
Re: Authentication workflow draft.

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 12 Apr 2011 22:26:53 +0200
Cc: "'Martin Gaedke'" <martin@gaedke.com>, "'Akbar Hossain'" <mail@akbarhossain.com>, "'WebID XG'" <public-xg-webid@w3.org>
Message-Id: <F1DA0C6B-28E3-4A25-B189-0ED897FF5546@bblfish.net>
To: peter williams <home_pw@msn.com>
Ok, sounds more like we are on the same channel here.

I am sure we can integrate with SOAP in many ways. The Univ of Manchester
has shown it can be done.  It's just that there is also only
so much bandwidth we have here. And SOAP is just too big a beast to take on here.

I think when we have the tests down, some good social web examples by 
the Berlin conf, then we can start spending time looking more at SAML 
integration. Hopefully we'll just have a few libs and working systems that
are well enough documented that they can show us how this integration is done.

If people are interested in a binary/pem based proposal I am for it, because I think
it could be a very nice way to show how we can tie the old into the new. But we
do have time constraints, and I want to know from people in the field if they
think that is something they want to put effort into.


On 12 Apr 2011, at 22:12, peter williams wrote:

> I already built a minor variant of an STS that takes "webid". It took about
> an hour. Webid at its core is just SSL client authn, with custom validation
> logic for the cert [chain]. It's more than that WHEN the pedantic web gets
> past its academic bent (which I'm hoping is soon...having watched RDF for
> nearly 15 years now...)
> But, shush! All I did was take existing STS code that takes an https
> connection (and its client cert) and mint a SAML2 token in the response. I
> had the STS use my webid validation class (all of 1 hour to figure that), to
> decide whether or not to issue the token. Then, I populated the token
> attributes with the contents of the foaf card (so it's signed). The token has
> short life, assigning short life to this foaf card copy and its
> triples.
> Any ws* or ws-fedp protocol can then invoke webid by proxy, at the IDP.
> But, we are not allowed to talk about SOAP, ws*, websso etc. I do this
> offline, when making production systems. To be fair, it's not per the
> architecture. And I respect the differences.
> As Henry says, we are here to PUSH the envelope on REST and semweb, and
> read/write semweb in particular. Here I agree with him. It's the mission.
> There is no point working in W3C in this year's production problems (one
> does that on the side, for the making money goal to pay salaries of folks,
> etc.). There will come a point in years 5-10 from now where it's just not
> sustainable to keep using X.509 cert chains in ASN.1/DER, for discovery. I
> need semweb to be filling in, at that point, at commodity status. I have 1
> million users to support, and they talk to about 50 million members of the
> public. What works in link chains of keys has to be COMMODITY! Furthermore,
> the whole thing has to showcase decentralization (since in my reality, I
> cannot impose security policy on anyone!)
> Meantime, I'm happy with just using the results of the foaf project as
> augmented with webid validation per the spec, mixed with commodity
> techniques (like ws*). This allows RDFa files with pubkeys to be used as
> validation sources for certs pubkeys, today. And, it supports furtherance
> of the bigger picture (which I trust Henry to get right, eventually!)
> -----Original Message-----
> From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
> On Behalf Of Martin Gaedke
> Sent: Tuesday, April 12, 2011 12:28 PM
> To: peter williams; Akbar Hossain
> Cc: WebID XG
> Subject: RE: RE: Authentication workflow draft.
> Hi,
> wouldn’t it be possible in case of WS-federation that the STS (when
> redirected from the protected resource to the STS) asks the client for a
> WebID instead of redirecting the client to the IP? The STS would act as the
> Verification Agent for all WS-Federation-oriented protected resources,
> creating the token and redirecting the Identification Agent back to the
> protected resource.
> In this context, we could easily extend WS-Federation with WebID, right?
> Cheers
> Martin
> ---------------------------------------------------------------------
> Prof. Dr.-Ing. Martin Gaedke
> Chemnitz University of Technology
> Faculty of Computer Science
> Distributed and Self-organizing Computer Systems Group
> Straße der Nationen 62
> D-09107 Chemnitz
> Germany
> Phone:    +49 (371) 531-25530
> E-Mail:   martin.gaedke@informatik.tu-chemnitz.de
> Web Site: http://vsr.informatik.tu-chemnitz.de
> XING:     https://www.xing.com/profile/Martin_Gaedke
> LinkedIn: http://www.linkedin.com/in/gaedke
> For further information on Web Engineering:
> * International Society for Web Engineering http://www.iswe-ev.de/
> * Int. Conf. on Web Engineering 2011: http://icwe2011.webengineering.org/
> * Journal of Web Engineering: http://www.rintonpress.com/journals/jwe/
> From: public-xg-webid-request@w3.org
> [mailto:public-xg-webid-request@w3.org] On Behalf Of peter williams
> Sent: Tuesday, 12 April 2011 21:15
> To: 'Akbar Hossain'
> Cc: 'WebID XG'
> Subject: RE: RE: Authentication workflow draft.
> If we wanted to use W3C standards (even partly), we could even post
> <wsse:BinarySecurityToken Id="myX509Token"
>         ValueType="wsse:X509v3"
>         EncodingType="wsse:Base64Binary">
> NIFEPzCCA9CrAwIBAgIQEmtJZc0... The rest of the X.509 base 64 data
> FExErTECA...
> </wsse:BinarySecurityToken>
> over https (with client authn + SSL Sessionid).
> All it has to be is something like (ignoring the SOAP bit):
> http://msdn.microsoft.com/en-us/library/ms996951.aspx (Adding the X.509
> Certificate Token to a SOAP Message)
> could we be allowed JUST a tiny wee bit of SOAP (since java, and dotNet and
> … all do the above, being so ancient a spec)? If not, then we are back to
> fussing with mime types and encoding headers etc, per my last message
> From: akkiehossain@gmail.com [mailto:akkiehossain@gmail.com] On Behalf Of
> Akbar Hossain
> Sent: Tuesday, April 12, 2011 11:04 AM
> To: peter williams
> Cc: WebID XG; Andrei Sambra; Kingsley Idehen
> Subject: Re: RE: Authentication workflow draft.
> Perhaps a small variant of the delegated service as per foafssl.org
> On 12 Apr 2011 18:03, "peter williams" <home_pw@msn.com> wrote:
>> Yes, it's time for a restful web service (supported by https client
>> authn and SSL session management) that takes a base64 encoded cert as input,
>> and returns YES/NO
>> The input parser should assume the worst: strange CRLF or LF or CR,
>> random header text, variable number of dashes, missing final EOL, UTF header
>> bytes, web friendly char sets or ascii - so as to deal with the reality of
>> "PEM encoding"
>> Another variant would take a cert sha1 fingerprint, rather than the
>> cert.
>> -----Original Message-----
>> From: public-xg-webid-request@w3.org
>> [mailto:public-xg-webid-request@w3.org] On Behalf Of Kingsley Idehen
>> Sent: Tuesday, April 12, 2011 9:29 AM
>> To: peter williams
>> Cc: 'Andrei Sambra'; 'WebID XG'
>> Subject: Re: Authentication workflow draft.
>> On 4/12/11 12:14 PM, peter williams wrote:
>>> This is relevant to me, as it means for each URI in the SAN, I do a
>>> uriburner query, which (remotely) looks for a cert:identity match for 1 card
>>> at a time.
>>> Can sparql have multiple FROM lines? Perhaps?
>> Yes, re. Virtuoso's SPARQL support.
>>> Can the query be modified so I'd know which URI matched, if one could
>>> specify multiple matches?
>> Yes.
>> I am guessing it's time for a WebID verification service. Ditto email
>> verification service as spec'd by Toby a while back.
>> --
>> Regards,
>> Kingsley Idehen
>> President & CEO
>> OpenLink Software
>> Web: http://www.openlinksw.com
>> Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca: kidehen

Social Web Architect
Received on Tuesday, 12 April 2011 20:27:27 UTC
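
The "assume the worst" input parser peter williams asks for in the quoted thread (mixed CRLF/LF/CR, stray header text, varying dash counts, a missing final EOL, BOM bytes), together with the SHA-1 fingerprint variant, sketched in Python as an added example that is not code from the thread or from any WebID implementation. The function names, the 64 KiB cap and the sample bytes are assumptions; only the outer DER SEQUENCE is checked, not X.509 validity.

```python
import base64
import hashlib
import re

# Tolerant armour: two or more dashes, any case, flexible spacing.
_BEGIN = re.compile(r"-{2,}\s*BEGIN\s+CERTIFICATE\s*-{2,}", re.I)
_END = re.compile(r"-{2,}\s*END\s+CERTIFICATE\s*-{2,}", re.I)
MAX_INPUT = 64 * 1024  # assumed cap on the request body


def pem_to_der(raw: bytes) -> bytes:
    """Extract the first certificate from a messy PEM blob as DER bytes."""
    if len(raw) > MAX_INPUT:
        raise ValueError("input too large")
    # latin-1 decodes any byte; dropping NULs flattens UTF-16 text to ASCII.
    text = raw.decode("latin-1").replace("\x00", "")
    begin = _BEGIN.search(text)  # skips random header text before the armour
    if begin:
        end = _END.search(text, begin.end())
        body = text[begin.end():end.start() if end else len(text)]
    else:
        body = text  # bare base64, no armour at all
    # Split on CRLF, CR or LF; drop "Name: value" header lines inside the armour.
    lines = [ln for ln in re.split(r"\r\n|\r|\n", body) if ":" not in ln]
    # Keep only the base64 alphabet (removes BOM bytes, spaces, tabs), then re-pad.
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", "".join(lines))
    der = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    check_outer_sequence(der)
    return der


def check_outer_sequence(der: bytes) -> None:
    """Reject input whose outer DER SEQUENCE length does not match its size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der) or der[1] == 0x80:
        raise ValueError("truncated, trailing or indefinite-length data")


def sha1_fingerprint(raw: bytes) -> str:
    """Fingerprint the DER, so every textual variant of a cert hashes the same."""
    return hashlib.sha1(pem_to_der(raw)).hexdigest()

# Constructed stand-in for a certificate: a 260-byte DER SEQUENCE, not real X.509.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```

Because the fingerprint is taken over the decoded DER rather than the submitted text, the "cert" and "fingerprint" variants of the service agree regardless of how the client mangled the PEM.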

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC