[foaf-protocols] webid vs distributed social networks

peter williams home_pw at msn.com
Sat Mar 12 20:43:12 CET 2011

Ok. I've confused myself.


Simple: http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me.

This is a ref to an RDFa marked up RDF source.



This is a call to a query engine. I can even stuff it in my cert, to help
coding of webid VAs.


So what is this?

It's an element of the response to the query of course, which I took to mean:
the required cert exists in the foaf card. Further metadata on this response
is available at that source (I said to myself) - thinking of that URI as an
artifact-refnum from the SAML world.


So lets have a look at the resource. It's a complex XML document with RDF
markup tags, which makes statements about the very same information as was
in my own foaf card.


So, now that said resource exists and has a name, what would it mean if I
did the sparql query against it (versus the myxwiki graph)?


Let me treat the resource as a trusted cache copy of my foaf card, mashed
up with other content.


In webid semantics, what does it mean for that source to assert: pubkey
present in resource? How does that compare with the meaning of myxwiki
asserting: pubkey present in resource? 


Should I now have 2 webids in my cert




letting the VA choose which one it wants to consume (based on the authority
in the http scheme)?


Well, we know that the validation agent in webidland wants to enforce: user
has control over id (and write access to id'd resource).

But should the VA choose the first above, would it matter in webidland if the VA
confirms that "user trusted caching agent" has control over id (and has
delegated write access to cached security enforcing content)?


I think not, so long as the VA is reasoning with the indirection.


Is there any real difference between the two cases?


No, I think. After all, though we assume only the user has write access
to the document (a fact being tested), in reality so does the privileged
administration (who can spoof the user). In the general case, such an admin is
the owner of the portal hosting the blogsite, say (Google, Yahoo, etc). As we
know, given a secret/non-secret order from USG, they would spoof me at the
drop of a hat, no questions asked. They would not even bother telling me, 99% of
the time; such is the nature of that web sub-society.


Does this mental model sound right?


Feels like I should put the first form (trusted cache) in the IAN URI, and
the second form in the SAN URI - so they are "tagged" as subject-centric and
issuer-centric webids, thus signaling that there are multiple indirections
when enforcing, in the issuer case.




From: Kingsley Idehen [mailto:kidehen at openlinksw.com] 
Sent: Monday, February 28, 2011 4:08 AM
To: peter williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] webid vs distributed social networks


On 2/27/11 2:51 PM, peter williams wrote: 

Now, this is what I expect the semweb to feel like. A remote agent (or an
agent down a chain of agents) does some work as specified by the user-agent,
probably teaching the user agent by its result how to do it directly the
next time.

If the agent provider makes a data silo or insists on being the only gateway
to a public data set, one avoids it politically. If it adds some value (not
just control, not just wrappers, not just aggregation), then perhaps it's ok.

I'm trying to decide whether or not to boycott Microsoft's new Azure ACS v2
service when building a realty SAAS site in Azure land (because the program
managers seem to have decided to refuse to allow me to talk to my SAAS
tenants bridged by their ACS service from my wordpress IDP (or the ~3000
sites realtors have in wordpress) - even though the Microsoft fabric
service (ACS) supports the very same protocol as wordpress uses when
talking upstream to the Yahoo IDP).

I tried to alter the query, to make it an existence test. Not sure I quite
got it right. For the m and e values I supply as constants (read from the
incoming client cert), I want it now to answer essentially: exists/not-exists.

But, it worked (as you gave it to me), 99% of what I want. One last push, I
feel. (Peter starting to get that itch that usually means "go into budget
finding mode".)
# Pragma for enabling Virtuoso's Sponger Middleware -- component that
#  - HTTP GETs against resources that may or may not be RDF-format based
#    data containers
#  - Transforms the data into a 3-tuple based graph
# After the actions above, the SPARQL engine processes the SPARQL query pattern
DEFINE get:soft "replace"
PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa#>
PREFIX xsd:  <http://www.w3.org/2001/XMLSchema#>

# For a bare exists/not-exists answer, replace "SELECT ?webid" with "ASK".
SELECT ?webid
FROM <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>
WHERE {
    [] cert:identity ?webid ;
       rsa:modulus ?m ;
       rsa:public_exponent ?e .
    # The profile publishes the modulus as a node carrying cert:hex (see the
    # query below); the hex literal here is truncated in the archive.
    ?m cert:hex "b7c59"^^xsd:string .
    ?e cert:decimal "65537"^^xsd:string .
}


# Remove the comment marker from the pragma below if you want to override the
# cache; otherwise the system will do it automagically in its own time, based
# on server settings
# DEFINE get:soft "replace"

PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa#>
PREFIX xsd:  <http://www.w3.org/2001/XMLSchema#>

SELECT ?webid
FROM <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>
WHERE {
    [] cert:identity ?webid ;
       rsa:modulus ?m ;
       rsa:public_exponent ?e .
    # The leading digits of this hex literal are truncated in the archive; note
    # the trailing "\n" is part of the literal as published, so the match is
    # byte-exact on the whitespace too.
    ?m cert:hex "d216a705ad08b7c59\n"^^xsd:string .
    ?e cert:decimal "65537"^^xsd:string .
}


Kingsley Idehen       
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
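As an added editorial example (not code from either poster, and not Virtuoso's, myxwiki's or any WebID library's), here is the validation-agent side of the check both messages circle around, written in plain Python with no RDF library so it runs offline: a small N-Triples reader, extraction of the cert:hex / cert:decimal values hanging off the rsa:modulus / rsa:public_exponent nodes, normalization of the hex before comparison (the literal in the query above carries a trailing "\n", so a byte-exact SPARQL string match on cert:hex is fragile, whereas a VA should compare the integer), and the indirection question from Peter's message: each SAN URI from the cert is confirmed only against the graph the VA fetched from that WebID's own document, so the same triples served from a cache URI do not count for it. The profile, the URIs and the key values are constructed for the example; the modulus is toy-sized, not a real RSA key.

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"


class Literal(str):
    """Lexical form of an RDF literal; IRIs and blank nodes stay plain str."""


_TERM = r'(<[^>]*>|_:\w+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>|@[\w-]+)?)'
_TRIPLE = re.compile(r"^\s*" + _TERM + r"\s+" + _TERM + r"\s+" + _TERM + r"\s*\.\s*$")


def _term(tok):
    """Decode one N-Triples token: IRI -> str, blank node -> str, literal -> Literal."""
    if tok.startswith("<"):
        return tok[1:-1]
    if tok.startswith("_:"):
        return tok
    lex = tok[1 : tok.rindex('"')]  # drop the quotes and any ^^datatype / @lang suffix
    for esc, ch in (("\\n", "\n"), ("\\t", "\t"), ('\\"', '"'), ("\\\\", "\\")):
        lex = lex.replace(esc, ch)
    return Literal(lex)


def parse_ntriples(text):
    """Minimal N-Triples reader (enough for a WebID profile); returns a list of (s, p, o)."""
    triples = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _TRIPLE.match(line)
        if not m:
            raise ValueError("unparseable N-Triples line: " + line)
        triples.append(tuple(_term(t) for t in m.groups()))
    return triples


def _objects(triples, s, p):
    return [o for s2, p2, o in triples if s2 == s and p2 == p]


def hex_to_int(lex):
    """cert:hex literals tolerated whitespace and separators; strip them before comparing."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", lex)
    if not digits:
        raise ValueError("cert:hex literal carries no hex digits")
    return int(digits, 16)


def _number(triples, node, prop, parse):
    """The modulus/exponent is either a literal itself or a node carrying cert:hex / cert:decimal."""
    if isinstance(node, Literal):
        return parse(node)
    vals = _objects(triples, node, prop)
    return parse(vals[0]) if vals else None


def published_keys(triples, webid):
    """All (modulus, exponent) pairs this graph publishes for the given WebID."""
    keys = set()
    for s, p, o in triples:
        if p != CERT + "identity" or isinstance(o, Literal) or o != webid:
            continue
        for m in _objects(triples, s, RSA + "modulus"):
            n = _number(triples, m, CERT + "hex", hex_to_int)
            for x in _objects(triples, s, RSA + "public_exponent"):
                e = _number(triples, x, CERT + "decimal", lambda v: int(v.strip()))
                if n is not None and e is not None:
                    keys.add((n, e))
    return keys


def profile_document(webid):
    """The document the WebID's own authority serves: the URI with its fragment removed."""
    return webid.split("#", 1)[0]


def verify_webids(san_uris, cert_modulus, cert_exponent, fetched_graphs):
    """Return the SAN URIs whose own profile document publishes the cert's key.

    fetched_graphs maps document URI -> triples as the VA retrieved them. A graph that
    merely copies the profile under some other URI is ignored for that WebID: the
    cache's assertion is not the owner's, so the indirection is not accepted here.
    """
    verified = []
    for webid in san_uris:
        triples = fetched_graphs.get(profile_document(webid))
        if triples is None:
            continue
        if (cert_modulus, cert_exponent) in published_keys(triples, webid):
            verified.append(webid)
    return verified


# Constructed sample profile (not a real WebID); toy-sized modulus, split with a newline
# and colons the way cert:hex literals in the wild were.
ME = "http://example.org/people/alice#me"
PROFILE_NT = r"""
<http://example.org/people/alice#me> <http://xmlns.com/foaf/0.1/name> "Alice" .
_:k1 <http://www.w3.org/ns/auth/cert#identity> <http://example.org/people/alice#me> .
_:k1 <http://www.w3.org/ns/auth/rsa#modulus> _:m1 .
_:k1 <http://www.w3.org/ns/auth/rsa#public_exponent> _:e1 .
_:m1 <http://www.w3.org/ns/auth/cert#hex> "00:c0:ff:ee:\n12:34:56:78:9a"^^<http://www.w3.org/2001/XMLSchema#string> .
_:e1 <http://www.w3.org/ns/auth/cert#decimal> "65537"^^<http://www.w3.org/2001/XMLSchema#string> .
"""
CERT_N = 0xC0FFEE123456789A  # what the VA reads from the incoming client cert (constructed)
CERT_E = 65537

if __name__ == "__main__":
    own = {"http://example.org/people/alice": parse_ntriples(PROFILE_NT)}
    cache = {"http://cache.example.net/alice": parse_ntriples(PROFILE_NT)}
    print(verify_webids([ME], CERT_N, CERT_E, own))    # ['http://example.org/people/alice#me']
    print(verify_webids([ME], CERT_N, 3, own))         # []
    print(verify_webids([ME], CERT_N, CERT_E, cache))  # []
```

The third call is the case in the thread: identical triples, fetched from a URI whose authority is not the WebID's, verify nothing. If a deployment wants to accept a trusted cache, that trust has to be added as an explicit policy in verify_webids (a mapping from WebID document to permitted mirror URIs), not inferred from the content matching.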