[foaf-protocols] http://test.foafssl.org/cert/
Story Henry
henry.story at bblfish.net
Fri Jan 30 10:30:36 CET 2009
Dear Friends,
I have put a lot of late nights in the last week putting together a
very simple certificate creation service for foaf+ssl . It is now up
and running on a cloud service at
http://test.foafssl.org/cert/
In one click this creates an X509 cert that is loaded to the browser
with the URL of the foaf:OnlineAccount, that it also creates. This
online Account is really nothing special. It is just an rdf document.
You can see a few of those created here http://test.foafssl.org/certs/ .
They contain RDF such as this
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rsa: <http://www.w3.org/ns/auth/rsa#> .
@prefix : <#> .

<http://bblfish.net/people/henry/card#me>
    foaf:holdsAccount :accnt .

:accnt a foaf:OnlineAccount;
    foaf:accountServiceHomePage </cert/> .

[] a rsa:RSAPublicKey;
    cert:identity :accnt;
    rsa:modulus """
a3423146a072a33086073bda802c6d34be45a05081af6b801ae786ec1fcbb2d5be330ac434640ab
35298e54eb2a0c9dafef372be236b8b61b517d052d7daea9c2460307e823c22e556d634ed76ed00
88af2d631b493abd694c47d248398d2c94bfc043f687ce573b9cb88a3478962c06727c3e975236c
843a8e7fa43e653cd01"""^^cert:hex;
    rsa:public_exponent "65537"^^cert:decimal .
So this document provides you with an account that links to your
WebID.
If the server you log into does not want to know anything about you,
this could be enough. If a server, say a foaf+ssl enabled wiki, wanted
to know about the Person whose account this was, they would have to
follow the foaf:holdsAccount relation (in the inverse direction), and
get that resource.
Of course, as you will notice when you use the service, you can
put anyone's Web Id in the form and get a certificate. So the service
should not trust what the Account document says. It needs to check
that something else makes it believe that this account really is
related to that person. The most efficient way to do this is of course
for the user to have his foaf list that account too.
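The trust decision described above, as an added example that is not code from the original post or from the foaf+ssl service: the relying party accepts the account only if the key in the account document matches the presented certificate AND the WebID's own FOAF document also asserts foaf:holdsAccount. Graphs are constructed in-memory triple sets standing in for the fetched Turtle documents; the account URI and the short modulus are assumed values.

```python
# Added example, not part of the original post. Graphs are sets of
# (subject, predicate, object) triples; a real verifier would parse them
# from the fetched Turtle documents instead of constructing them inline.
CERT = "http://www.w3.org/ns/auth/cert#"
FOAF = "http://xmlns.com/foaf/0.1/"
RSA = "http://www.w3.org/ns/auth/rsa#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

WEBID = "http://bblfish.net/people/henry/card#me"
ACCOUNT = "http://test.foafssl.org/certs/example#accnt"  # constructed URI

def modulus_from_cert_hex(literal):
    """cert:hex literals may be wrapped across lines inside a triple-quoted
    string, so strip all whitespace before parsing the hex digits."""
    return int("".join(literal.split()), 16)

# Constructed stand-in for the account document the service creates.
ACCOUNT_DOC = {
    (WEBID, FOAF + "holdsAccount", ACCOUNT),
    (ACCOUNT, RDF_TYPE, FOAF + "OnlineAccount"),
    ("_:key", RDF_TYPE, RSA + "RSAPublicKey"),
    ("_:key", CERT + "identity", ACCOUNT),
    ("_:key", RSA + "modulus", modulus_from_cert_hex("a3423146a0\n72a33086")),
    ("_:key", RSA + "public_exponent", 65537),
}

# Constructed stand-in for the FOAF file served at the WebID itself.
WEBID_DOC = {(WEBID, FOAF + "holdsAccount", ACCOUNT)}

def key_bound_to_account(account_doc, account, modulus, exponent):
    """True if the account document binds exactly this RSA key (as taken
    from the client certificate) to the account."""
    keys = {s for s, p, o in account_doc if p == CERT + "identity" and o == account}
    return any((k, RSA + "modulus", modulus) in account_doc and
               (k, RSA + "public_exponent", exponent) in account_doc
               for k in keys)

def webid_confirms_account(webid_doc, webid, account):
    """The inverse check: the WebID's own document must list the account,
    because anyone can make the service emit an account doc for any WebID."""
    return (webid, FOAF + "holdsAccount", account) in webid_doc

def verify(account_doc, webid_doc, webid, account, modulus, exponent):
    """Accept only when both documents agree on key and account ownership."""
    return (key_bound_to_account(account_doc, account, modulus, exponent)
            and webid_confirms_account(webid_doc, webid, account))
```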
So there is a lot that needs to be done still to make this better, and
perhaps even releasable. It is open source, and I welcome contributions.
The work put into this was mainly learning a few new frameworks such
as Wicket and the GlassFish application server, writing the code, and
then finding a server and deploying to it. I first deployed it to my
local server, but found there was not enough memory or hard drive
space (my disk was 95% full), then on another server that was lent to
me without guarantees, and that crashed at a few key moments. So I
ended up getting some cloud computing space at gogrid.com, who gave me
a two months free trial. I also bought various foafssl domains, not
because I necessarily think this is the best name, nor because I think
this will be a popular name that will become a verb like Google, but
just to avoid some mischievous person buying the domain and creating
confusion. When we have done our initial exploration and if we arrive
at the stage where a more formal standards process is required I'll be
happy to give these over if still needed to that body.
Henry
Blog: http://blogs.sun.com/bblfish