Re: needs someone to replicate a windows validator, done in non native (i.e. user mode) SSL.

The issue is that my codes older sparql engine distinguishes between int and integer (as syntaxes imposed on strings in xsd land).

Henry sea to want conforming engines to have some more modern feature that makes the issue go away. My Ciso gut complements the software engineering viewpoint. Standards have to fit reality, and deal with the dross out there.

This is where we get to set tone. Are we researchers using the latest tools, or folks making a commodity market (preparing for legacy)

Sent from my iPhone

On Dec 30, 2011, at 12:07 PM, "Kingsley Idehen" <kidehen@openlinksw.com> wrote:

> On 12/30/11 1:34 PM, Peter Williams wrote:
>> 
>> yes its another day, and the web is not cooperating (as usual). But, it can be made too, at least for one trial. Someone with windows programming tools is sought, to replicate a working validation of an ODS client cert.
>>  
>> Ive abandoned native windows SSL (if you recall), and native windows serving of RDFa files (if you recall). Ive even abaonded trying to use the RDFa examples in the spec, as definitive test cases. None of this was productive.
>>  
>> I have built a command-line tool on dotnet (on win32) that is a https listener, courtesy of Mentalis (a "no GPL" site). Since its source code SSL, it now accepts any client cert and lets me control 100% issue of validity.
>>  
>> I built the custom command window command-line browser tool, that does https to said command window web server, listening on a socket. it sends and receives fragments on the wire however I want them to be, since its source code. It uses an ODS provisioned .p12  file for client keying, exported from Opera.
>>  
>> Both tools have been set to do https mutual auth with SSL3, and they use and consume a .p12 and associated certs exported from a webid/profile issued by id.myopenlink.net. THe latter serves the webid profile resource publicly, and it also keyed the cert in the particular trial. Yes, you can now also logon with webid to that account, with admin privs...
>>  
>> Using my webid validator from a month ago (moved over from IIS, to my command tool web server now assured to have webid-friendly SSL and http message handling), it uses the appspot translator now, rather than talis. This is to avoid talis' propensity to scrape facts I didnt assert, while putting any users document format in my readers preffered reading format. It now also strips the fragment (if present) from the SAN URI, before using         it to collect triples via a translator service.
>>  
>> http://rdf-translator.appspot.com/parse?url=http%3a%2f%2fid.myopenlink.net%3a80%2fdataspace%2fperson%2fhome_pw&of=xml&html=1 DOES succeed to becomes a memory store of triples (when you remove the final querystring html=1). Its easy to see the cert:key predicate (s) for the right subject, in the right form. This is good.
>>  
>> I then do the required ASK (the same one as used to work against my own yorkporc RDFa card). 
>> "PREFIX : <http://www.w3.org/ns/auth/cert#>\nPREFIX xsd: <http://www.w3.org/2001/XMLSchema#>\nASK 
>> {\n<http://id.myopenlink.net/dataspace/person/home_pw#this> :key [\n:modulus \"a33d6be6af1abe197d1b9ce9f03b423ba90a264634e425be0f6ce237906784ec15c5d5de0fdbcb99fae0d6cf4ff5c4123187e3c19b2f55e9ce5bb5902485866ca6e60304458effe823837cc430b2d40369c7d2dcc3beaa4e22e094446b66f213b41a0c02ae17cbbc1ec863b1797624df36b307a270f162ef6358f48b4f0a447db50c477038b936b7b37e496af51f67156813e2372cf11abca89b615eba033d7cf932586794b96d7940ad61e0c516fdb0c07d2e1bb7cedb54fcd4c466c196d8db\"^^xsd:hexBinary ;\n:exponent \"65537\"^^xsd:integer ;\n] .\n}\n"
>>  
>> Guess what, it fails. Heys, it's the web.
>>  
>> I notice the resource provider uses the int (not the integer) form of data format for the string type of the modulus. Im going to guess thats the issue.
>>  
>> Whats the right thing to do, with my (older) class of Sparql engine? What does the spec advise, to real world engineers with realworld tools (of various vintages)? Not a lot.
>>  
>>  
>> For now, I just do 2 ASK queries one assuming ^^xsd:integer and the other assuming ^^xsd:int. 
>>  
>> That done, I can say I built a validator on windows. Of course, its unassured (being crypto in user space, and does a funky logic for verification). But, it soft of maps to the spec, in engineering terms. Being all source, one works around "issues". It could be using hardware crypto, given the excellent engineering Mentalis did.
>>  
>> With that fix, I "validated" an ODS cert. There is only a rdfs reasoner loaded, so I dont know how "well" I validated, though, in terms of any owl statements.
>>  
>> The zip file, with source and binaries, is https://skydrive.live.com/redir.aspx?cid=05061d4609325b60&resid=5061D4609325B60!944&parid=5061D4609325B60!863&authkey=!ABbY7w72PSO17u4
>>  
>> Obviously, all the usual rules apply (its as is, who knows about rights and licenses Ive abused, and have fun coding). A windows programmer should be able to replicate the experiment in an hour - since it has all test inputs provided (server certs, client certs to ODS, passwords, etc.). I used .Net 4 and Windows 2008 R2, well patched. Its likely to rebuild and work on really 10 year old .NET and windows platforms, too. 
>>  
>> Its all rather RSA focussed, due to the orientation of Mentalis.
>>  
>> I didnt try TLS, and TLS 1.2 doesnt look like its offered.
>>  
>>  
>>  
>>  
>>  
>>  
> Peter,
> 
> Basic tests again the RDF resource using URIBurner's SPARQL endpoint: 
> 
> 
> 1. http://uriburner.com/c/IAMR6C   -- SPARQL SELECT results
> 
> 2. http://uriburner.com/c/IAMR56 -- SPARQL SELECT Query Text
> 
> More specific queries based on modulus component of Public Key via SPARQL ASK:
> 
> 1. http://uriburner.com/c/IAEAAM -- Query Results
> 
> 2. http://uriburner.com/c/IAMR5Z -- Query Text. 
> 
> Do you have a .p12 file I can look at? Or just confirm the URIs used in your Certs. SAN. 
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	      
> Founder & CEO 
> OpenLink Software     
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 
> 
> 
> 

Received on Friday, 30 December 2011 20:59:56 UTC