[foaf-protocols] webid vs distributed social networks

peter williams home_pw at msn.com
Tue Mar 15 18:01:18 CET 2011


Let me recast all this using .NET terminology (classical computer science,
in general).


Since the cert is self-asserted, it's the trusted validator that consults a
source of owl:sameAs statements for the n names in the cert. From trusted
validator, infer trusted statements. For me as a resource serveer trusting
the validator, I don't  care how it made the leap that the owl:sameAs is not
only true,. but trustworthy per se. Atg the same time as any such offloading
validator can be hijacked (and probably will be, as soon as its google
size), as a resource server I have to be able to compute the same truths
myself. I  can then test&verify my offloading validators (to see when they
are acting against my interests).


In the reference semantic framework of .NET, folks now have the framework to
do what Henry often discusses (let metadata define the type of the URI name,
where the metadata is triples/RDF). Since the web is a pass by value world,
the de-referencer in .NET can use my own type-resolver, when handling
apparent isa relations between subclasses to be shared between clients and
servers. That resolver can now be implemented by me and be used when
processing rest service built by channel factories, where the my
implementation can be using the foaf/rdf card as its source of structural
relations between [sub]classes. This of course supports relations between
URIs/webids; out of which one builds core trust graphs.


Now that I've got passed worrying largely about SSL, certs and sparql
queryies, I think I can focus on the security semantics of identifiers. It's
not enough to merely test a foaf card for existence of a pubkey (delivering
security to the assertion). Now, the ontologies and the ontology plumbing in
the core of the SOA framework have to really get to grips with what the
semantic web is attempting to address. While there is nothing there I have
not seen before, who cares! What matters is that the right tweak or two by
W3C community is what should give its momentum and mass appeal - once
society is ready.


From: Kingsley Idehen [mailto:kidehen at openlinksw.com] 
Sent: Sunday, March 13, 2011 1:37 PM
To: peter williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] webid vs distributed social networks


On 3/12/11 2:43 PM, peter williams wrote: 

Ok. Ive confused myself.


Simple: http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me.

This is a ref to an RDFa marked up RDF source.



This is call to a query engine. I can even stuff it in my cert, to help
coding of webid VAs.


So what is this?

A Proxy Entity ID (URI Name Ref) generated by the URIBurner service. Trouble
is this, the URIBurner service takes a Resource URL and passes it through
70+ extractors that use a variety of heuristics that may or may not result
in transformation. Then it does another 70+ lookups against Web Services and
the LOD cloud etc.. Net effect is a much larger and richer Linked Data

URIBurner has had issues dealing with RDFa out in the wild since there isn't
uniformity re. use of DOCTYPE declarations etc. Thus, we've ended up making
two RDFa cartridges i.e., one that assumes the producer knows what its doing
and another that makes a "best effort" to make sense of the resource. I've
just disable the "best effort" variant and re. sponged (SPARQL with HTTP GET
invoked) and the result is better.


bid.myxwiki.org/xwiki/bin/view/XWiki/homepw4%01me>  - -not backlinks tab in
this page
bin%2Fview%2FXWiki%2Fhomepw4%23me -- a different page showing the same data

It's an element of the response to the query of course, which I took to me:
the required cert exists in the foaf card. Further metadata on this response
is available at that source (I said to myself) - thinking of that URI as an
artifact-refnum from the SAML world.


So lets have a look at the resource. It's a complex XML document with RDF
markup tags, which makes statements about the very same information as was
in my own foaf card.


So, now that said resource exists and has a name, what would it means if I
did the sparql query against it (versus the myxwiki graph)?


Let me treat the resources as a trusted cache copy of my foaf card, mashed
up with other content. 


In webid semantics, what does it mean for that source to assert: pubkey
present in resource? How does that compare with the meaning of myxwiki
asserting: pubkey present in resource? 

Nothing changes re. relation between public key and webid; especially as you
can always force invocation against the source rather than cache via pragma
(as per my initial example). In addition, if you published from a space that
had its own SPARQL endpoint, you can use SPARQL-FED from my instance which
cuts out all the additional sponging that occurs (when the instance has
these cartridges enabled). 


Should I now have 2 webids in my cert



Yes, and a little tweak that we need to make (long scheduled but awaiting
completion and release) is the automatic addition of:

XWiki/homepw4#me> owl:sameAs
<http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> .

