[foaf-protocols] Multiple entries in SAN in mod_authn_webid

Henry Story henry.story at bblfish.net
Thu Sep 2 13:40:10 CEST 2010

On 27 Aug 2010, at 12:45, Kingsley Idehen wrote:

> On 8/27/10 5:10 AM, Joe Presbrey wrote:
>> On Thu, Aug 26, 2010 at 6:59 PM, Kingsley Idehen <kidehen at openlinksw.com>
>>  wrote:
>>> We also support SANs with multiple entries. Thus it begs the question:
>>> how many WebID implementations don't support this important capability?
>>> Are we still debating this matter re. WebID spec?

Clerezza checks all WebIDs, which is one method. But we somehow need to specify this clearly: Whatever WebID you verify is a handle you can use. So if the Relying Party is satisfied with just checking 1 that's ok. Each verification step verfies that id. A clever server might want to check the WebIDs in parallel. It may also want to accept the authentication as soon as one id is verified, then continue the other verification in the background.

It is going to be somewhat delicate to write this out clearly. I will try.

>> What other important capabilities of WebID do you implement that we're
>> missing in Apache? (We're trying to replace 'AuthType Basic' with
>> 'AuthType WebID')

What is this?
> Hmm. don't know of the top of my head, maybe when the ESW Wiki page re. capabilities is done, we can reconcile that way :-)

That would be cool. Where are we there Melvin?

> Don't know if this is relevant re. Apache:
> We do support Webfinger (for mailto: and acct: scheme URIs) and  Fingerpoint - which enables dealing with the dilemma of having mailto: and acct: scheme URIs that co-reference a given Subject in a Cert that doesn't carry WebID, via owl:sameAs or IFP inference.

That is cool. We should somewhow work out a way to leave open in the spec that these options are possible. One way to do this is to speak of a canonical dereferencing procedure - though that works somewhat less well with mailto: as mailto does not have such a procedure.

Also the protocols are a bit new still, so for the moment I think working with them is a good will effort. And I am not so sure of the benefit. That is webfinger or fingerpoint require a few more connections... Implementations that support it should certainly list this in the wiki. If most of us do then we can put it in the spec too. Perhaps that is the best way to proceed :-)


> -- 
> Regards,
> Kingsley Idehen	      
> President & CEO 
> OpenLink Software     
> Web: 
> http://www.openlinksw.com
> Weblog: 
> http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen 
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Social Web Architect

More information about the foaf-protocols mailing list