- From: Peter Williams <home_pw@msn.com>
- Date: Thu, 22 Dec 2011 07:39:57 -0800
- CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-W54E65EA8082C88C62949B192AA0@phx.gbl>
I dont care about XRIs. I care about the argument being made - that URIs needed a persistent URI, since the ownser of a URI changes. The theorem of webid is that the user controls the URI, and its increasingly not true. As big as it is, the web has not actually used URIs for personal identities. SO arguments about how bit the resource URI pool are are irrelevant. By and large, its a giant mess (that works at 80%). For personal privacy, we have to do better than 80%. (remember the University of Kent proved, in a $80k study that nobody wanted openid, becuase it was too crap, just before Google introduced it to Google Apps for academia :-) ). Now, if you look at the last years of history on CRL DP URI used in windows, folks were concerned that they didnt want what paypal objected to about webid - having a large server farm's threads dependent on pinging an untrustworthy/untrusted server. in the CRL pulling world (given introduction of the CRLs URI by a cert, similarly to a SAN URI in a cert) windows servers doing email, web, and PPP EAP-TLS with client certs bearing URIs can be told to only ever pull the (CRL) resource from a cache (and never attempt to resolve (i.e. fully de-reference) the URI, that is). This was essentially the statement that the kernel's load balancer's cache was the persistent URI, and the value of the CRL DP URI in the cert a mere "hint". The cert checking engine doing validation had a trust point (its kernel, and its trusted computing base delivered by the CPU rings and the TPM chip for safe boot) for the cache identifiers. The local cache was the mapping from an URI onto its persistent URI. Im looking againt for Henrys server. I moved my RDFa html card to azure blog storage, on an https endpoint, and reminted the cert (with the same key). lets see how his software does with CRL DP URIs. From: henry.story@bblfish.net
Date: Thu, 22 Dec 2011 10:37:09 +0100
CC: public-xg-webid@w3.org
To: kidehen@openlinksw.com
Subject: Re: [foaf-protocols] Redirects continued -- was: Problem with certificate on home-grown WebID
On 21 Dec 2011, at 20:34, Kingsley Idehen wrote:
On 12/21/11 2:12 PM, Peter Williams wrote:
let me summarize the OASIS position (stripping out the
technology).
a URI depends on an authority field, in which the owner of the
domain-name can change tomorrow (by court order, or US
government seizure, or bankcrupcy, or ICANN wants money). Thus
URIs are not authoritative per se. Something must be done, since
that world on which we are relying is not stable.
This sounds like the kind of thing you would call on other occasions an "academic" problem, and in that mood you would argue that the web has been around with this type of issue and has grown very big without it.
Thus, have a persistent URI, that many temporary URIs using
domain-names can refer to. Only the persistent form of URI is
usable for security purposes. If presented with a non-persistent
URI, a verifier must use a trusted service to determine the
persistent "synonym".
And so have you not then just moved your trust to another system? Now you need to decide who is going to be your trusted service. It's no longer DNS or something else, it's the company you decide to trust, or what not.
Perhaps that is a viable solution. But given that people are having problems even with any kind of identifier, it seems to me that we can get some way without this issue appearing. That is at present I don't think that the issue for people is the longevity of their URIs. It is the problem of having too many, because these don't communicate. Too many URIs can be dealt with by owl:sameAs between the different Ids and redirects. That solves the problem of having to change URIs. Essentially in the semantic web we don't get tied up with the idea of needing ONE UNIQUE identifier per person.
Then all that is left for XRIs is the longevity issue. But perhaps there are simpler solutions to that. I think it's something to think about.
Then, go on as normal.
Now the challenge for webid:- How do we determine the persistent
id, and how does one discover the provider of authority (for the
claimed persistent URI).
You look at the relations towards it. It is a bit what happens if someone takes a site and changes the meaning of the URIs on it. Slowly all links to that site will disappear. You can also tell by looking when links to pages were made, when the document was originally published.
The problem with XRIs is that they require a big infrastructure to get going. We already have HTTP so we can get going there with some limitations, but with tools everybody understands.
I dont know of any web architecture proposal. the web
architecture punts, and denies there is an issue. The issue is
not really about rediercts, its about the fidelity of the URI's
authority field, and who speaks to it. I solved it (recall) by
cheating. I trusted the CA as the source of authority, but this
denied a core use case of webid - self-signed client certs. I
thus failed the exam.
