- From: Peter Williams <home_pw@msn.com>
- Date: Tue, 3 Jan 2012 20:09:47 -0800
- To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-W1DCD83FEDE16FCEF45E9592970@phx.gbl>
Henry also lost control over a UI (when Oracle bought SUN). He even lost control over the domain name about his former openid (since it just morphed from sun.com into oracle.com). This is NOT just about Peter (and his need to address reality). It's real life for Henry, too.

The world of Names in certs FOR X.500 STRONG AUTHENTICATION (not ldap authentication) was really easy. Your DUA bound to a nameless DSA, presenting a cert in the bind. It also presented the NAME as the originator, and could also (if I recall right back 20 years) identify the NAME of the server too. It did a BIND time de-referencing act, with the bind getting to an object to which it could form up a real channel (running some protocol for querying). The Bind "port" (informal term) determined if there was an object in the DIB that matched the name (by locating a compound key from cues in the name), and returned the actual (DN) address in the bind response. Thereafter, the DUA had the DN (address) derived from the Name (in the cert), for use in the querying protocol (and querying protocol security, including originator fields that were now DNs, not Names).

If the name presented at bind time (in a cert) actually turned out to reference a yellow pages entry, the DN AT BIND TIME RESPONSE would come back as the white pages entry's DN.

For the purposes then of querying (with or without signatures, and attached certs on the query), much as in ldap v3 today, a DN IN THE QUERY (not in the bind) might have multiple AVAs in an RDN. These had a different purpose to the multiple AVAs per RDN in a Name. Thus you could be distinguished with cn=peter+cn=peter2, o=UCL-CS, c=GB. The second AVA in the CN= RDN was there for fast indexing in a compound key, and other specialized purposes that you can talk about in your sleep, being db stuff.

Of course, users never saw such DNs when doing authentication, and they were certainly NOT PRINTABLE.

Anyways back to reality: having got a sparql query that describes a profile (due to inference) that my yorkporc2 name is bound to a webfinger acct URI, and thence to a couple of cert:keys stored in the ODS repository of triples, I'm going to make a cert whose SAN is the sparql protocol URI - whose describe verb generates the inferred profile on the fly. Let's see what happens at Henry's site.

> Date: Tue, 3 Jan 2012 21:39:12 -0500
> From: kidehen@openlinksw.com
> To: public-xg-webid@w3.org
> Subject: Re: WebID equivalence
>
> On 1/3/12 8:27 PM, Mo McRoberts wrote:
> > On 4 Jan 2012, at 00:56, Kingsley Idehen wrote:
> >
> >> Use a Name to do things that fit the Name Role. Don't use what many think is an Address as a Name, certainly not at first blush irrespective of deeper prowess. Use an Address for functionality folks intuitively associate with addresses e.g., data access. Use Names to Identify things.
> > I have a feeling this paragraph is meant to be fundamental to your point, but I honestly can't make head nor tail of it.
>
> Use a Name to Name things. Does an HTTP URI instinctively come across to
> the typical Web Developer as a Name? It doesn't. It comes across as an
> Address. The level of indirection is no more than 1.
> >
> > It's probably not worth the hassle of pointing out that both DN and subjectAltName are called “names” in X.509.
>
> You have a generic Name and a function specific Name (e.g. an Address).
> In the CN examples I've given you have examples of two address types
> i.e., http: scheme and mailto: scheme. The intuition of "Address" is
> there. Likewise, the intuition of a generic name re. Subject Alternative
> Name.
>
> > Only one (and even then, only parts of it) — the DN — is readily presented in interfaces, and where it is, it’s done so as a label.
>
> That isn't my core issue here. Basically, the use as label doesn't
> determine its semantics. Why are there examples of CN's with URLs all
> over the place then?
>
> > The subjectAltName is an implementation device, unlike host-meta is or the Link HTTP response header.
>
> It's a slot for Names in the generic sense. You can use URIs as well as
> other identifiers in this slot. Also please remember a URI != HTTP URI,
> solely.
>
> [SNIP]
>
> --
>
> Regards,
>
> Kingsley Idehen
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Wednesday, 4 January 2012 04:12:52 UTC