RE: what are claims mirrors? from Peter Williams on 2012-01-16 (public-xg-webid@w3.org from January 2012)

From: Peter Williams <home_pw@msn.com>
Date: Mon, 16 Jan 2012 08:00:38 -0800
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <SNT143-W650C7EA18D278DD7FAC11E92830@phx.gbl>
Ive tried three times to get off this list using the declared process, and am still getting endless mail.  I have both evidence and proof that Ive sent the confirmation tokens acknolwedging that I, as registered email account user, authorize and require W3C to stop distributing the mailing lists mail to my emailbox.  Help me, leave. I have things to do (and this stuff is too much fun). While Im suffering, Kingsley means for claims mirror that the certificate and and master record can be mirrored in a seconday master, as in classical multi-mastering clustering. I made a yorkporc2.blogspot.com dataspace (known as a blog site). It has a author-centric profile page (whose vcard/hcard I ignore). It has a RSS-feed Person object (which I ignore). they are ignored becuase I have little or no control over their values (due to blogspot's user control concept). It has 1 post, that is bookmarked as the lead post on the home page. Said post publishes an RDFa Webid Profile (using the Foaf ontology). It also publishes an owl:sameAs relation noting a particular linkeddata.uriburner.com URI as a potential multi-mastering endpoint. linkeddata.uriburner.com is my preferred multi-mastering partner. I induce that linked data space to mirror both my webid profile and my certificate (which is just a second owl:sameAs identity property in my webid profile).  once the mirror exists,  I "acknowlegde" to the world that the linkeddataluriburner.com is actually an authoritative multi-mastering partner by puttings it proxy URI in my cert, as SAN URI #2. I update my webid profile changing the owl:sameAs identity relation to be a renewed cert (now with 2 SAN names). When I perform the SSL handshake, I assert the SAN array of names and a modulus to a relying party. This is a statement of authority, and locates endpoints and identifies entities. The webid validation agent verifies and validates, eventually acting as a temporary claims mirror itself, by creating a web session between browser and site based on the relied upon nameidentifier, computed using Kingsley's/Jurgens URI "nameidentifier" management rule (#URIs, 303 for /URIs etc). Note the term used for the consturct "nameidentifier" - which comes from SAML2 and ws-fedp. Its very similar to the openid claimedid/identifier. I also have an openid.delegation relation in my webid profile outer HTML, though not in the graph. In the multi-mastered claim mirror in linkeddata.uriburner.com, this is prsent in my entity graph. It enables one to make coherent inferences between the Person in the RSS stream alternative of the webid profiles site, with the vcard in the same site, with the webid profile bookmarked on the home page of said site, and the mirrored claims on the authoritative multi-mastering endpoints, in my cluster. This is all very good, and very webby. Its similar to but  different to my making a conenction between my second webid profile (in ODS) to my Facebook graph, connected via the OAUTH handshake and not the owl:sameAs semantics. The connection is not the same however; as a a conenction between a profile and a data graph service of another (Facebook) user is not the same as linkeddata.uriburner being an authoritative multi-master for either of my profiles. Yes, linkeddata.uriburner.com is an multi-master (and not a slave secondary) becuase it collates and infers (vcard, Person, and openid properties) that are not present in the pure webid profile I typed and enterred as a blog post. Its inferences are authoritative, as I acknowledged said property by adding the proxy profile URI to the SAN URI list, as entry #2. My cert is signed, and has cert-using controls and copyrights requiring an act of reliance that governs any webid validation agent. The authority authorized the openid proxy run by OpenLinkId to bridge the openid identifier world used by the entire Windows/Azure world to webid to the world of linked data and webid. An openid relying party will be relying upon my blogspot site URI (a slash form URI) as an openid identifier, which has a webid URi in its proof theorems (hidden from the openid relying party). In establishing the proof, the openid proxy OP uses my cert and the openid identifier_select mode of the openid auth v2 protocol, to assert that the proxy URI is under my control (and is authoritative), and that it is furthermore an Authorized openid OP for my openid identifier delivered to openid consumers. Now, can I get off this list, please? I need to work on today's problems. If I have time, Ill work on stting up an instance of Virtuoso and its odata endpoint, so via ADO.NET I can link to linkeddata entities as I do to Azure CRM Online entitites. I can justify that use of time.           
 > From: henry.story@bblfish.net
> Date: Mon, 16 Jan 2012 14:47:33 +0100
> CC: public-xg-webid@w3.org
> To: kidehen@openlinksw.com
> Subject: Re: what are claims mirrors?
> 
> 
> On 16 Jan 2012, at 13:11, Kingsley Idehen wrote:
> 
> > On 1/16/12 6:20 AM, Henry Story wrote:
> >> Kingsley keeps speaking of "Claims mirrors" in support of his arguments. What are they? How do they work?
> >> 
> >> Henry
> >> 
> >> Social Web Architect
> >> http://bblfish.net/
> >> 
> >> 
> >> 
> > I mean the graph that is created in the IdP space.
> 
> So you mean the WebID Profile, as specified in 
> http://www.w3.org/2005/Incubator/webid/spec/#publishing-the-webid-profile-document
> ?
> 
> In that illustration it would be <https://bob.example/profile> ?
> 
> What is the IDP in this scenario? IDP is a word that comes from OpenId. In OpenID the IDP is the service one links to from one's profile page. But in WebID we don't have an IDP in that sense. 
> 
> 
> > It holds a mirror of claims in the x.509 certificate in a local key store.
> 
> You mean the WebID Profile is mirroring the claims in the X509 certificate?
> 
> > 
> > We make certificates and persist them to a local keystore. We then make a set of claims via triples in Idp oriented data space that mirrors whats in the local key store.
> 
> So given that WebID does not require an IdP, it is even more mysterious what an "IDP oriented dataspace" is.
> 
> > 
> > If you have a relation associating a subject with a public key in a certificate that resides in your local store, having the same relation in your idp oriented data space via triples implies a mirror.
> 
> In that case can we just use the word from the spec namely the WebID Profile?
> 
> > 
> > I hope that clears up the matter of "mirrored claims" re. WebID.
> > 
> > btw -- some Idp spaces will mirror other claims too e.g. fingerprints, some can even hold a complete carbon copy of the x.509 certificate.
> > 
> > 
> > -- 
> > 
> > Regards,
> > 
> > Kingsley Idehen	
> > Founder&  CEO
> > OpenLink Software
> > Company Web: http://www.openlinksw.com
> > Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> > Twitter/Identi.ca handle: @kidehen
> > Google+ Profile: https://plus.google.com/112399767740508618350/about
> > LinkedIn Profile: http://www.linkedin.com/in/kidehen
> > 
> > 
> > 
> > 
> > 
> > 
> 
> Social Web Architect
> http://bblfish.net/
> 
>
Received on Monday, 16 January 2012 16:01:10 UTC