Re: Updated IdP to new spec.

Hi Kingsley,

Yeah, it looks like I forgot to limit the test for the number of public 
keys a foaf profile can have. Maybe we can have a formal discussion on 
this subject.

What would be a "best practice" in this case?

How many keys can we have in a single profile, so that it will not look 
like a DoS attack?

Andrei


On 11/28/11 22:01, Kingsley Idehen wrote:
> Andrei,
>
> Output from testing a latest WebID from our generator [1][2] against 
> your verifier. I notice you scan all six of the public key relations 
> in my graph. What happens it there were more? Wouldn't your system 
> timeout? Luckily I cleaned out the 30+ relations I had prior to this 
> test. What about performing an explicit lookup?
>
>
> * Checking ownership of certificate (public key matches private 
> key)...PASSED(Reason: GENEROUS)
>
> * Checking if certificate contains URIs in the subjectAltName 
> field...PASSED
>
> * Found 1 URIs in the certificate (a maximum of 3 will be tested).
>
> * Checking URI 
> 1(http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)...
>   - Trying to fetch and process certificate(s) from webid profile...
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...- FAILED
>             WebID=f4990925e526be2.......a5c172d91fafa01
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...- FAILED
>             WebID=c9cbdde371ea987.......c3d4e28dfe27423
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...- FAILED
>             WebID=d633f04252a9b3f.......e719cb59227d8a7
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...- FAILED
>             WebID=db0aec1b33f4909.......8ea627df06f60b3
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...- FAILED
>             WebID=cd3ff1569dc66df.......e3ab848cfccd1e7
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
>         Testing if the modulus representation matches the one in the 
> webid (found a modulus value)...
>
>           Testing modulus...PASSED
>             WebID=994d0067dd21021.......ca1e663983345d3
>              Cert  =994d0067dd21021.......ca1e663983345d3
>
> *Match found, ignoring futher tests!*
>
> * Authentication successful!
>
> Your certificate contains the following WebIDs:
>
>   * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
>
>
> The WebID URI used to claim your identity is:
>
>   * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
>     (your claim wasSUCCESSFUL!)
>
>
> The WebID URL suffix (to be signed) for your service provider is:
>
>   * ?webid=http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00
>
>
> Unless both of those strings map to the same number, your 
> identification experience will vary across clients.
>
> *Your certificate in PEM format:*
> -----BEGIN CERTIFICATE-----
> MIIDlDCCAv2gAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCVVMx
> FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAc
> BgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVu
> bGluay5uZXQwHhcNMTExMTI4MjA1MDI4WhcNMTIxMTI3MjA1MDI4WjCBgzEtMCsG
> A1UEAxMkS2luZ3NsZXkgVXlpIElkZWhlbiAoTXlPcGVuTGluayBOZXcpMSswKQYD
> VQQKEyJPcGVuTGluayBTb2Z0d2FyZSAoTXlPcGVuTGluayBJZFApMSUwIwYJKoZI
> hvcNAQkBFhZraWRlaGVuQG9wZW5saW5rc3cuY29tMIIBIjANBgkqhkiG9w0BAQEF
> AAOCAQ8AMIIBCgKCAQEAmU0AZ90hAhmkSb6xhPIOpQ6ajKces9uLQl/1yPBW1PiK
> VZxhfk9LILVGNZEdRcYk1B+Ejmzfo62hpo9u3Iu9RbVBjsNsy7DAWtqNkdnCq16p
> P5gkuukObDMXmMLINCdgy0lMu9Mhg8E81Dy9wMInbGm85j9wkO3CCypN5E9WgAFu
> GeEgV76AAfOjMWHS/quH21o1Hn7aM+MHts1UonGg6kpHupOY1/ERGBIc7KcIYuhm
> cZj1/BmSQXHYdYsuHSd/c8d6DFjWKO/a3pdBhXVT6qTFTILEXwiy7xurj3RSrt57
> jjgsqcJFd2XBRRXJIVLFi93arnHPxpEcoeZjmDNF0wIDAQABo4GeMIGbMB0GA1Ud
> DgQWBBQQpXFH3GrJwhziRGoN6dvlFLF0fTBLBgNVHREERDBChkBodHRwOi8vaWQu
> bXlvcGVubGluay5uZXQvZGF0YXNwYWNlL3BlcnNvbi9LaW5nc2xleVV5aUlkZWhl
> biN0aGlzMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlm
> aWNhdGUwDQYJKoZIhvcNAQEFBQADgYEAuL9WUixSviSQA6AeIoTguFbam7XA/med
> eoPnQ13o0erjkAjui+5UBLIMzih4r6Ma/wMrO3HsmU3Zw9/jPyJd+sWXaeYdQOPt
> 7S+rDHLoYJrafoWA1UORCp/HuOpB2JIdX4pxAO4tNKPQr29I2GdCu3RoTgVrkdNP
> HrF0JktHuj0=
> -----END CERTIFICATE-----
>
>
> *Your certificate in text format:*
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 176 (0xb0)
>          Signature Algorithm: sha1WithRSAEncryption
>          Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc, CN=id.myopenlink.net
>          Validity
>              Not Before: Nov 28 20:50:28 2011 GMT
>              Not After : Nov 27 20:50:28 2012 GMT
>          Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software (MyOpenLinkIdP)/emailAddress=kidehen@openlinksw.com
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
>              RSA Public Key: (2048 bit)
>                  Modulus (2048 bit):
>                      00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2:
>                      0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0:
>                      56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91:
>                      1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f:
>                      6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da:
>                      8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33:
>                      17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1:
>                      3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed:
>                      c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be:
>                      80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e:
>                      da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93:
>                      98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98:
>                      f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7:
>                      7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4:
>                      c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de:
>                      7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52:
>                      c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33:
>                      45:d3
>                  Exponent: 65537 (0x10001)
>          X509v3 extensions:
>              X509v3 Subject Key Identifier:
>                  10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D
>              X509v3 Subject Alternative Name:
>                  URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
>              Netscape Comment:
>                  Virtuoso Generated Certificate
>      Signature Algorithm: sha1WithRSAEncryption
>          b8:bf:56:52:2c:52:be:24:90:03:a0:1e:22:84:e0:b8:56:da:
>          9b:b5:c0:fe:67:9d:7a:83:e7:43:5d:e8:d1:ea:e3:90:08:ee:
>          8b:ee:54:04:b2:0c:ce:28:78:af:a3:1a:ff:03:2b:3b:71:ec:
>          99:4d:d9:c3:df:e3:3f:22:5d:fa:c5:97:69:e6:1d:40:e3:ed:
>          ed:2f:ab:0c:72:e8:60:9a:da:7e:85:80:d5:43:91:0a:9f:c7:
>          b8:ea:41:d8:92:1d:5f:8a:71:00:ee:2d:34:a3:d0:af:6f:48:
>          d8:67:42:bb:74:68:4e:05:6b:91:d3:4f:1e:b1:74:26:4b:47:
>          ba:3d
>
> -- 
>
> Regards,
>
> Kingsley Idehen	
> Founder&  CEO
> OpenLink Software
> Company Web:http://www.openlinksw.com
> Personal Weblog:http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile:https://plus.google.com/112399767740508618350/about
> LinkedIn Profile:http://www.linkedin.com/in/kidehen
>
>
>
>

Received on Monday, 28 November 2011 23:19:01 UTC