[foaf-protocols] foaf.me with https, vs http
Peter Williams
home_pw at msn.com
Fri Jan 22 04:13:35 CET 2010
I've set myself a couple of new implementation goals that go beyond the
security apparatus, now that I've a critical mass of code (*).
Complete the work on using Windows AzMan to now process the multiple
claimsets for the multiple authorization tokens signaled to the foaf+ssl
endpoint, acting as a guard to the resource (post authentication). This is
nice and general showing foaf+ssl can work with platform support where folks
may have investment in existing business/authorization logics.
In
http://cid-05061d4609325b60.skydrive.live.com/self.aspx/Public/Tying%20FOAF%20identity%20with%20the%20identity%20semantics%20of%20OpenID.pdf
page 6 we previously discussed how an RP might interact with an (openid) IDP
not by redirecting simple messages by location header but by using sparql.
I.e. the artifact binding would be the sparql protocol and custom queries
(rather than using name value pairs or querystring values as a bearer for
signals).
Of particular interest is the notion that the openid IDP would return a
tagged graph (not just an xml-formatted dictionary resultset of (ax-like)
variables bound to some user profile strings). This means I'm going to have
to be able to dynamically create .NET types given the structure of the graph
to be constructed, so I get strong type checking.
Since I've now got enough know-how to be using Microsoft ASP.NET factory
objects to dynamically add a sparql endpoint for documents (of various kinds
and serializations), and since foaf+ssl enables a mutually-authenticated
transport session for the sparql protocol, I think I can explore building my
first protocol engine that is a custom instance of a sparql server (vs
classical state machines handling API interfaces and wire messages as
inputs). Rather than think of the sparql engine as a query tool fronting a
bunch of triple stores, now it's a factory for making custom communication
endpoints.
The .NET semweb toolkit has a sparql client class, which I'll alter to support
foaf+ssl keying from a .p12 file (much as I do in my simple HTTP client form
in the FOAF+SSL demonstrator for .NET).
Since I have Rick Stahl's openid2-powered RP working now, I can treat the
delivery of the openid positive assertion and its claimed id (providing it's
a URI) as an artifact signal - and use the sparql client (above) as an
artifact resolver - which pings the IDP's endpoint for collecting the
assertion it signed, timestamped and minted (pending pickup) on releasing
the claimedID. I think this will need to look up the webid in the FOAF store,
given the openid input.
An open question will then be: how do I determine the sparql endpoint of the
IDP? Normally, I'd obtain and parse its discovery file, which lists all its
services, and select the right type given the rel type on the link. But W3C
folks are kinda against that, since it's the wrong type of XML list for
their tastes. I don't know what the right answer here is. Help welcome.
(*) I really want to thank folks for putting up with me. This semweb-related
project has been great fun. It's indirectly taught me C# functional
programming, which allows me to actually understand the implementation of the
semweb library (now!). I can also see how sparql itself allows one to create
data-centric interfaces that are about much more than just querying some
data using some query language. I still need to dominate how parse trees of
SPARQL queries become metadata that .NET can reflect upon, in implementing
the IQueryable generic for sparql (vs SQL) queries, but finding out how all
this kind of stuff works is all good fun!
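The artifact-resolver step sketched above (take the claimed id from the openid positive assertion, then ask the IDP's sparql endpoint, over a foaf+ssl client-certificate session, which webid it is bound to) as an added example in Python. This is not the author's .NET code and not part of the original post; the endpoint URL, the certificate file names, and the use of foaf:openid as the property linking a webid to its openid are assumptions made for illustration.

```python
# Added example (not the author's code). Resolves an OpenID claimed identifier
# to a WebID by sending a SPARQL Protocol query to an IDP endpoint over a
# client-certificate (foaf+ssl) authenticated HTTPS session. The endpoint
# URL, certificate file names and the use of foaf:openid as the linking
# property are assumptions made for illustration.
import json
import ssl
import urllib.parse
import urllib.request
from typing import List, Optional

SPARQL_RESULTS_JSON = "application/sparql-results+json"
_IRI_FORBIDDEN = set('<>"{}|\\^`')


def webid_for_openid_query(claimed_id: str) -> str:
    """Build the lookup query. The claimed id arrives in the OpenID assertion,
    i.e. from the network, so it is validated as an absolute http(s) IRI before
    being interpolated: a '>' or whitespace in it would otherwise let a hostile
    party rewrite the query (the SPARQL analogue of SQL injection)."""
    parts = urllib.parse.urlsplit(claimed_id)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("claimed id must be an absolute http(s) URI")
    if any(c in _IRI_FORBIDDEN or ord(c) <= 0x20 for c in claimed_id):
        raise ValueError("claimed id contains characters not allowed in an IRI")
    return (
        "PREFIX foaf: <http://xmlns.com/foaf/0.1/>\n"
        "SELECT ?webid WHERE { ?webid foaf:openid <%s> }" % claimed_id
    )


def build_sparql_get(endpoint: str, query: str) -> urllib.request.Request:
    """SPARQL Protocol 'query via GET': the query travels percent-encoded in the
    ?query= parameter and the Accept header asks for the JSON results form."""
    url = endpoint + "?" + urllib.parse.urlencode({"query": query})
    return urllib.request.Request(url, headers={"Accept": SPARQL_RESULTS_JSON})


def client_cert_context(cert_pem: str, key_pem: str,
                        ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context that presents the foaf+ssl client certificate.
    Python's ssl module loads PEM, not PKCS#12, so a .p12 is converted first:
        openssl pkcs12 -in client.p12 -out client.pem -nodes
    Server verification is left on (the default) so the assertion is collected
    from the IDP we intend to talk to, not from any TLS server at that name."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx


def parse_webids(results_json: bytes) -> List[str]:
    """Pull the ?webid bindings out of a SPARQL results JSON document."""
    doc = json.loads(results_json)
    return [b["webid"]["value"] for b in doc["results"]["bindings"]]


def resolve_webid(endpoint: str, claimed_id: str, ctx: ssl.SSLContext,
                  timeout: float = 10.0) -> List[str]:
    """Artifact resolver: ask the IDP's SPARQL endpoint which WebID(s) are
    bound to the claimed id delivered in the OpenID positive assertion."""
    req = build_sparql_get(endpoint, webid_for_openid_query(claimed_id))
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        if resp.headers.get_content_type() != SPARQL_RESULTS_JSON:
            raise RuntimeError("endpoint did not return SPARQL JSON results")
        return parse_webids(resp.read())


if __name__ == "__main__":
    # Usage sketch against an assumed endpoint; file names are placeholders.
    ctx = client_cert_context("client.pem", "client.pem", ca_pem=None)
    print(resolve_webid("https://idp.example/sparql",
                        "https://alice.example/openid", ctx))
```

The query builder refuses anything that is not a clean absolute IRI, because the RP has no control over what an IDP puts in the claimed id; the TLS context keeps server verification on even though the point of the exchange is client authentication, since a resolver that will talk to any server presenting any certificate is easy to redirect.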
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Peter
Williams
Sent: Wednesday, January 20, 2010 7:51 PM
To: 'Akbar Hossain'
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] foaf.me with https, vs http
So the task mentioned is a project I'll address over the next 2 weeks. It
turns out that "Silverlight" controls have a nice good ol' BSD style socket
interface (so you can avoid whatever it is that things like the Mozilla
layer entities in its browser communication stack do (or don't do)). And, the
java ssl class from GNU are included in the semweb library (for .NET). So, I
don't know if it will work, but the goal is to see what (if any) of my own
client side SSL I can get working. It's time to move into ssl src, I think,
and leave behind the sandboxes of the platforms.
I've more or less worked through my list of work items from about 4 weeks
ago. Only 2 projects were a complete failure: I failed to host a modern
windows restful service with restful web bindings in the asp.net runtime I
load behind the foaf+ssl listener (though I can run them from _within_
the listener's part of the process). And I could not implement my own server
side handlers for digest auth (due to some security controls that prevent
one from writing certain headers, in the obvious way - even though the same
code works when hosted in IIS!).
One interesting experiment is to have the client induce server-side
destruction of the transport session by doing a TCP close WITHOUT first
doing an SSL close. For conforming servers, this forces the server to cease
further use of that transport session (ssl3 sessionid) on ALL outstanding
connections, including those connections derived from the pre-master secret
tied to the SSL3 sessionid.
Good luck