RE: Updated IdP to new spec.

I vote we impose a limit of one, but that the text says... a future version of the standard will very likely reconsider this limit, as user experience is gained.

 

 

Similarly, I vote that the hexbinary format of the modulus in a webid profile should be required to be only lower-case hex digits (rather than free form).

 

 

I'm tempted to suggests that only 1 URI be permitted in the cert too, with similar language about the strong likelihood of this changing as anticipated needs actually materialize.

 

________________________________
> Date: Tue, 29 Nov 2011 00:18:23 +0100 
> From: andrei@fcns.eu 
> To: public-xg-webid@w3.org 
> Subject: Re: Updated IdP to new spec. 
> 
> Hi Kingsley, 
> 
> Yeah, it looks like I forgot to limit the test for the number of public 
> keys a foaf profile can have. Maybe we can have a formal discussion on 
> this subject. 
> 
> What would be a "best practice" in this case? 
> 
> How many keys can we have in a single profile, so that it will not look 
> like a DoS attack? 
> 
> Andrei 
> 
> 
> On 11/28/11 22:01, Kingsley Idehen wrote: 
> Andrei, 
> 
> Output from testing a latest WebID from our generator [1][2] against 
> your verifier. I notice you scan all six of the public key relations in 
> my graph. What happens it there were more? Wouldn't your system 
> timeout? Luckily I cleaned out the 30+ relations I had prior to this 
> test. What about performing an explicit lookup? 
> 
> 
> * Checking ownership of certificate (public key matches private 
> key)... PASSED (Reason: GENEROUS) 
> 
> * Checking if certificate contains URIs in the subjectAltName field... PASSED 
> 
> * Found 1 URIs in the certificate (a maximum of 3 will be tested). 
> 
> * Checking URI 
> 1 (http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)... 
> - Trying to fetch and process certificate(s) from webid profile... 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... - FAILED 
> WebID=f4990925e526be2.......a5c172d91fafa01 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... - FAILED 
> WebID=c9cbdde371ea987.......c3d4e28dfe27423 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... - FAILED 
> WebID=d633f04252a9b3f.......e719cb59227d8a7 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... - FAILED 
> WebID=db0aec1b33f4909.......8ea627df06f60b3 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... - FAILED 
> WebID=cd3ff1569dc66df.......e3ab848cfccd1e7 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Testing if the modulus representation matches the one in the 
> webid (found a modulus value)... 
> 
> Testing modulus... PASSED 
> WebID=994d0067dd21021.......ca1e663983345d3 
> Cert =994d0067dd21021.......ca1e663983345d3 
> 
> Match found, ignoring futher tests! 
> 
> * Authentication successful! 
> 
> 
> 
> 
> Your certificate contains the following WebIDs: 
> 
> * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> 
> The WebID URI used to claim your identity is: 
> 
> * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> (your claim was SUCCESSFUL!) 
> 
> The WebID URL suffix (to be signed) for your service provider is: 
> 
> * 
> ?webid=http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00<http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this%26ts%3d2011-11-28UTC20%3a53%3a50+00%3a00> 
> 
> Unless both of those strings map to the same number, your 
> identification experience will vary across clients. 
> 
> 
> 
> 
> Your certificate in PEM format: 
> 
> -----BEGIN CERTIFICATE----- 
> MIIDlDCCAv2gAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCVVMx 
> FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAc 
> BgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVu 
> bGluay5uZXQwHhcNMTExMTI4MjA1MDI4WhcNMTIxMTI3MjA1MDI4WjCBgzEtMCsG 
> A1UEAxMkS2luZ3NsZXkgVXlpIElkZWhlbiAoTXlPcGVuTGluayBOZXcpMSswKQYD 
