- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 11 Jan 2012 20:05:31 +0100
- To: Peter Williams <home_pw@msn.com>
- Cc: <j.jakobitsch@semantic-web.at>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
On 11 Jan 2012, at 17:17, Peter Williams wrote:
> 
>  "a verifier currently MUST reject non-# uris that don't respond with 303"
>  
>  
> To enforce the secure naming/addressing requirements, do the above. It really means a validation agent MUST raise an exception to an authentication event, when a SAN URI presented in non-# URI form fails to respond with a 303 See Also.
Yes, one can go down that route. But what is the security risk?
It would be useful to hash that out (so to speak).
>  
> This is quite similar to secure X.500 directory DAP (used in military networks for secure message, still) and XRI servers in trusted resolution model (not actually used anywhere on the planet, to my albeit limited knowledge).
Ok, so if this is similar to something you know, can you bring out the simplest possible scenario that reveals the security issue that could be had?
> It all properly handles the security enforcing semantics of what other communities call cross references in synonym space (http to https synonyms handed through owl:sameAs in this community). It also properly handles the security enforcing semantics of what other communities call naming domains (counter intuitively), in which authority for certain rdf:types is split between several management entities, for the same named entity. The latter partitions the rdf:types giving each a different controlling authority, and different replication patterns are applied to each partition (thus keys can be replicated with roaming in a manner distinct from other rdfs entities - foaf:Person being distinctly handled from foaf:PersonalProfileDocument). It also allows for things like rdfs sub-property rule inferencing, so there one can maintain the illusion of a single entity (conformed from multiple partitions). I see ALL this nicely handled, in Kingsley's system (making webid "viable", now).
I find this difficult to understand presumably because I don't know the technologies you are speaking about (secure x500 or XRI solutions), nor the mapping that you are using to map it to the semantic web terms. But that should not be relevant. As you are getting better at working in the semantic space now, it should be easy to put together a simple scenario.
Henry
>  
>  
>  
>  
> Subject: Re: Slash URIs and WebID Experiment
> From: henry.story@bblfish.net
> Date: Wed, 11 Jan 2012 17:05:49 +0100
> CC: j.jakobitsch@semantic-web.at; public-xg-webid@w3.org
> To: home_pw@msn.com
> 
> 
> On 11 Jan 2012, at 16:32, Peter Williams wrote:
> 
> 
>  Excellent. The last month was not a waste of time. Not only did I learn something, the spec must surely have improved considerably. WebID is starting to map closely onto the world of openXRI servers I played with 2 years ago for the "trusted resolution" modes of (advanced) openid (adding dynamic signed responses to the chain of XRDs hosting the service access point descriptors, and handling formal cross-references between https/http namespaces and naming domains (partitions of governance) using "secure" redirects).
>  
> I also learned that on the typical Windows MVC3 platform, I'm going to struggle to host even a webid profile (since it's not easy to produce 303 - the framework is quite hostile to changing the patterns it's just engineered).
> 
> Why do you need to produce a 303 requiring URL? You can use a #tag url.
> 
> 
>  
> we also have an answer to the question: does a validation agent follow redirects. Yes, and they are security critical (which was hushed up, before today).
> 
> Where did you get that answer from? Sorry I might have missed something here.
> Can you explain or point me to where you found this?
> 
>  
> With the spec in such flux on such important security matters, there is just no way I'm going to make a full implementation by Fri midnight. There are just too many hurdles in the way, presented by the very platforms I'm using. But, I'll see if I can get a collection of "useful windows" techniques together, that someone else can run with one day. I failed. 
>  
> But, it's a useful fail - because it just boots someone else, who at least has the overall structure right. They just need to figure how to make Windows be natively friendly to all these engineering assumptions, without just running a third party server on a socket (as in my 32-bit trial of a validation agent)
>  
>  
>  
> > Date: Wed, 11 Jan 2012 15:47:53 +0100
> > From: j.jakobitsch@semantic-web.at
> > To: home_pw@msn.com
> > CC: public-xg-webid@w3.org
> > Subject: Re: Slash URIs and WebID Experiment
> > 
> > hi,
> > 
> > conclusion : 
> > 
> > if none of the solutions kingsley presented [see below] is applied 
> > a verifier currently MUST reject non-# uris that don't respond with 303 if said verifier wants to be spec-compliant.
> > 
> > wkr j
> > 
> > 
> > ----- Original Message -----
> > From: "Peter Williams" <home_pw@msn.com>
> > To: public-xg-webid@w3.org
> > Sent: Wednesday, January 11, 2012 12:58:25 AM
> > Subject: RE: Slash URIs and WebID Experiment
> > 
> > 
> > Now answer the hard question I asked a long time ago (before folks with actual intelligence analyzed the issue). 
> > 
> > one cannot assume the self-signed or not-signed cert sender does it right - and that is the nature of the project (recall). (If it wasn't I'd have had a windows SSL verifier up a long time ago.) 
> > 
> > So, what MUST the verifier do. 
> > 
> > As it stands, some reject, some don't. Henry told: its sort of ok-ish, just recognize folks may think you are a document. Having been a queen, I don't mind being anything at this point. If I can be a document and get access, I don't care. I'm not here to be anything but a (stupid) user, or hacker, gaming the system. 
> > 
> > Now, there could be a rule that says: Verifiers shall insist http/s URIs have a particular syntax. The webid URI is rejected, if it's not. 
> > 
> > FCNS code does not so reject; but others do for this syntactic reason alone, or for reasons derived from its consequences on then resolving the name. For a while, I believed FCNS was the arbiter, a conformance testing site. But, it's not the case, it accepts at least 2 profile/certs that others reject. 
> > 
> > 
> > 
> > 
> > 
> > 
> > > Date: Tue, 10 Jan 2012 18:33:32 -0500 
> > > From: kidehen@openlinksw.com 
> > > To: public-xg-webid@w3.org 
> > > Subject: Re: Slash URIs and WebID Experiment 
> > > 
> > > On 1/10/12 6:27 PM, Jürgen Jakobitsch wrote: 
> > > > hi kingsley, 
> > > > 
> > > > i'm glad i could help, thanks for making it as clear as it can get. 
> > > > 
> > > > i have updated my profile and i feel much better as "any kind of resource" than as "information resource" :) 
> > > > 
> > > > for people who want to follow your steps below, i did backup my old slash-profile @http://www.turnguard.com/mylifeasdocument. 
> > > > 
> > > > one note on my old profile and uriburner : you might have an old version cached. 
> > > > 
> > > > 
> > > > so your point is simply, 
> > > > 
> > > > if we want webid to stick (hard) to linked data principles, we must have a possibility to put the difference between 
> > > > name and address into the certificate. why? because linked data principles are not limited to 2-in-1-hash-uris
> > > > and a webid like http://www.turnguard.com/mylifeasdocument must be rejected because it can't be both (name and address) 
> > > > without breaking said principles. 
> > > > 
> > > > right? 
> > > 
> > > Amen! 
> > > 
> > > Kingsley 
> > > > wkr j 
> > > > 
> > > > ----- Original Message ----- 
> > > > From: "Kingsley Idehen"<kidehen@openlinksw.com> 
> > > > To: public-xg-webid@w3.org 
> > > > Sent: Tuesday, January 10, 2012 7:35:53 PM 
> > > > Subject: Re: Slash URIs and WebID Experiment 
> > > > 
> > > > On 1/10/12 11:58 AM, Jürgen Jakobitsch wrote: 
> > > >> hi, 
> > > >> 
> > > >> i'm not sure if this webid [1] meets your test criteria. anyway here are the results. 
> > > >> 
> > > >> 1. http://id.myopenlink.net/ods/webid_demo.html 
> > > >> accepted 
> > > >> 2. https://webid.turnguard.com:8443/WebIDTestServer/ 
> > > >> accepted 
> > > >> 3. https://resourceme.bergnet.org 
> > > >> failed 
> > > >> 3.1. http://www.w3.org/2005/Incubator/webid/earl/RelyingParty#profileGet => failed 
> > > >> and consequently all tests southwards failed. 
> > > >> 4. http://webid.fcns.eu/ 
> > > >> passed (when using https://auth.fcns.eu/auth/index.php?authreqissuer=http://webid.fcns.eu/index.php) 
> > > >> passed (when using https://foafssl.org/srv/idp?authreqissuer=http://webid.fcns.eu/index.php) 
> > > >> 5. https://foafssl.org/test/WebId 
> > > >> passed 
> > > >> 
> > > >> cleared cache, cookies and active logins (in firefox) and retried 
> > > >> 
> > > >> 6. https://resourceme.bergnet.org 
> > > >> failed 
> > > >> 6.1.http://www.w3.org/2005/Incubator/webid/earl/RelyingParty#profileAllKeysWellFormed => failed 
> > > >> and consequently all tests southwards failed. 
> > > >> 
> > > >> wkr j 
> > > >> 
> > > >> [1] http://www.turnguard.com/turnguard 
> > > > Jurgen, 
> > > > 
> > > > For WebID, great i.e., you put it in SAN and it worked. 
> > > > 
> > > > For Linked Data no [1][2]! 
> > > > 
> > > > What you have proven is this: WebID doesn't need the full fidelity of 
> > > > Linked Data. If it did, then your use of a slash URI that returns a 200 
> > > > OK means Name/Address ambiguity, a Linked Data no-no. Ultimately, you 
> > > > end up with problems associated with object equivalence fidelity (be it 
> > > > by names or values). Using more conventional Linked Data parlance, via 
> > > > this URI, you are confusing yourself with a document. 
> > > > 
> > > > Conclusion: your slash URI doesn't exhibit the same Linked Data 
> > > > characteristics demonstrated by mine [3][4]. That's not a bad thing 
> > > > since my fundamental point is that: 
> > > > 
> > > > 1. my slash based HTTP URI is generated by my Linked Data platform. 
> > > > 
> > > > 2. use of my platform or others, shouldn't be the base requirement for 
> > > > WebID if it seeks full Linked Data fidelity as a mandatory requirement 
> > > > for HTTP URIs in a Certs. SAN. 
> > > > 
> > > > You are proving my point ! 
> > > > 
> > > > SPARQL Query Proof: 
> > > > 
> > > > ## using old WebID query pattern since your graph is using old WebID 
> > > > related relations still 
> > > > 
> > > > PREFIX cert: <http://www.w3.org/ns/auth/cert#> 
> > > > PREFIX rsa: <http://www.w3.org/ns/auth/rsa#> 
> > > > PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> 
> > > > SELECT * WHERE { 
> > > >   ?identity cert:identity <http://www.turnguard.com/turnguard> . 
> > > >   ?identity rsa:modulus ?m ; 
> > > >             rsa:public_exponent ?e . } 
> > > > 
> > > > SPARQL Protocol URL Links: 
> > > > 
> > > > 1. http://uriburner.com/c/IBZM4R -- sparql query results 
> > > > 2. http://uriburner.com/c/IBJUQG -- sparql query editor. 
> > > > 
> > > > 
> > > > Links: 
> > > > 
> > > > 1. http://uriburner.com/c/IBJUQP -- URI debugger output (note: re. 
> > > > Linked Data that should be a 200 OK) 
> > > > 
> > > > 2. http://uriburner.com/c/IBJUQS -- note how it shows you only have 
> > > > descriptor (information) resource address 
> > > > 
> > > > 3. http://uriburner.com/c/IBZM45 -- notice the 303 (how HTTP message 
> > > > exchange is used to facilitate indirection via redirection) 
> > > > 
> > > > 4. http://uriburner.com/c/IBYXSV -- note how the report concludes that I 
> > > > have a generic Name distinct from a descriptor (information) resource 
> > > > address. 
> > > > 
> > > > Thank you once again, for helping me showcase an inevitable problem for 
> > > > those who want to start their WebID journey in commodity/consumer mode 
> > > > leveraging "cut, paste, and place at an address" patterns i.e., the most 
> > > > common Web technology exploitation pattern. 
> > > > 
> > > > Solutions: 
> > > > 
> > > > 1. Lower Linked Data fidelity requirements in WebID -- it becomes an 
> > > > option, so 200 OK is fine if the SPARQL ASK still works 
> > > > 2. Allow multiple HTTP URIs in SAN where functions are clear re. Name 
> > > > and Address roles 
> > > > 3. Consider another (optional) location for the descriptor (information) 
> > > > resource address e.g. sIA. 
> > > > 
> > > > We need at least one of the above to address the problem introduced by 
> > > > HTTP URIs. One that many just don't understand until bitten. 
> > > > 
> > > > 
> > > > Kingsley 
> > > >> ----- Original Message ----- 
> > > >> From: "Kingsley Idehen"<kidehen@openlinksw.com> 
> > > >> To: "WebID XG"<public-xg-webid@w3.org> 
> > > >> Sent: Tuesday, January 10, 2012 3:30:32 PM 
> > > >> Subject: Slash URIs and WebID Experiment 
> > > >> 
> > > >> All, 
> > > >> 
> > > >> The URI: 
> > > >> http://id.myopenlink.net/about/id/entity/http/twitter.com/kidehen , is 
> > > >> now fine for testing purposes. 
> > > >> 
> > > >> I've verified successfully using: 
> > > >> 
> > > >> 1. http://id.myopenlink.net/ods/webid_demo.html 
> > > >> 2. https://webid.turnguard.com:8443/WebIDTestServer/ 
> > > >> 3. https://resourceme.bergnet.org 
> > > >> 4. http://webid.fcns.eu/ 
> > > >> 5. https://foafssl.org/test/WebId . 
> > > >> 
> > > >> 
> > > >> Now, it would be nice to see someone else produce a Cert. with a slash 
> > > >> based HTTP URI in its SAN that passes through all of the above, or at 
> > > >> least a majority of them. 
> > > >> 
> > > >> At this juncture, for experimentation you have the following HTTP URI 
> > > >> based Names: 
> > > >> 
> > > >> 1. http://kingsley.idehen.net/dataspace/person/kidehen#this 
> > > >> 2. http://id.myopenlink.net/about/id/entity/http/twitter.com/kidehen . 
> > > >> 
> > > >> 
> > > > 
> > > 
> > > 
> > > -- 
> > > 
> > > Regards, 
> > > 
> > > Kingsley Idehen 
> > > Founder & CEO 
> > > OpenLink Software 
> > > Company Web: http://www.openlinksw.com 
> > > Personal Weblog: http://www.openlinksw.com/blog/~kidehen 
> > > Twitter/Identi.ca handle: @kidehen 
> > > Google+ Profile: https://plus.google.com/112399767740508618350/about 
> > > LinkedIn Profile: http://www.linkedin.com/in/kidehen 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > -- 
> > | Jürgen Jakobitsch, 
> > | Software Developer
> > | Semantic Web Company GmbH
> > | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> > | A - 1070 Wien, Austria
> > | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
> > 
> > COMPANY INFORMATION
> > | http://www.semantic-web.at/
> > 
> > PERSONAL INFORMATION
> > | web : http://www.turnguard.com
> > | foaf : http://www.turnguard.com/turnguard
> > | skype : jakobitsch-punkt
> 
> Social Web Architect
> http://bblfish.net/
Social Web Architect
http://bblfish.net/
Received on Wednesday, 11 January 2012 20:04:20 UTC
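The verifier rule the thread argues over (a hash URI is fine as-is; a slash URI must answer 303 to keep the Name distinct from its descriptor document; a 200 OK on a slash URI is rejected unless fidelity is lowered as in Kingsley's solution 1), written out as an added Python example that is not code from the thread or from any WebID implementation. The hostnames, the hop cap and the injected `head` function are constructed assumptions so it runs offline:

```python
from urllib.parse import urldefrag, urljoin

# Assumption: a small cap on how many 303 hops a verifier follows; the thread
# notes redirects are security critical, so an unbounded chain is not followed.
MAX_HOPS = 5

def classify_webid(webid, head, strict=True):
    """Decide whether a SAN URI is usable as a WebID and where its profile document lives.

    `head` is an injected function head(url) -> (status_code, location_header_or_None).
    With strict=True a slash URI answering 200 OK is rejected (Name/Address
    ambiguity); strict=False models "solution 1" (lowered Linked Data fidelity).
    """
    doc, frag = urldefrag(webid)
    if frag:
        # Hash URI: name and document address differ by the fragment alone,
        # so no redirect is needed to keep them apart.
        return {"accept": True, "reason": "hash uri", "document": doc}
    url, hops = webid, 0
    while True:
        status, location = head(url)
        if status == 303 and location:
            hops += 1
            if hops > MAX_HOPS:
                return {"accept": False, "reason": "too many 303 redirects"}
            url = urljoin(url, location)  # resolve relative Location headers
            continue
        if status == 200:
            if hops:
                return {"accept": True, "reason": "303 to descriptor", "document": url}
            if strict:
                return {"accept": False,
                        "reason": "200 OK on slash uri: name/address ambiguity"}
            return {"accept": True, "reason": "200 OK allowed (lowered fidelity)",
                    "document": url}
        return {"accept": False, "reason": f"unexpected status {status}"}

# Constructed responses standing in for live HEAD requests (not real hosts).
RESPONSES = {
    "http://example.org/people/alice": (303, "/people/alice.ttl"),
    "http://example.org/people/alice.ttl": (200, None),
    "http://example.org/mylifeasdocument": (200, None),
    "http://example.org/loop": (303, "/loop"),
    "http://example.org/moved": (302, "/elsewhere"),
}

def fake_head(url):
    return RESPONSES.get(url, (404, None))
```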