[foaf-protocols] webid vs distributed social networks

Kingsley Idehen kidehen at openlinksw.com
Sun Mar 13 21:36:34 CET 2011


On 3/12/11 2:43 PM, peter williams wrote:
>
> Ok. I've confused myself.
>
> Simple: http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me.
>
> This is a ref to an RDFa marked up RDF source.
>
> Simple 
> http://linkeddata.uriburner.com/sparql?default-graph-uri=&should-sponge=&query=%23+Remove+commented+out+pragma+below+if+you+want+to+override+cache%2C+otherwise+the+system+will+do+it+automagically+in+its+own+time+based+on+server+settings%0D%0A%23+DEFINE+get%3Asoft+%22replace%22%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E+%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E+%0D%0A%0D%0Aselect++%3Fwebid+%0D%0AFROM+%3Chttp%3A%2F%2Fwebid.myxwiki.org%2Fxwiki%2Fbin%2Fview%2FXWiki%2Fhomepw4%3E%0D%0AWHERE+%7B%0D%0A++++%5B%5D+cert%3Aidentity+%3Fwebid+%3B%0D%0A+++++++++rsa%3Amodulus+%3Fm+%3B%0D%0A+++++++++rsa%3Apublic_exponent+%3Fe+.%0D%0A++++++++%3Fm+cert%3Ahex+%22b520f38479f5803a7ab33233155eeef8ad4e1f575b603f7780f3f60ceab1%5Cn34618fbe117539109c015c5f959b497e67c1a3b2c96e5f098bb0bf2a6597%5Cn779d26f55fe8d320de7af0562fd2cd067dbc9d775b22fc06e63422717d00%5Cna6801dedafd7b54a93c3f4e59538475673972e524f4ec2a3667d0e1ac856%5Cnd532e32bf30cef8c1adc41718920568fbe9f793daeeaeeaa7e8367b7228a%5Cn895a6cf94545a6f6286693277a1bc7750425ce6c35d570e89453117b88ce%5Cn24206afd216a705ad08b7c59%5Cn%22%5E%5Exsd%3Astring+.%0D%0A++++++++%3Fe+cert%3Adecimal+%2265537%22%5E%5Exsd%3Astring%0D%0A%7D%0D%0A&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname=
>
> This is a call to a query engine. I can even stuff it in my cert, to 
> help coding of webid VAs.
>
> So what is this? 
> http://uriburner.com/about/id/entity/http/webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me
>

A Proxy Entity ID (URI Name Ref) generated by the URIBurner service. 
Trouble is this, the URIBurner service takes a Resource URL and passes 
it through 70+ extractors that use a variety of heuristics that may or 
may not result in transformation. Then it does another 70+ lookups 
against Web Services and the LOD cloud etc. Net effect is a much larger 
and richer Linked Data graph.

URIBurner has had issues dealing with RDFa out in the wild since there 
isn't uniformity re. use of DOCTYPE declarations etc. Thus, we've ended 
up making two RDFa cartridges, i.e., one that assumes the producer knows 
what it's doing and another that makes a "best effort" to make sense of 
the resource. I've just disabled the "best effort" variant and re-sponged 
(SPARQL with HTTP GET invoked) and the result is better.


See:

1. http://uriburner.com/about/html/http://uriburner.com/about/id/entity/http/webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4%01me -- note backlinks tab in this page
2. http://uriburner.com/describe/?url=http%3A%2F%2Fwebid.myxwiki.org%2Fxwiki%2Fbin%2Fview%2FXWiki%2Fhomepw4%23me -- a different page showing the same data.
>
> It's an element of the response to the query of course, which I took 
> to mean: the required cert exists in the foaf card. Further metadata on 
> this response is available at that source (I said to myself) -- 
> thinking of that URI as an artifact-refnum from the SAML world.
>
> So let's have a look at the resource. It's a complex XML document with 
> RDF markup tags, which makes statements about the very same 
> information as was in my own foaf card.
>
> So, now that said resource exists and has a name, what would it mean 
> if I did the sparql query against it (versus the myxwiki graph)?
>
> Let me treat the resources as a trusted cache copy of my foaf card, 
> mashed up with other content.
>
> In webid semantics, what does it mean for that source to assert: 
> pubkey present in resource? How does that compare with the meaning of 
> myxwiki asserting: pubkey present in resource?
>

Nothing changes re. relation between public key and webid; especially as 
you can always force invocation against the source rather than cache via 
pragma (as per my initial example). In addition, if you published from a 
space that had its own SPARQL endpoint, you can use SPARQL-FED from my 
instance which cuts out all the additional sponging that occurs (when 
the instance has these cartridges enabled).
>
> Should I now have 2 webids in my cert
>
> http://uriburner.com/about/id/entity/http/webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me
>
> http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me
>

Yes, and a little tweak that we need to make (long scheduled but 
awaiting completion and release) is the automatic addition of:

<http://uriburner.com/about/id/entity/http/webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> 
owl:sameAs <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> .

Then you can get a key match using either URI Name Ref. You achieve this 
by invoking the owl:sameAs inference pragma which then handles the union 
expansion automatically when processing your SPARQL query.
>
> letting the VA choose which one it wants to consume (based on the 
> authority in the http scheme)?
>
> Well, we know that the validation agent in webidland wants to enforce: 
> user has control over id (and write access to id'd resource).
>
> But should VA choose the first above, would it matter in webidland if 
> the VA confirms that "user trusted caching agent" ... has control over 
> id (and has delegated write access to cached security enforcing content)?
>

Shouldn't need to choose since the endpoint can be ACL protected, ditto 
specific inference rules (which reside in their own Named Graphs).
>
> I think not, so long as the VA is reasoning with the indirection.
>
> Is there any real difference between the two cases?
>

Hopefully, I've cleared the coreference issue via comments above.

> No, I think. As, after all though we assume only the user has write 
> access to the document (a fact being tested), in reality so does the 
> privileged administration (who can spoof the user). In the general 
> case, such admin is the owner of the portal hosting the blogsite say 
> (Google, Yahoo, etc). As we know, given a secret/non-secret order from 
> USG, they would spoof me at the drop of a hat, no questions asked. 
> Would not even bother telling me, 99% of the time; such is the nature 
> of that web sub-society
>
> Does this mental model sound right?
>

Yes. But remember there is granular control that can be invoked. If you 
were working with http://id.mopenlinkse.com/ods instance, you can make 
the co-reference assertions yourself. Then scope your own queries to 
your graph, which can be ACL constrained while sitting behind an ACL 
constrained SPARQL endpoint etc.

> Feels like I should put the first form (trusted cache) in the IAN URI, 
> and the second form in the SAN URI -- so they are "tagged" as 
> subject-centric and issuer-centric webids, thus signaling that there 
> are multiple indirections when enforcing, in the issuer case.
>

I think owl:sameAs inference takes care of this :-)


Kingsley
>
> From: Kingsley Idehen [mailto:kidehen at openlinksw.com]
> Sent: Monday, February 28, 2011 4:08 AM
> To: peter williams
> Cc: foaf-protocols at lists.foaf-project.org
> Subject: Re: [foaf-protocols] webid vs distributed social networks
>
> On 2/27/11 2:51 PM, peter williams wrote:
>
> Now, this is what I expect the semweb to feel like. A remote agent (or an
> agent down a chain of agents) does some work as specified by the user-agent,
> probably teaching the user agent by its result how to do it directly the
> next time.
>   
> If the agent provider makes a data silo or insists on being the only gateway
> to a public data set, one avoids it politically. If it adds some value (not
> just control, not just wrappers, not just aggregation), then perhaps it's ok.
>
> I'm trying to decide whether or not to boycott Microsoft's new Azure ACS v2
> service when building a realty SAAS site in Azure land (because the program
> managers seem to have decided to refuse to allow me to talk to my SAAS
> tenants bridged by their ACS service from my wordpress IDP (or the ~3000
> sites realtors have in wordpress) -  even though the Microsoft fabric
> service (ACS) supports the very same protocol as wordpress uses, when
> talking to upstream to Yahoo IDP).
>   
> I tried to alter the query, to make it an existence test. Not sure I quite
> got it right. For the m and e value I supply as constants (read from the
> incoming client cert), I want it now to answer essentially: exists/not-exist
>   
> But, it worked (as you gave it me), 99% of what I want. One last push, I
> feel. (Peter starting to get that itch that usually means "go into budget
> finding mode").
>   
> ---------
>   
> # Pragma for enabling Virtuoso's Sponger Middleware -- component that performs
> #  - HTTP GETs against resources that may or may not be RDF formats based data containers
> #  - Transform data into a 3-tuple based graph
> # Post actions above the SPARQL engine processes the SPARQL query pattern
>
> DEFINE get:soft "replace"
> PREFIX cert: <http://www.w3.org/ns/auth/cert#>
> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
>
> SELECT ?webid FROM <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>
> WHERE {
>      [] cert:identity ?webid ;
>           rsa:modulus "a520f38479f5803a7ab33233155eeef8ad4e1f575b603f7780f3f60ceab134618fbe117539109c015c5f959b497e67c1a3b2c96e5f098bb0bf2a6597779d26f55fe8d320de7af0562fd2cd067dbc9d775b22fc06e63422717d00a6801dedafd7b54a93c3f4e59538475673972e524f4ec2a3667d0e1ac856d532e32bf30cef8c1adc41718920568fbe9f793daeeaeeaa7e8367b7228a895a6cf94545a6f6286693277a1bc7750425ce6c35d570e89453117b88ce24206afd216a705ad08b7c59" ;
>           rsa:public_exponent "65537" .
> }
>   
>   
>
> Peter,
>
> # Remove commented out pragma below if you want to override cache,
> # otherwise the system will do it automagically in its own time based on
> # server settings
> # DEFINE get:soft "replace"
> PREFIX cert: <http://www.w3.org/ns/auth/cert#>
> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
>
> select ?webid
> FROM <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>
> WHERE {
>     [] cert:identity ?webid ;
>          rsa:modulus ?m ;
>          rsa:public_exponent ?e .
>     ?m cert:hex "b520f38479f5803a7ab33233155eeef8ad4e1f575b603f7780f3f60ceab1\n34618fbe117539109c015c5f959b497e67c1a3b2c96e5f098bb0bf2a6597\n779d26f55fe8d320de7af0562fd2cd067dbc9d775b22fc06e63422717d00\na6801dedafd7b54a93c3f4e59538475673972e524f4ec2a3667d0e1ac856\nd532e32bf30cef8c1adc41718920568fbe9f793daeeaeeaa7e8367b7228a\n895a6cf94545a6f6286693277a1bc7750425ce6c35d570e89453117b88ce\n24206afd216a705ad08b7c59\n"^^xsd:string .
>     ?e cert:decimal "65537"^^xsd:string
> }
>
> -- 
>   
> Regards,
>   
> Kingsley Idehen
> President & CEO
> OpenLink Software
> Web: http://www.openlinksw.com
> Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen


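The key-match check discussed in this message, as an added sketch that is not code from either poster or from URIBurner/Virtuoso: a validation agent compares the certificate's (modulus, exponent) with the keys a profile publishes, normalising `cert:hex` literals that carry line breaks, and accepts a second SAN URI only through `owl:sameAs` pairs it trusts. The URIs, the toy modulus, the triple-tuple representation and all function names are assumptions made for illustration.

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"

def hex_to_int(literal):
    # Published moduli carry line breaks and spaces; keep the hex digits only.
    return int(re.sub(r"[^0-9a-fA-F]", "", literal), 16)

def published_keys(triples):
    """Map each cert:identity URI to the (modulus, exponent) pairs it publishes."""
    def objs(s, p):
        return [o for (s2, p2, o) in triples if s2 == s and p2 == p]
    keys = {}
    for node, pred, webid in triples:
        if pred != CERT + "identity":
            continue
        for m in objs(node, RSA + "modulus"):
            for e in objs(node, RSA + "public_exponent"):
                for mh in objs(m, CERT + "hex"):
                    for ed in objs(e, CERT + "decimal"):
                        keys.setdefault(webid, set()).add((hex_to_int(mh), int(ed)))
    return keys

def coreferents(uri, same_as_pairs):
    """Symmetric, transitive owl:sameAs closure over pairs the VA itself trusts."""
    seen, todo = {uri}, [uri]
    while todo:
        cur = todo.pop()
        for a, b in same_as_pairs:
            nxt = b if a == cur else a if b == cur else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def verified_webids(san_uris, cert_key, profile, trusted_same_as=()):
    """Return the SAN URIs whose own or co-referent identity publishes cert_key."""
    keys = published_keys(profile)
    return [u for u in san_uris
            if any(cert_key in keys.get(alias, ())
                   for alias in coreferents(u, trusted_same_as))]

# Constructed sample data (hypothetical URIs and a toy modulus, not from the thread).
ORIGIN = "http://profile.example/card#me"
PROXY = "http://proxy.example/about/id/entity/http/profile.example/card#me"
PROFILE = [("_:k", CERT + "identity", ORIGIN), ("_:k", RSA + "modulus", "_:m"),
           ("_:k", RSA + "public_exponent", "_:e"),
           ("_:m", CERT + "hex", "00c0 ffee\n1234 abcd\n"), ("_:e", CERT + "decimal", "65537")]
CERT_KEY = (0x00C0FFEE1234ABCD, 65537)
```

With no trusted pairs only `ORIGIN` verifies; passing `[(PROXY, ORIGIN)]` makes both SAN URIs verify, so the graph that supplies the `owl:sameAs` statements needs the same access control as the graph that holds the key.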