Self signed server certs will be easier to deploy with DNSsec. And DNSsec can then itself be verified by other services. And perhaps there is a role for XRIs later, or perhaps that can be simplified into something else.
The greatest thing about this insight is the context for a little
know reality:
Linked Data somewhat came to the fore at the expense of OWL.
Basically, OWL sadly became the reason why the Semantic Web didn't
take off in the eyes of many. In reality, OWL was just another
Semantic Web Project component that suffered from the verbosity,
special treatment, and bottomless intransigence surrounding RDF/XML.
For the Semantic Web to manifest, RDF/XML had to get out of the
front door (DBpedia and the Linked Open Data project took care of
that), Linked Data had to emerge as the Semantic Web Project's
foundation layer, and eventually OWL as the sanitizer. After all,
this is a story about logic, structured data, hyperlinks, relations,
and semantic fidelity exploited at InterWeb scale.
There is something big here! Really big, but we cannot compromise
the AWWW. Do that, and everything crumbles fast!
Kingsley
From: home_pw@msn.com
To: henry.story@bblfish.net
CC: public-xg-webid@w3.org;
foaf-protocols@lists.foaf-project.org
Subject: RE: [foaf-protocols] Redirects continued -- was:
Problem with certificate on home-grown WebID
Date: Wed, 21 Dec 2011 09:52:23 -0800
The first point to recognize is THAT FOLKS ARE GOING TO DO
IT, regardless of what some book says. verifiers can view
that as an attack, or just bad software. But either way, it
has to be handled.
The seecond point is to recall my original reasoning - that
was by analogy. I know what openid spec says, when doing a
similar task. I know webid says nothing. What SHOULD webid
be saying, I asked? is its silence revealing? What did
openid base its logic on, anyways?
Now, openid leveraged a comprehsive security model for
discovery (one designed by engineering folks who then wrote
a large security section and specific threat model in the
XRD spec).
And, that is where you start Henry. Go read the security
sections and threat model of XRDS (and thus understand
"secure discovery" in openid, along with its redirects and
cross-references). Go see how an engineered spec addresses
the same class of underlying topics ...as you face here. Go
and understand WHY "pure" web architecture was insufficent,
and they constructed an entirely new framework (that
overlayed the web). Ths folk entirely understood RDF, in its
full academic glory. Then, they went further (as engineers).
---
Yes, its going to take a while to understand the trusted
resolution model of XRD. I ended up having to program an XRD
server, to get inside the head of the writer of those specs.
but, at the end there was a comprehsnvie model of secure
discovery, and de-referencing, that pertains both to simple
objects (an array of service access points, say) and graphs.
I learned (and it went beyond what I already knew from the
secure chaining models of X.500 and H323)
Dont listen to me; Im far to stupid to be in anything other
thant the security space, trawling through checklists and
tick sheets addressing simple (but effective) audit,
control, and correctness goals. My code is nothing other
than a rewrite of a spec, to fit the needs of a stupid
machine. Go and look in detail at some other web
engineering, and the OASIS engineering outputs in
particular. There you will enconter work from folks in the
top rank of the class, and its WORTH comprehending, if you
accept my recommendation. Once you dominate their model,
then figure what webid needs.
Here is a good start: http://middleware.internet2.edu/idtrust/2008/slides/01-reed-openid-xri-xrds.ppt
Dont go into dismissal mode, and start politicking that its
all hogwash (or ungodly, or some other punt). Read and
understand what your betters have already done (and THEN do
better than them). I have total faith in you, on this. You
and you only can break this impasse, anbd still say
reasonably consistent with the "web architecture". You are
exactly the right person, to find the "right" solution to
the redirect problem in a name resolution protocol.
Subject: Re: [foaf-protocols]
Redirects continued -- was: Problem with certificate on
home-grown WebID
From: henry.story@bblfish.net
Date: Wed, 21 Dec 2011 18:12:52 +0100
CC: public-xg-webid@w3.org; sebastian@trueg.de;
foaf-protocols@lists.foaf-project.org
To: home_pw@msn.com
On 21 Dec 2011, at 18:05, Peter Williams wrote:
Our colleague from the BBC already
made the case for redirects.
