[foaf-protocols] X509 Ontology for foaf+ssl
Story Henry
henry.story at bblfish.net
Mon Oct 13 19:02:34 CEST 2008
So to get the foaf+ssl basics going, it should help if we develop a
little X509 ontology. Perhaps we can get a very basic one going, with
just the classes we need for our protocol. We can then add more later
as we need them. I am not sure how much we need to, or can, integrate
this with the wot ontology.
WHAT WE NEED
------------
This is what we have been using currently, and it seems to be enough
to get us going. I am using xxx: as a prefix for the ontology that we
are working on.
:me is xxx:identity of [ a xxx:x509Certificate;
xxx:sigType xxx:md5WithRSAEncryption;
xxx:sigValue
"4d85aae9e4c4afc0384fc10b56a9cd61125e804717c0bbe324a7c85d2c9da14696a0c9eb7714e3d375a2ff0edf363c484c5dfcd779985de8ed9f29c6926f827778553bc2984276fea9c69d051ef6c7579fc610fee67feebd112c800664dc86bbc9f1794ae0d0b79f6f502fcda5c4bd24026312f1faabbc2aaae2ec35c2f5244c";
] .
I.e. we need:
- a relation from an X509 Certificate to the thing it is identifying
( xxx:identity ) ( :me )
[ the ' ... is REL of ... construction is another way of speaking
of the inverse relation to REL ]
- a way of specifying a unique identifying feature of that certificate
this requires two things it seems:
+ the value of the signature
+ the type of the signature
( Are there other ways of identifying X509 certificates? Hex ids
perhaps? )
We need this in order to help link a person to their certificate
when the server gets the key.
SKETCH OF AN X509 ONTOLOGY
--------------------------
Here is a first attempt to sketch out an ontology for X509 in UML, with
the help of Bruno Harbulot.
@prefix time: <http://www.w3.org/2006/time#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
[[
THE UML diagram is available here:
http://www.flickr.com/photos/bblfish/2938006277/sizes/o/
It could not get through the image limit of the list
]]
Notes:
- In an X509 certificate the certificate is usually (I think) about
an agent. But I imagine that one could
certify information about anything. So I tried to be a bit more
general. Perhaps I should not.
- it does not look like much in the above hangs on the particular
X509 documents. It looks like one can get a good general idea of a
certificate.
- should the signature link to the signee ? It does indirectly via
the public key that verifies it.
- the public key identifies the agent, because the agent knows the
private key
- any better name for the relation between a public key and a
private key?
the following rule needs to hold:
{ ?pubkey :identifies ?agent } => { ?agent :knows ?privateKey . ?pubkey :private ?privateKey } .
- the PGP public key is a subclass of a certificate because it
signs a number of statements about a subject
(usually at least his email address and his public key)
WHAT SHOULD ONE PUBLISH?
------------------------
In our current examples we are publishing the relation in the foaf of
the person to their certificate signature.
:me is xxx:identity of
[ a xxx:x509Certificate;
xxx:sigType xxx:md5WithRSAEncryption;
xxx:sigValue
"4d85aae9e4c4afc0384fc10b56a9cd61125e804717c0bbe324a7c85d2c9d...";
].
Should one not rather just be publishing the relation from the person
to their public key(s)? So using the
ontology sketched in the UML diagram [1]
:me is uml:identity of
[ a uml:PublicKey, uml:RSAKey;
uml:modulus "00:b3:a1:b3:3d:a9:b1:b4:87:32:97:86:9f:c4:9e:...";
uml:exponent "65537"
] .
This would be both a useful way to publish one's public key, and a way
to help confirm the relation between the foaf file and the x509
certificate. Now if one then used the Public key to sign one's own
foaf file, then in a sense the foaf file would turn out to be a
uml:Certificate.
I am still just finding my way through this space. So I may have got a
lot wrong. Don't hesitate to correct me.
Henry
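The check the post is after, a server matching the RSA public key presented in a client's X509 certificate against the modulus and exponent published in that person's foaf file, written out as an added example. This is not code from the post or from any foaf+ssl implementation. It assumes the published values arrive as string literals in the "00:b3:a1:..." colon-hex style openssl prints (as in the uml:modulus example above), and that the server has the certificate's key as a DER RSAPublicKey (modulus INTEGER, publicExponent INTEGER). The key material is constructed and far too small to be secure. The practitioner's caveat it handles: openssl prints a leading "00" byte when the modulus's top bit is set (DER's sign byte), so a textual comparison of the two strings can fail on a key that does match; comparing as integers avoids that.

```python
"""Match the RSA key in a presented X509 certificate against the key published in a foaf file.

Added example, not part of the original post or of any foaf+ssl implementation.
Assumptions: published modulus/exponent are openssl-style colon-hex / decimal strings;
the server holds the certificate's key as a DER-encoded PKCS#1 RSAPublicKey.
"""


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER: big-endian magnitude, padded with 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (PKCS#1)."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, position after this element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Extract (modulus, exponent) from a DER RSAPublicKey; reject any other shape."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    # int.from_bytes ignores the DER sign byte, so the leading 00 never matters here.
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def openssl_hex_to_int(s: str) -> int:
    """Parse the 'a1:b2:c3' style openssl prints for a modulus (with or without a leading 00)."""
    digits = s.replace(":", "").replace(" ", "").replace("\n", "")
    return int(digits, 16)


def int_to_openssl_hex(v: int) -> str:
    """Render an integer the way `openssl x509 -text` shows a modulus, leading 00 included."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ":".join(f"{b:02x}" for b in body)


def key_matches_published(cert_der: bytes, published_modulus: str, published_exponent: str) -> bool:
    """True iff the certificate's RSA key equals the (modulus, exponent) the foaf file publishes."""
    n, e = parse_rsa_public_key(cert_der)
    return n == openssl_hex_to_int(published_modulus) and e == int(published_exponent)


# Constructed sample key (not a real key; 128 bits, chosen so the top bit is set).
SAMPLE_MODULUS = 0xB3A1B33DA9B1B4873297869FC49E0F5D
SAMPLE_EXPONENT = 65537

# What the server extracts from the presented certificate ...
PRESENTED_KEY_DER = der_rsa_public_key(SAMPLE_MODULUS, SAMPLE_EXPONENT)

# ... and what the foaf file says (the uml:modulus / uml:exponent literals, already parsed out).
PUBLISHED = {
    "modulus": "00:b3:a1:b3:3d:a9:b1:b4:87:32:97:86:9f:c4:9e:0f:5d",
    "exponent": "65537",
}

if __name__ == "__main__":
    print("openssl form:", int_to_openssl_hex(SAMPLE_MODULUS))
    print("match:", key_matches_published(PRESENTED_KEY_DER, PUBLISHED["modulus"], PUBLISHED["exponent"]))
```

A foaf file that publishes the modulus without the "00:" prefix still matches, since the comparison is on the integer value; a wrong exponent or modulus does not.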