[foaf-dev] missing the value - of SOAP tokens cooperating with REST tokens

Peter Williams pwilliams at rapattoni.com
Thu Apr 15 18:42:05 CEST 2010

Folks with (free) windows tools might want to take a gander at

you see there an interesting mix of commodity technologies. A soap exchange enables code in running in browser/plugin to recover a (SAML) token, talking to its enterprise system (conformed of lots of vendors contributions). Then, by talking with a simplistic WRAP query to a token gateway (in Microsoft's cloud, as it happens), the SAML token is exchanged for a SWT token. The SWT token is sent to public RESTful (data) services that projects the classical entity/relationship model of the designers choice - spitting out records in some or other bit format. The token is placed in the www-auth header for delivery to the RESTful services interceptors (that just parse querystring-style dictionary, and verify an HMAC checksum.) More advanced WRAP flows allow for more intelligent browser plugins (such as those supported by cardspace's metadata-aware browsers).

sample code at http://blogs.msdn.com/justinjsmith/archive/2009/07/31/client-certificate-credential-verification.aspx shows how to add in FOAF+SSL-style certificate validation to a ws-security-protected SOAP exchange - at the SOAP server. It's just like FOAF+SSL, except there is no SSL (because layer 7 ws-security/ws-secureconversation enveloping of the SOAP elements essentially does what the SSL handshake and security context does). It's "better than" SSL in that there are no legacy cert assumptions (all certs can be managed using "peer" trust models, with little bias left towards the old VeriSign/NSA  public CA model).

The example happens to use a file as a store of cert thumbprints, whereas in the FOAF+SSL world one pings a remote FOAF card for a similar store of public keys labeled with names. If one takes a FOAF+SSL .NET library to talk to FOAF cards and do FOAF+SSL-style SPARQL queries against the key store, it should be trivial to convert the sample code to talk to Henry's FOAF+SSL infrastructure (dedicated to SSL) rather than the local file of certs identifiers - and thus re-purpose all the FOAF+SSL infrastructure to both SOAP and WRAP.

-----Original Message-----
From: foaf-dev-bounces at lists.foaf-project.org [mailto:foaf-dev-bounces at lists.foaf-project.org] On Behalf Of Story Henry
Sent: Thursday, April 15, 2010 2:10 AM
To: Toby Inkster
Cc: foaf-dev at lists.foaf-project.org; foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-dev] [foaf-protocols] fp:ping

On 15 Apr 2010, at 08:42, Toby Inkster wrote:

> On Wed, 14 Apr 2010 10:00:23 +0100
> Story Henry <henry.story at bblfish.net> wrote:
>> I would like to propose a ping relation.
> Have you seen Semantic Pingback?
> http://aksw.org/Projects/SemanticPingback

It seems unnecessarily complex. 

It uses RPC, when a simple HTML FORM can do. Why? RPC was cool 8 years ago
because it used XML!  Wow! The continuation of this lead to the SOAP
bubble, which seems to have vanished in the past year somehow.

So the suggestion seems to be that because blogging used RPC for ping,
one should use it too. But since every application developer knows how
to parse a POST, and only legacy blog developers need to learn the dying 
XML/RPC standard, I don't see why we should burden ourselves with it.
Neither do I understand why the linked data people are.

Or perhaps I have mised something.

If I have not, I'll repost the suggestion on the linked data 
mailing list.


> -- 
> Toby A Inkster
> <mailto:mail at tobyinkster.co.uk>
> <http://tobyinkster.co.uk>

foaf-dev mailing list
foaf-dev at lists.foaf-project.org

More information about the foaf-dev mailing list