> VQQKEyJPcGVuTGluayBTb2Z0d2FyZSAoTXlPcGVuTGluayBJZFApMSUwIwYJKoZI 
> hvcNAQkBFhZraWRlaGVuQG9wZW5saW5rc3cuY29tMIIBIjANBgkqhkiG9w0BAQEF 
> AAOCAQ8AMIIBCgKCAQEAmU0AZ90hAhmkSb6xhPIOpQ6ajKces9uLQl/1yPBW1PiK 
> VZxhfk9LILVGNZEdRcYk1B+Ejmzfo62hpo9u3Iu9RbVBjsNsy7DAWtqNkdnCq16p 
> P5gkuukObDMXmMLINCdgy0lMu9Mhg8E81Dy9wMInbGm85j9wkO3CCypN5E9WgAFu 
> GeEgV76AAfOjMWHS/quH21o1Hn7aM+MHts1UonGg6kpHupOY1/ERGBIc7KcIYuhm 
> cZj1/BmSQXHYdYsuHSd/c8d6DFjWKO/a3pdBhXVT6qTFTILEXwiy7xurj3RSrt57 
> jjgsqcJFd2XBRRXJIVLFi93arnHPxpEcoeZjmDNF0wIDAQABo4GeMIGbMB0GA1Ud 
> DgQWBBQQpXFH3GrJwhziRGoN6dvlFLF0fTBLBgNVHREERDBChkBodHRwOi8vaWQu 
> bXlvcGVubGluay5uZXQvZGF0YXNwYWNlL3BlcnNvbi9LaW5nc2xleVV5aUlkZWhl 
> biN0aGlzMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlm 
> aWNhdGUwDQYJKoZIhvcNAQEFBQADgYEAuL9WUixSviSQA6AeIoTguFbam7XA/med 
> eoPnQ13o0erjkAjui+5UBLIMzih4r6Ma/wMrO3HsmU3Zw9/jPyJd+sWXaeYdQOPt 
> 7S+rDHLoYJrafoWA1UORCp/HuOpB2JIdX4pxAO4tNKPQr29I2GdCu3RoTgVrkdNP 
> HrF0JktHuj0= 
> -----END CERTIFICATE----- 
> 
> 
> 
> Your certificate in text format: 
> 
> Certificate: 
> Data: 
> Version: 3 (0x2) 
> Serial Number: 176 (0xb0) 
> Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc, CN=id.myopenlink.net 
> Validity 
> Not Before: Nov 28 20:50:28 2011 GMT 
> Not After : Nov 27 20:50:28 2012 GMT 
> Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software (MyOpenLink IdP)/emailAddress=kidehen@openlinksw.com<mailto:IdP%29/emailAddress=kidehen@openlinksw.com> 
> Subject Public Key Info: 
> Public Key Algorithm: rsaEncryption 
> RSA Public Key: (2048 bit) 
> Modulus (2048 bit): 
> 00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2: 
> 0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0: 
> 56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91: 
> 1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f: 
> 6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da: 
> 8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33: 
> 17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1: 
> 3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed: 
> c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be: 
> 80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e: 
> da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93: 
> 98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98: 
> f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7: 
> 7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4: 
> c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de: 
> 7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52: 
> c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33: 
> 45:d3 
> Exponent: 65537 (0x10001) 
> X509v3 extensions: 
> X509v3 Subject Key Identifier: 
> 10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D 
> X509v3 Subject Alternative Name: 
> URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> Netscape Comment: 
> Virtuoso Generated Certificate 
> Signature Algorithm: sha1WithRSAEncryption 
> b8:bf:56:52:2c:52:be:24:90:03:a0:1e:22:84:e0:b8:56:da: 
> 9b:b5:c0:fe:67:9d:7a:83:e7:43:5d:e8:d1:ea:e3:90:08:ee: 
> 8b:ee:54:04:b2:0c:ce:28:78:af:a3:1a:ff:03:2b:3b:71:ec: 
> 99:4d:d9:c3:df:e3:3f:22:5d:fa:c5:97:69:e6:1d:40:e3:ed: 
> ed:2f:ab:0c:72:e8:60:9a:da:7e:85:80:d5:43:91:0a:9f:c7: 
> b8:ea:41:d8:92:1d:5f:8a:71:00:ee:2d:34:a3:d0:af:6f:48: 
> d8:67:42:bb:74:68:4e:05:6b:91:d3:4f:1e:b1:74:26:4b:47: 
> ba:3d 
> 
> 
> -- 
> 
> Regards, 
> 
> Kingsley Idehen 
> Founder & CEO 
> OpenLink Software 
> Company Web: http://www.openlinksw.com 
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen 
> Twitter/Identi.ca handle: @kidehen 
> Google+ Profile: https://plus.google.com/112399767740508618350/about 
> LinkedIn Profile: http://www.linkedin.com/in/kidehen 
> 
> 
> 
> 
> 
>  		 	   		  

Received on Tuesday, 29 November 2011 01:39:48 UTC