[foaf-protocols] sparql, uriburner, and double binding hits

Kingsley Idehen kidehen at openlinksw.com
Sun Mar 27 22:27:24 CEST 2011


On 3/27/11 1:38 PM, peter williams wrote:
>
> http://uriburner.com/sparql/?default-graph-uri=&should-sponge=&query=%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0A%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E+%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E+%0D%0ASELECT+%3Fg%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29++%0D%0AWHERE+%7B+++GRAPH+%3Fg+%7B+%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.+++++++++%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D++++++%0D%0A++++++++++%7D+%0D%0A++++++%7D%0D%0A&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname 
>
> gives
>
> Row 1
>
> g:         http://foaf.me/pw2
> callret-1: 65537
> callret-2:
> bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4
> 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e
> 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e
> 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9
> 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06
> 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd
>
> Row 2
>
> g:         http://foaf.me/pw2#me
> callret-1: 65537
> callret-2:
> bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4
> 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e
> 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e
> 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9
> 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06
> 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd
>
> I've little idea why this card produces those triples in uriburner's 
> triple/quad store, given my other cards don't. I do remember 
> experimenting a year+ ago putting two rsapublickeys in 1 card though, 
> and issuing many many queries to uriburner on it (just seeing "what 
> would happen?"...as I played with variants of the webid URI). This may 
> be the cause.
>
> Now, assuming I can repeat the cause, it would be easy for me to 
> create 2 self signed certs, with same pubkey (above) but different 
> URIs (the g above).
>
> The argument is, presumably, that one tests that two such URIs are 
> equivalent (for the purposes of access control) not because of the 
> pubkey, but because the verifying authority determine there to be 
> logical relations (e.g. sameAs...) that asserts the equivalence. One 
> has to have a trusted source of triples, to do this, of course.
>
> So, this seems an interesting test case.
>
> 1. Create a new foaf.me file. Somehow fiddle that one file's 
> rsapublickeys values. Issue lots of uriburner queries, such that 
> uriburner ends up with 2 graphs (as above), binding to the same publickey
>
> 2. Make 2 self-signed certs, each with 1 graph URI (as above) as its 1 
> webid SAN field
>
> 3. Make login attempts to foaf.me, with each.
>
> Now, I'm not sure what this proves, when foaf.me accepts/denies the 
> login. Presumably, even without any sameAS statements, it SHOULD 
> authenticate either, and allow access to the user to make card changes 
> (e.g. add a third public key, different to the first two).
>
> Presumably, a security enforcer module for authn (in general) could 
> have its own source of owl:sameAs statements, that influence its 
> unique perspectives on equivalence of the 2 certs logons. It is not that 
> the sameAs statements have to come from foaf cards.
>
> If I go to a different resource server, with a triple store asserting 
> X and Y URIs are not equivalent, its authn SEF could recognize one 
> client cert as an authentic user logon attempt, but not the other.
>
> So, in the wider sense of webid, just "who" is "authoritative" ... for 
> such equivalence relations?
>
> Traditionally, in IIS land, the cert (not its id, or its pubkey) is 
> mapped to an NT account, and the authorization logic for resources is 
> simple IBAC -- in which NT SIDs map to ACLs. Or, in more modern 
> designs, the cert supports access to an IDP which delivers a 
> resigned token with claims targeting the resource server -- that then 
> drives claims-based access controls (after translation, if required). 
> This does not assume semweb trust, of course, merely recognizing of 
> the IDP's signing keys -- which seems to be a variant of webid protocol.
>
> *From:*foaf-protocols-bounces at lists.foaf-project.org 
> [mailto:foaf-protocols-bounces at lists.foaf-project.org] *On Behalf Of 
> *Kingsley Idehen
> *Sent:* Sunday, March 27, 2011 9:35 AM
> *To:* foaf-protocols at lists.foaf-project.org
> *Subject:* Re: [foaf-protocols] sparql, uriburner, and double binding hits
>
> On 3/27/11 10:30 AM, peter williams wrote:
>
> Gulp! There can be 2 containers (foaf card files, in the simple 
> representation on a webserver) matched by a URI?
>
> If there can be 2, presumably there can be n.
>
> How would I find out info about the 2 containers? Are these containers 
> like a transaction log file, in which there is a logical record of 
> changes?
>
> Or, should I think in terms of quads, where it so happens that the 
> cert:hex... etc triple exists in 2 (n) quads, where a distinct 4th 
> element is a time-value, say? The time the foaf card was 
> replicated/crawled, say?
>
> While it seems important to eliminate this (using the 
> FROM...incantation) in one sense, it also seems in another sense 
> interesting to consider the semantics of such a quad store. If the 
> non-FROM query - when implemented by the uriburner data service - is 
> answering the question "what are all the pubkeys, ever known to be or 
> have been associated", this is also interesting. This is something 
> beyond the core URI semantics of de-referencing.
>
>
> Virtuoso (what sits behind URIBurner.com) is a Quad Store (amongst 
> many other things re. DBMS functionality).
>
> Try:
>
> #Why? -- string comparison
> #How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
> # ditto custom functions
>
> PREFIX cert: <http://www.w3.org/ns/auth/cert#>
> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
> SELECT ?g
>        (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
> WHERE {   GRAPH ?g {
>            ?id cert:identity <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> ;
>            rsa:public_exponent ?exp ; rsa:modulus ?mod .
>            OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
>           }
>       }
>
>
>
> Kingsley
>
> *From:*Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org]
> *Sent:* Sunday, March 27, 2011 4:18 AM
> *To:* peter williams
> *Cc:* foaf-protocols at lists.foaf-project.org 
> <mailto:foaf-protocols at lists.foaf-project.org>
> *Subject:* Re: [foaf-protocols] sparql, uriburner, and double binding hits
>
> On 3/26/11 10:45 PM, peter williams wrote:
>
> Concerning foaf card at http://foaf.me/pw2#me,
>
> The public entry has 1 RSA publicKeyResource:
>
> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>          xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>          xmlns:foaf="http://xmlns.com/foaf/0.1/"
>          xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
>          xmlns:cert="http://www.w3.org/ns/auth/cert#"
>          xmlns:admin="http://webns.net/mvcb/">
>   <foaf:PersonalProfileDocument rdf:about="">
>     <foaf:maker rdf:resource="#me" />
>     <foaf:primaryTopic rdf:resource="#me" />
>   </foaf:PersonalProfileDocument>
>   <foaf:Person rdf:ID="me">
>     <foaf:nick>pw2</foaf:nick>
>     <foaf:homepage rdf:resource="" />
>   </foaf:Person>
>   <rdf:Description>
>     <rdf:type rdf:resource="http://www.w3.org/ns/auth/rsa#RSAPublicKey" />
>     <cert:identity rdf:resource="#me" />
>     <rsa:modulus rdf:parseType="Resource">
> <cert:hex>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 
> 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 
> 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 
> 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 
> 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 
> 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</cert:hex>
>     </rsa:modulus>
>     <rsa:public_exponent rdf:parseType="Resource">
>       <cert:decimal>65537</cert:decimal>
>     </rsa:public_exponent>
>   </rdf:Description>
> </rdf:RDF>
>
> A ping on URIburner (using a query that works fine for OTHER foaf 
> cards....)
>
> GET http://uriburner.com/sparql?default-graph-uri=&should-sponge=grab-all&query=%23What%3F+--+SELECT+list+type+casting%0D%0A%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E%0D%0ASELECT%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29%0D%0AWHERE+%7B%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D%0D%0A++++++++++%7D&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname= HTTP/1.1
>
> Accept: image/jpeg, image/gif, image/pjpeg, 
> application/x-ms-application, application/xaml+xml, 
> application/x-ms-xbap, */*
>
> Referer: http://uriburner.com/sparql
>
> Accept-Language: en-US
>
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; 
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
> 3.0.30729; .NET4.0C; .NET4.0E; FDM)
>
> Accept-Encoding: gzip, deflate
>
> Host: uriburner.com
>
> Connection: Keep-Alive
>
> HTTP/1.1 200 OK
>
> Server: Virtuoso/06.02.3129 (Linux) x86_64-generic-linux-glibc25-64  VDB
>
> Connection: close
>
> Date: Sat, 26 Mar 2011 21:13:24 GMT
>
> Accept-Ranges: bytes
>
> Content-Type: text/html; charset=UTF-8
>
> Access-Control-Allow-Origin: *
>
> Content-Length: 965
>
> Generates multiple binding matches, in the result set:
>
> <table class="sparql" border="1">
>
> <tr>
>
> <th>callret-0</th>
>
> <th>callret-1</th>
>
> </tr>
>
> <tr>
>
> <td>65537</td>
>
> <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 
> b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 
> 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 
> 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce 
> f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 
> 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</td>
>
> </tr>
>
> <tr>
>
> <td>65537</td>
>
> <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 
> b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 
> 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 
> 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce 
> f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 
> 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</td>
>
> </tr>
>
> </table>
>
> Any rationale? How should I behave?
>
> Hi Peter,
>
> the reason for the multiple results is the existence of two named 
> graphs which match "?id cert:identity <http://foaf.me/pw2#me>".
>
> PREFIX cert: <http://www.w3.org/ns/auth/cert#>
> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
> SELECT *
> WHERE {
>        graph ?g {
>              ?id cert:identity <http://foaf.me/pw2#me> ;
>                  rsa:modulus [cert:hex ?m] ;
>                  rsa:public_exponent [cert:decimal ?e] .
>        }
> }
>
>
> You can fix this behaviour by just adding
>   FROM <http://foaf.me/pw2#me>
> to your query.
>
> Best,
> Andreas
>
>
>
>
> -- 
> ------------------------------------------
> Dipl.-Ing. Andreas Radinger
> Professur für Allgemeine BWL, insbesondere E-Business
> e-business&  web science research group
> Universität der Bundeswehr München
>   
> e-mail:andreas.radinger at unibw.de  <mailto:andreas.radinger at unibw.de>
> phone:  +49-(0)89-6004-4218
> fax:    +49-(0)89-6004-4620
> www:http://www.unibw.de/ebusiness/
> skype:  andreas.radinger
>
>
> -- 
>   
> Regards,
>   
> Kingsley Idehen
> President&  CEO
> OpenLink Software
> Web:http://www.openlinksw.com
> Weblog:http://www.openlinksw.com/blog/~kidehen  <http://www.openlinksw.com/blog/%7Ekidehen>
> Twitter/Identi.ca: kidehen
>   
>   
>   
>   


Try:

#Why? -- string comparison
#How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
# ditto custom functions

PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
SELECT DISTINCT ?g
        (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
WHERE {   GRAPH ?g {
            ?id cert:identity <http://foaf.me/pw2#me> ;
            rsa:public_exponent ?exp ; rsa:modulus ?mod .
            OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
           }
       }

-- 

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
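
Added example, not part of the message above and not OpenLink or URIBurner code: a relying-party check in Python for the case this thread describes, where a quad store returns the same key once per named graph and the rows differ only in ?g. It assumes result rows shaped as g/exp/mod dictionaries and a policy that trusts only a graph whose IRI, minus any fragment, is the WebID's profile document; the function names, the other.example graph and the short toy modulus are constructed for illustration.

```python
import re
from urllib.parse import urldefrag

HEX_RE = re.compile(r"[0-9a-fA-F]+")

def parse_hex_modulus(text):
    """Turn a cert:hex literal (spaces, newlines, colons allowed) into an int."""
    cleaned = re.sub(r"[\s:]", "", text)
    if not HEX_RE.fullmatch(cleaned):
        raise ValueError("not a hex modulus: %r" % text)
    return int(cleaned, 16)

def keys_for_webid(webid, rows):
    """Collect the distinct keys asserted in the WebID's own profile graph.

    Assumption: a graph is trusted only if its IRI, minus any fragment,
    equals the WebID's profile document IRI.
    """
    profile_doc = urldefrag(webid).url
    keys = set()
    for row in rows:
        if urldefrag(row["g"]).url != profile_doc:
            continue  # key asserted by some other document: ignore it
        try:
            keys.add((parse_hex_modulus(row["mod"]), int(row["exp"])))
        except ValueError:
            continue  # a malformed literal never matches a certificate
    return keys

def webid_key_matches(webid, cert_modulus, cert_exponent, rows):
    """True if the certificate's key is one the profile graph asserts."""
    return (cert_modulus, cert_exponent) in keys_for_webid(webid, rows)

# Constructed sample rows (short toy modulus, not a real key).
WEBID = "http://foaf.me/pw2#me"
ROWS = [
    {"g": "http://foaf.me/pw2", "exp": "65537", "mod": "bd 4b 4a 44\n35 d5"},
    {"g": "http://foaf.me/pw2#me", "exp": "65537", "mod": "bd 4b 4a 44 35 d5"},
    {"g": "http://other.example/copy", "exp": "65537", "mod": "aa bb cc"},
    {"g": "http://foaf.me/pw2", "exp": "65537", "mod": "not hex"},
]

if __name__ == "__main__":
    print(keys_for_webid(WEBID, ROWS))
    print(webid_key_matches(WEBID, 0xBD4B4A4435D5, 65537, ROWS))
```

The two foaf.me rows collapse to one key because the comparison is on the parsed integer, not on the literal's spacing, and the key asserted only by the other graph is never accepted for this WebID.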