Then you can get a key match using either URI Name Ref. You achieve this by
invoking the owl:sameAs inference pragma which then handles the union
expansion automatically when processing your SPARQL query.


letting the VA choose which one it wants to consume (based on the authority
in the http scheme)?


Well, we know that the validation agent in webidland wants to enforce: user
has control over id (and write access to id'd resource).

But should VA choose the first above, would it matter in webidland if the VA
confirms that "user trusted caching agent" . has control over id (and has
delegated write access to cached security enforcing content)?

Shouldn't need to choose since the endpoint can be ACL protected, ditto
specific inference rules (which reside in their own Named Graphs).


I think not, so long  as the VA is reasoning with the indirection.


Is there any real difference between the two cases?

Hopefully, I've cleared the coreference issue via comments above.


No, I think. As, after all though we assume only the user has write access
to the document (a fact being tested), in reality so does the privileged
administration (who can spoof the user). In the general case, such admin is
the owner of the portal hosting the blogsite say (Google, Yahoo, etc). As we
know, given a secret/non-secret order from USG, they would spoof me at the
drop of a hat, no questions asked. Would not even bother telling me, 99% of
the time; such is the nature of that web sub-society


Does this mental model sound right?

Yes. But remember there is granular control that can be invoked. If you were
working with http://id.mopenlinkse.com/ods instance, you can make the
co-reference assertions yourself. Then scope your own queries to your graph,
which can be ACL constrained while sitting behind an ACL constrained SPARQL
endpoint etc..


Feels like I should put the first form (trusted cache) in the IAN URI, and
the second form in the SAN URI - so they are "tagged" as subject-centric and
issuer-centric webids, thus signaling that there are multiple indirections
when enforcing, in the issuer case.

I think owl:sameAs inference takes care of this :-)





From: Kingsley Idehen [mailto:kidehen at openlinksw.com] 
Sent: Monday, February 28, 2011 4:08 AM
To: peter williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] webid vs distributed social networks


On 2/27/11 2:51 PM, peter williams wrote: 

Now, this is what I expect the semweb to feel like. A remote agent (or an
agent down a chain of agents) does some work as specified by the user-agent,
probably teaching the user agent by its result how to do it directly the
next time.
If the agent provider makes a data silo or insists on being the only gateway
to a public data set, one avoids it politically. If it adds some value (not
jus control, not just wrappers, not just aggregation), then perhaps its ok.
Im trying to decide whether or not to boycott Microsoft's new Azure ACS v2
service when building a realty SAAS site in Azure land (because the program
managers seem to have decided to refuse to allow me to talk to my SAAS
tenants bridged by their ACS service from my wordpress IDP (or the ~3000
sites realtors have in wordpress) -  even though the Microsoft fabric
service (ACS) supports the very same protocol as wordpress uses, when
talking to upstream to Yahoo IDP).
I tried to alter the query, to make it an existence test. Not sure I quite
got it right. For the m and e value I supply as constants (read from the
incoming client cert), I want it now to answer essentially: exists/not-exist
But, it worked (as you gave it me), 99% of what I want. One last push, I
feel. (Peter starting to get that itch  that usually means "go into budget
finding mode").
# Pragma for enabling Virtuoso's Sponger Middleware -- component that
#  - HTTP GETs against resources that may or my not be RDF formats based
data containers 
#  - Transform data into a 3-tuple based graph 
# Post actions above the SPARQL engine processes the SPARQL query pattern
DEFINE  get:soft "replace"
PREFIX cert:  <http://www.w3.org/ns/auth/cert>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa>
SELECT ?webid FROM  <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>
    [] cert:identity ?webid ;
b7c59" ;
         rsa:public_exponent "65537" .


# Remove commented out pragma below if you want to override cache, otherwise
the system will do it automagically in its own time based on server settings

# DEFINE get:soft "replace"

PREFIX cert: <http://www.w3.org/ns/auth/cert#
<http://www.w3.org/ns/auth/cert> > 

PREFIX rsa: <http://www.w3.org/ns/auth/rsa# <http://www.w3.org/ns/auth/rsa>


select  ?webid 

FROM <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4>


    [] cert:identity ?webid ;

         rsa:modulus ?m ;

         rsa:public_exponent ?e .

        ?m cert:hex
d216a705ad08b7c59\n"^^xsd:string .

        ?e cert:decimal "65537"^^xsd:string


Kingsley Idehen       
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 

Kingsley Idehen       
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20110315/c23a8455/attachment-0001.htm 

More information about the foaf-protocols mailing list