The case is just normal, in larger websites. The
content producer and the content manager are
different parties, in the publishing world.
Content manager get to reorganize links, as they
control when and if content gets un/published,
and where it gets re-published.
The question is, what does the spec say about
the security threats, and what are the counter
measures?
Well since you have been in the security space for
so long, can you come up with some security
threat scenarios? Start with simple ones, that we
can answer, and lets see if we can build
more complex ones that are problematic.
Henry
> From: henry.story@bblfish.net
> Date: Wed, 21 Dec 2011 17:19:36 +0100
> To: pierre-antoine.champin@liris.cnrs.fr
> CC: foaf-protocols@lists.foaf-project.org; public-xg-webid@w3.org; sebastian@trueg.de
> Subject: Re: [foaf-protocols] Redirects
continued -- was: Problem with certificate on
home-grown WebID
>
>
> On 21 Dec 2011, at 16:57, Pierre-Antoine
Champin wrote:
>
> > Hi,
> >
> > I had the same misunderstanding as
Sebastian, creating WebID
> > http://champin.net/pa
> >
> > I now created
> > http://champin.net/#pa
> > (which I too prefer, btw).
> >
> > But that one does not work with foafssl.org
:-(
>
> That's because at present it does not
have redirection implemented and you resource
redirects
>
> $ curl -i http://champin.net/
> HTTP/1.0 302 Found
> Server: BaseHTTP/0.3 Python/2.5.2
> Date: Wed, 21 Dec 2011 16:15:10 GMT
> Location: http://liris.cnrs.fr/~pchampin/
> Content-type: text/html
> Vary: Host
>
>
> > I attach the result page. It says
> >
> > The WebId Profile must be parseable
Content and transformable to an
> > RDF graph
>
> yep, if I were to be serious about
redirects I'd have to change that to say: we
don't work with
> redirects....
>
> Since we are looking for use case for
webids that redirect, let me ask you: why did
you find
> it important to have your webid redirect?
>
>
> Henry
>
> >
> > but RDF Validator is happy with it:
> >
> > http://www.w3.org/RDF/Validator/ARPServlet?URI=http%3A%2F%2Fchampin.net%2F&PARSE=Parse+URI%3A+&TRIPLES_AND_GRAPH=PRINT_TRIPLES&FORMAT=PNG_EMBED
> >
> > and it is recognized by https://auth.fcns.eu/
> >
> > pa
> >
> >
> > On 12/21/2011 02:30 PM, Henry Story
wrote:
> >>
> >> On 21 Dec 2011, at 14:05,
Sebastian Trüg wrote:
> >>
> >>> On 12/21/2011 11:19 AM,
Henry Story wrote:
> >>>>
> >>>> On 21 Dec 2011, at
09:55, Sebastian Trüg wrote:
> >>>>
> >>>>> Attached you find
the result from https://foafssl.org/test/WebId.
To be
> >>>>> honest I am not sure
if it succeeded or not, the output confuses
me. :/
> >>>>
> >>>> yes, the output of this
test suite is not as well finished as the
previous
> >>>> one. And there is a bug
there, I'll fix.
> >>>>
> >>>> Ok, so you are using a
WebID that redirects. I would suggest against
it for
> >>>> two reasons:
> >>>>
> >>>> -1. It increases the
verification time for the verifier: the
verifier has
> >>>> to potentially do 2 HTTP
connections, and in any case it has to do back
> >>>> and forth
> >>>> -2 It is possible that
some implementations don't support redirect,
as it is
> >>>> one of these less
obvious features of the web. As soon as you
add complexity
> >>>> you add ways things can
go wrong, and your identity is perhaps
important
> >>>> enough for you not to
want these things to go wrong
> >>>> (In this case my
implementation does not support it. But I can
add it)
> >>>> -3 We believe we have
worked out the security characteristics of
redirects,
> >>>> but they are less
obvious than the simple GET and will require
more work,
> >>>> so we have no language
in the spec at present covering those - it's
undefined
> >>>> one might say. In any
case they confuse Peter Williams, and risk
confusing
> >>>> military grade security
people a lot more. So if you want to log in to
higher
> >>>> security sites you may
find redirects create confusion with those
people
> >>>> implementing them. This
comes up in ISSUE-64
> >>>> http://www.w3.org/2005/Incubator/webid/track/issues/64
> >>>>
> >>>> Does that make sense?
