- From: Peter Williams <home_pw@msn.com>
- Date: Mon, 28 Nov 2011 17:39:17 -0800
- To: <andrei@fcns.eu>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
I vote we impose a limit of one, but that the text says... a future version of the standard will very likely reconsider this limit, as user experience is gained. Similarly, I vote that the hexbinary format of the modulus in a webid profile should be required to be only lower-case hex digits (rather than free form). I'm tempted to suggests that only 1 URI be permitted in the cert too, with similar language about the strong likelihood of this changing as anticipated needs actually materialize. ________________________________ > Date: Tue, 29 Nov 2011 00:18:23 +0100 > From: andrei@fcns.eu > To: public-xg-webid@w3.org > Subject: Re: Updated IdP to new spec. > > Hi Kingsley, > > Yeah, it looks like I forgot to limit the test for the number of public > keys a foaf profile can have. Maybe we can have a formal discussion on > this subject. > > What would be a "best practice" in this case? > > How many keys can we have in a single profile, so that it will not look > like a DoS attack? > > Andrei > > > On 11/28/11 22:01, Kingsley Idehen wrote: > Andrei, > > Output from testing a latest WebID from our generator [1][2] against > your verifier. I notice you scan all six of the public key relations in > my graph. What happens it there were more? Wouldn't your system > timeout? Luckily I cleaned out the 30+ relations I had prior to this > test. What about performing an explicit lookup? > > > * Checking ownership of certificate (public key matches private > key)... PASSED (Reason: GENEROUS) > > * Checking if certificate contains URIs in the subjectAltName field... PASSED > > * Found 1 URIs in the certificate (a maximum of 3 will be tested). > > * Checking URI > 1 (http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)... > - Trying to fetch and process certificate(s) from webid profile... > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... - FAILED > WebID=f4990925e526be2.......a5c172d91fafa01 > Cert =994d0067dd21021.......ca1e663983345d3 > > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... - FAILED > WebID=c9cbdde371ea987.......c3d4e28dfe27423 > Cert =994d0067dd21021.......ca1e663983345d3 > > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... - FAILED > WebID=d633f04252a9b3f.......e719cb59227d8a7 > Cert =994d0067dd21021.......ca1e663983345d3 > > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... - FAILED > WebID=db0aec1b33f4909.......8ea627df06f60b3 > Cert =994d0067dd21021.......ca1e663983345d3 > > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... - FAILED > WebID=cd3ff1569dc66df.......e3ab848cfccd1e7 > Cert =994d0067dd21021.......ca1e663983345d3 > > Testing if the modulus representation matches the one in the > webid (found a modulus value)... > > Testing modulus... PASSED > WebID=994d0067dd21021.......ca1e663983345d3 > Cert =994d0067dd21021.......ca1e663983345d3 > > Match found, ignoring futher tests! > > * Authentication successful! > > > > > Your certificate contains the following WebIDs: > > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this > > The WebID URI used to claim your identity is: > > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this > (your claim was SUCCESSFUL!) > > The WebID URL suffix (to be signed) for your service provider is: > > * > ?webid=http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00<http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this%26ts%3d2011-11-28UTC20%3a53%3a50+00%3a00> > > Unless both of those strings map to the same number, your > identification experience will vary across clients. > > > > > Your certificate in PEM format: > > -----BEGIN CERTIFICATE----- > MIIDlDCCAv2gAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCVVMx > FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAc > BgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVu > bGluay5uZXQwHhcNMTExMTI4MjA1MDI4WhcNMTIxMTI3MjA1MDI4WjCBgzEtMCsG > A1UEAxMkS2luZ3NsZXkgVXlpIElkZWhlbiAoTXlPcGVuTGluayBOZXcpMSswKQYD > VQQKEyJPcGVuTGluayBTb2Z0d2FyZSAoTXlPcGVuTGluayBJZFApMSUwIwYJKoZI > hvcNAQkBFhZraWRlaGVuQG9wZW5saW5rc3cuY29tMIIBIjANBgkqhkiG9w0BAQEF > AAOCAQ8AMIIBCgKCAQEAmU0AZ90hAhmkSb6xhPIOpQ6ajKces9uLQl/1yPBW1PiK > VZxhfk9LILVGNZEdRcYk1B+Ejmzfo62hpo9u3Iu9RbVBjsNsy7DAWtqNkdnCq16p > P5gkuukObDMXmMLINCdgy0lMu9Mhg8E81Dy9wMInbGm85j9wkO3CCypN5E9WgAFu > GeEgV76AAfOjMWHS/quH21o1Hn7aM+MHts1UonGg6kpHupOY1/ERGBIc7KcIYuhm > cZj1/BmSQXHYdYsuHSd/c8d6DFjWKO/a3pdBhXVT6qTFTILEXwiy7xurj3RSrt57 > jjgsqcJFd2XBRRXJIVLFi93arnHPxpEcoeZjmDNF0wIDAQABo4GeMIGbMB0GA1Ud > DgQWBBQQpXFH3GrJwhziRGoN6dvlFLF0fTBLBgNVHREERDBChkBodHRwOi8vaWQu > bXlvcGVubGluay5uZXQvZGF0YXNwYWNlL3BlcnNvbi9LaW5nc2xleVV5aUlkZWhl > biN0aGlzMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlm > aWNhdGUwDQYJKoZIhvcNAQEFBQADgYEAuL9WUixSviSQA6AeIoTguFbam7XA/med > eoPnQ13o0erjkAjui+5UBLIMzih4r6Ma/wMrO3HsmU3Zw9/jPyJd+sWXaeYdQOPt > 7S+rDHLoYJrafoWA1UORCp/HuOpB2JIdX4pxAO4tNKPQr29I2GdCu3RoTgVrkdNP > HrF0JktHuj0= > -----END CERTIFICATE----- > > > > Your certificate in text format: > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 176 (0xb0) > Signature Algorithm: sha1WithRSAEncryption > Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc, CN=id.myopenlink.net > Validity > Not Before: Nov 28 20:50:28 2011 GMT > Not After : Nov 27 20:50:28 2012 GMT > Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software (MyOpenLink IdP)/emailAddress=kidehen@openlinksw.com<mailto:IdP%29/emailAddress=kidehen@openlinksw.com> > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (2048 bit) > Modulus (2048 bit): > 00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2: > 0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0: > 56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91: > 1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f: > 6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da: > 8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33: > 17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1: > 3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed: > c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be: > 80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e: > da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93: > 98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98: > f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7: > 7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4: > c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de: > 7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52: > c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33: > 45:d3 > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Subject Key Identifier: > 10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D > X509v3 Subject Alternative Name: > URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this > Netscape Comment: > Virtuoso Generated Certificate > Signature Algorithm: sha1WithRSAEncryption > b8:bf:56:52:2c:52:be:24:90:03:a0:1e:22:84:e0:b8:56:da: > 9b:b5:c0:fe:67:9d:7a:83:e7:43:5d:e8:d1:ea:e3:90:08:ee: > 8b:ee:54:04:b2:0c:ce:28:78:af:a3:1a:ff:03:2b:3b:71:ec: > 99:4d:d9:c3:df:e3:3f:22:5d:fa:c5:97:69:e6:1d:40:e3:ed: > ed:2f:ab:0c:72:e8:60:9a:da:7e:85:80:d5:43:91:0a:9f:c7: > b8:ea:41:d8:92:1d:5f:8a:71:00:ee:2d:34:a3:d0:af:6f:48: > d8:67:42:bb:74:68:4e:05:6b:91:d3:4f:1e:b1:74:26:4b:47: > ba:3d > > > -- > > Regards, > > Kingsley Idehen > Founder & CEO > OpenLink Software > Company Web: http://www.openlinksw.com > Personal Weblog: http://www.openlinksw.com/blog/~kidehen > Twitter/Identi.ca handle: @kidehen > Google+ Profile: https://plus.google.com/112399767740508618350/about > LinkedIn Profile: http://www.linkedin.com/in/kidehen > > > > > >
Received on Tuesday, 29 November 2011 01:39:48 UTC