoring the SOAP bit):
http://msdn.microsoft.com/en-us/library/ms996951.aspx (Adding the X.509
Certificate Token to a SOAP Message)

could we be allowed JUST a tiny wee bit of SOAP (since java, and dotNet and
… all do the above, being so ancient a spec)? If not, then we are back to
fussing with mime types and encoding headers etc, per my last message

From: akkiehossain@gmail.com [mailto:akkiehossain@gmail.com] On Behalf Of
Akbar Hossain
Sent: Tuesday, April 12, 2011 11:04 AM
To: peter williams
Cc: WebID XG; Andrei Sambra; Kingsley Idehen
Subject: Re: RE: Authentication workflow draft.

Perhaps a small variant of the delegated service as per foafssl.org On 12
Apr 2011 18:03, "peter williams" <home_pw@msn.com> wrote:
> Yes, it's time for a restful web service (supported by https client
authn and SSL session management) that takes a base64 encode cert as input,
and returns YES/NO
> The input parser should assume the worst: strange CRLF or LR or CR,
random header text, variable number of dashes, missing final EOL, UTF header
bytes, web friendly char sets or ascii - so as to deal with the realty of
"PEM encoding"
> Another variant would take a cert sha1 fingerprint, rather than the
> -----Original Message-----
> From: public-xg-webid-request@w3.org
[mailto:public-xg-webid-request@w3.org] On Behalf Of Kingsley Idehen
> Sent: Tuesday, April 12, 2011 9:29 AM
> To: peter williams
> Cc: 'Andrei Sambra'; 'WebID XG'
> Subject: Re: Authentication workflow draft.
> On 4/12/11 12:14 PM, peter williams wrote:
>> This is relevant to me, as it means for each URI in the SAN, I do a
uriburner query, which (remotely) looks for a cert:identity match for 1 card
at a time.
>> Can sparql have multiple FROM lines? Perhaps?
> Yes, re. Virtuoso's SPARQL support.
>> Can the query be modified so Id know which URI matched, if one could
specify multiple matches?
> Yes.
> I am guessing its time for a WebID verification service. Ditto email
verification service as spec'd by Toby a while back.
> --
> Regards,
> Kingsley Idehen
> President& CEO
> OpenLink Software
> Web: http://www.openlinksw.com
> Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen
Received on Tuesday, 12 April 2011 20:12:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC