- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 09 Jan 2012 21:59:55 -0500
- To: Henry Story <henry.story@bblfish.net>
- CC: public-xg-webid@w3.org
- Message-ID: <4F0BA9AB.3000503@openlinksw.com>
On 1/9/12 7:11 PM, Henry Story wrote:
>
> On 10 Jan 2012, at 00:32, Kingsley Idehen wrote:
>
>> On 1/9/12 6:18 PM, Peter Williams wrote:
>>> Finally, I made a long uri into a tiny URI, with nice QR code. Is the point that this COULD be pointing at my proxy URI (and the cRUI could be going in the cert SAN URI?) If so, this begs the redirects question I posed a while ago. Are validators supposed to follow redirects (or not)?
>>
>> And that question manifests at some point when (if possible) we Henry get beyond what seems to be a covert mandate of # based HTTP URIs in SAN.
>
> There is no covert mission of # uris.
> That is what we keep explaining to you.
>
> The SPARQL query in the spec does not specify that. As long as the query works it is ok. Here is the page extracted:
>
>
> 3.2.4.2 Verifying the WebID Claim
>
> To check a WebID claim one has to find if the graph returned by the profile relates the WebID <https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#dfn-webid> to the Certificate <https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#dfn-certificate> Public Key <https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#dfn-public_key> with the |cert:key| relation. In other words one has to check if those statements are present in the graph.
>
>
> Verifying the WebID Claim with SPARQL
>
> Testing for patterns in graphs is what the SPARQL query language is designed to do [RDF-SPARQL-QUERY <https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#bib-RDF-SPARQL-QUERY>]. We will first look at how to use this as it is also the simplest method, and then what some other programmatic options may be.
>
> Below is the SPARQL Query Template which should be used for an RSA public key. It contains three variables |?webid|, |?mod| and |?exp| that need to be replaced by the appropriate values:
>
> PREFIX :<http://www.w3.org/ns/auth/cert#>
> PREFIX xsd:<http://www.w3.org/2001/XMLSchema#>
> ASK {
>    ?webid :key [
>       :modulus ?mod;
>       :exponent ?exp;
>    ] .
> }
>
> The variables to be replaced for each WebID claim are:
>
> Variable: details on its value.
> |?webid| should be replaced by the WebID Resource. In the SPARQL notation the URL string would be placed between |<...>| in the position of the |?webid| variable.
> |?mod| should be replaced by the modulus written as a xsd:hexBinary as specified by the cert:modulus <http://www.w3.org/ns/auth/cert#modulus> relation. All leading double 0 bytes (written "00" in hexadecimal) should be removed. The resulting hexadecimal should then be placed in the space of the XXX in |"XXX"^^xsd:hexBinary|
> |?exp| should be replaced by the public exponent written as an xsd:integer typed literal. In SPARQL as in Turtle notation this can just be written directly as an integer.
>
> Assuming that we received Bob's key whose modulus starts with |cb24ed85d64d794b6...| and whose exponent is |65537| then the following query should be used:
>
> PREFIX :<http://www.w3.org/ns/auth/cert#>
> PREFIX xsd:<http://www.w3.org/2001/XMLSchema#>
> ASK {
>    <https://bob.example/profile#me> :key [
>       :modulus "cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1"^^xsd:hexBinary;
>       :exponent 65537;
>    ] .
> }
>
> An ASK query simply returns true or false. If it returns true, then the key was found in the graph with the proper relation and the claim is verified.

You still haven't addressed the locator (address) of the document that bears the graph to which the query applies.

For the verifier: What happens if there are multiple URIs in the SAN?

For the publisher:
How do they publish using slash style of HTTP URI, for instance?
How do they publish using a # style of HTTP URI and not be exposed to the legacy libraries, frameworks etc. that send fragments over the wire?
How do they obtain and control HTTP URI based Names?

You are glossing over some serious pragmatic challenges!

>
>
> Henry
>
>
>> Once you go beyond the HTTP # based style of URI Name, you hit indirection via HTTP responses for redirection. Basically, the slash based HTTP URI and 303 issue.
>>
>>

-- 
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
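The spec excerpt quoted in this thread describes the verification step as a SPARQL ASK pattern (`?webid :key [ :modulus ?mod ; :exponent ?exp ]`) plus a rule for the modulus literal (strip leading `00` bytes). The following is an added example, not code from the thread, the WebID spec or OpenLink: it evaluates that same pattern over an in-memory set of triples so the check can be seen end to end without a SPARQL engine. Its triple representation (IRIs and blank nodes as strings, literals as `(lexical form, datatype)` tuples), the constructed profile graph for Bob, the deliberately short made-up modulus and the helper names (`normalize_modulus`, `profile_document_url`, `build_ask_query`, `ask_key_in_graph`) are all assumptions of the example. `profile_document_url` only shows the fragment-stripping step a verifier performs before fetching a `#`-style WebID's document; it does not answer the slash-URI, 303 or multiple-SAN questions raised in the reply.

```python
# Added example, not code from the thread or the WebID spec: a minimal
# verifier that applies the spec's ASK pattern
#     ?webid :key [ :modulus ?mod ; :exponent ?exp ]
# to an in-memory set of triples. The graph below is constructed here and
# the modulus is a short made-up hex string, not a real RSA key.
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"
XSD = "http://www.w3.org/2001/XMLSchema#"


def normalize_modulus(hex_modulus: str) -> str:
    """Canonical form of a cert:modulus lexical value: lower-case hex with
    every leading 00 byte removed, as the spec text requires. Applying the
    same rule to both sides makes the comparison independent of how the
    publisher wrote the literal."""
    h = "".join(hex_modulus.split()).lower()
    while h.startswith("00"):
        h = h[2:]
    return h


def profile_document_url(webid: str) -> str:
    """Document a verifier dereferences for a #-style WebID: the URI with
    its fragment removed (the fragment is never sent over the wire)."""
    return urldefrag(webid).url


def build_ask_query(webid: str, modulus_hex: str, exponent: int) -> str:
    """Fill the spec's SPARQL ASK template with the certificate's values."""
    return (
        f"PREFIX :<{CERT}>\n"
        f"PREFIX xsd:<{XSD}>\n"
        "ASK {\n"
        f"   <{webid}> :key [\n"
        f'      :modulus "{normalize_modulus(modulus_hex)}"^^xsd:hexBinary;\n'
        f"      :exponent {exponent};\n"
        "   ] .\n"
        "}\n"
    )


def ask_key_in_graph(triples, webid: str, modulus_hex: str, exponent: int) -> bool:
    """Evaluate the ASK pattern without a SPARQL engine.

    triples: iterable of (subject, predicate, object); IRIs and blank nodes
    are plain strings, literals are (lexical_form, datatype_iri) tuples.
    Returns True when some key node reached from the WebID via cert:key
    carries both a matching modulus and a matching exponent (both on the
    same node, exactly as the bracketed blank node in the query demands)."""
    triples = set(triples)
    wanted_mod = normalize_modulus(modulus_hex)
    for s, p, o in triples:
        if s != webid or p != CERT + "key" or not isinstance(o, str):
            continue
        key_node = o
        mods, exps = set(), set()
        for ss, pp, obj in triples:
            if ss != key_node or not isinstance(obj, tuple):
                continue
            lex, dtype = obj
            if pp == CERT + "modulus" and dtype == XSD + "hexBinary":
                mods.add(normalize_modulus(lex))
            elif pp == CERT + "exponent" and dtype == XSD + "integer":
                exps.add(int(lex))
        if wanted_mod in mods and exponent in exps:
            return True
    return False


BOB = "https://bob.example/profile#me"
# Constructed profile graph for Bob, as a verifier might load it after
# fetching profile_document_url(BOB); "_:k1" is the blank node for the key.
# The published modulus carries a leading 00 byte and upper-case hex on
# purpose, to exercise the normalisation rule.
BOB_GRAPH = {
    (BOB, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", ("00CB24ED85D64D794B69C701C186ACC059", XSD + "hexBinary")),
    ("_:k1", CERT + "exponent", ("65537", XSD + "integer")),
}

# Values as they would be read from the client certificate (constructed).
CERT_MODULUS = "cb24ed85d64d794b69c701c186acc059"
CERT_EXPONENT = 65537

if __name__ == "__main__":
    print("fetch:", profile_document_url(BOB))
    print(build_ask_query(BOB, CERT_MODULUS, CERT_EXPONENT))
    print("claim verified:", ask_key_in_graph(BOB_GRAPH, BOB, CERT_MODULUS, CERT_EXPONENT))
```

The check is deliberately conjunctive per key node: a modulus on one `cert:key` node and the exponent on another must not verify, which is also what the bracketed blank node in the spec's query enforces.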
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 10 January 2012 03:00:24 UTC