> >>>
> >>> Well, yes. However, I am
confused. You directed me to the site which I
> >>> took this setup from.
> >>
> >> http://www.w3.org/TR/2008/NOTE-swbp-vocab-pub-20080828/
> >>
> >> Yes, it is true that the "Best
Practice Recipes for Publishing RDF
Vocabularies"
> >> covers two cases one of which
uses a redirect. The redirect is as we
mentioned
> >> may require us to think things
through in a bit more detail, though I don't
think
> >> it is a big issue.
> >>
> >>> Also you mentioned that it
would be nicer to have
> >>> web ids like http://www.trueg.de/sebastian
instead of something like
> >>> http://www.trueg.de/sebastian/foaf[#me].
> >>
> >>> So which is it? :)
> >>
> >> I think I mentioned WebIDs like
> >>
> >> http://www.trueg.de/sebastian#me
> >>
> >> rather than
> >>
> >> http://www.trueg.de/sebastian.rdf#me
> >>
> >> not
> >>
> >> http://www.trueg.de/sebastian
> >>
> >> with a redirect.
> >>
> >> I think there is a pragmatic
consideration in favour of the # one to do
with reduction
> >> in communication costs.
> >>
> >> But you are right that this
would do well to be more clearly specified in
the
> >> spec.
> >>
> >>>
> >>>> So having said that
there are a number of redirect types,
> >>>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
> >>>>
> >>>> 300 Multiple Choices
> >>>> 301 Moved Permanently
> >>>> 302 Found // we can
ignore this one
> >>>> 303 See Other
> >>>> 304 Not Modified
> >>>> 305 Use Proxy
> >>>> 307 Temporary Redirect
> >>>>
> >>>> and one needs to
consider which of these have what types of
security implications, if any.
> >>>> Perhaps there is not
much more to do here than to just think it
though. But if we want to
> >>>> help implementors
implement the WebId protocol so that you get a
consistent experience between
> >>>> each verification
service, and so that you are not left out in
the cold inexplicably
> >>>> some places and not
others, then we need to work this out. As you
see it is easier and more
> >>>> efficient to stick to
#urls.
> >>>>
> >>>> The question is if there
are any good rason for non #urls in our
authentication use case.
> >>>
> >>> Only the prettyness of the
URL which should be irrelevant in the end
> >>> since the point is to not
show it to the user, right.
> >>
> >> yes, that alone would not make
for a very good reason. Perhaps there are
others. It would
> >> be good to collect them.
> >>
> >>> I simply followed your
advise, or maybe misunderstood your advise...
> >>
> >> No you are doing well :-) You're
helping us think about this issue 2^6 here.
It's an important
> >> one.
> >>
> >> Henry
> >>
> >>>
> >>> Cheers,
> >>> Sebastian
> >>>
> >>>> Henry
> >>>>
> >>>>>
> >>>>> Cheers,
> >>>>> Sebastian
> >>>>>
> >>>>> On 12/20/2011 10:44
PM, Henry Story wrote:
> >>>>>> Ok, I have
updated the server to the new scala version.
> >>>>>>
> >>>>>> I hope it
remains up until you read this e-mail. I am
still working on the details
> >>>>>> of how to
release it. But if it is still up please let
me know if it works now
> >>>>>> with your key.
> >>>>>>
> >>>>>> Henry
> >>>>>> [snip]
> >>>>
> >>>> Social Web Architect
> >>>> http://bblfish.net/
> >>>>
> >>>>
> >>
> >> Social Web Architect
> >> http://bblfish.net/
> >>
> >>
> >
> > <WebId.html>
>
> Social Web Architect
> http://bblfish.net/
>
>
_______________________________________________
> foaf-protocols mailing list
> foaf-protocols@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
_______________________________________________
foaf-protocols mailing list
foaf-protocols@lists.foaf-project.org
http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
Social Web Architect
http://bblfish.net/
--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Social Web Architect
http://bblfish.net/
Received on Thursday, 22 December 2011 15:40:38 UTC