[foaf-protocols] sparql, uriburner, and double binding hits

Andreas Radinger andreas.radinger at ebusiness-unibw.org
Sun Mar 27 23:01:49 CEST 2011


  ----- Original Message ----- 
  From: Kingsley Idehen
  To: peter williams
  Cc: foaf-protocols at lists.foaf-project.org
  Sent: Sunday, March 27, 2011 10:27 PM
  Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits


  On 3/27/11 1:38 PM, peter williams wrote:


    http://uriburner.com/sparql/?default-graph-uri=&should-sponge=&query=%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0A%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E+%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E+%0D%0ASELECT+%3Fg%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29++%0D%0AWHERE+%7B+++GRAPH+%3Fg+%7B+%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.+++++++++%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D++++++%0D%0A++++++++++%7D+%0D%0A++++++%7D%0D%0A&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname=



    gives



          g          http://foaf.me/pw2
          callret-1  65537
          callret-2  bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5
                     b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43
                     40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0
                     db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93
                     28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9
                     94 e2 a0 f4 ba cd

          g          http://foaf.me/pw2#me
          callret-1  65537
          callret-2  bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5
                     b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43
                     40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0
                     db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93
                     28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9
                     94 e2 a0 f4 ba cd






    I've little idea why this card produces those triples in uriburner's 
triple/quad store, given my other cards don't. I do remember experimenting a 
year+ ago putting two rsapublickeys in 1 card though, and issuing many many 
queries to uriburner on it (just seeing "what would happen?" as I played 
with variants of the webid URI). This may be the cause.





    Now, assuming I can repeat the cause, it would be easy for me to create 
2 self signed certs, with same pubkey (above) but different URIs (the g 
above).



    The argument is, presumably, that one tests that two such URIs are 
equivalent (for the purposes of access control) not because of the pubkey, 
but because the verifying authority determines there to be logical relations 
(e.g. sameAs) that assert the equivalence. One has to have a trusted 
source of triples to do this, of course.



    So, this seems an interesting test case.

    1. Create a new foaf.me file. Somehow fiddle that one file's rsapublickeys 
values. Issue lots of uriburner queries, such that uriburner ends up with 2 
graphs (as above), binding to the same publickey.

    2. Make 2 self-signed certs, each with 1 graph URI (as above) as its 1 
webid SAN field.

    3. Make login attempts to foaf.me, with each.



    Now, I'm not sure what this proves, when foaf.me accepts/denies the 
login. Presumably, even without any sameAs statements, it SHOULD 
authenticate either, and allow access to the user to make card changes (e.g. 
add a third public key, different to the first two).



    Presumably, a security enforcer module for authn (in general) could 
have its own source of owl:sameAs statements, that influence its unique 
perspective on the equivalence of the 2 certs' logons. It's not that the sameAs 
statements have to come from foaf cards.



    If I go to a different resource server, with a triple store asserting X 
and Y URIs are not equivalent, its authn SEF could recognize one client cert 
as an authentic user logon attempt, but not the other.



    So, in the wider sense of webid, just "who" is "authoritative" for 
such equivalence relations?



    Traditionally, in IIS land, the cert (not its id, or its pubkey) is 
mapped to an NT account, and the authorization logic for resources is simple 
IBAC - in which NT SIDs map to ACLs. Or, in more modern designs, the cert 
supports access to an IDP which delivers a re-signed token with claims 
targeting the resource server - that then drives claims-based access 
controls (after translation, if required). This does not assume semweb 
trust, of course, merely recognition of the IDP's signing keys - which seems 
to be a variant of the webid protocol.



    From: foaf-protocols-bounces at lists.foaf-project.org 
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Kingsley 
Idehen
    Sent: Sunday, March 27, 2011 9:35 AM
    To: foaf-protocols at lists.foaf-project.org
    Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits



    On 3/27/11 10:30 AM, peter williams wrote:



    Gulp! There can be 2 containers (foaf card files, in the simple 
representation on a webserver) matched by a URI?



    If there can be 2, presumably there can be n.



    How would I find out info about the 2 containers? Are these containers 
like a transaction log file, in which there is a logical record of changes?



    Or, should I think in terms of quads, where it so happens that the 
cert:hex etc. triple exists in 2 (n) quads, where a distinct 4th element is 
a time-value, say? The time the foaf card was replicated/crawled, say?



    While it seems important to eliminate this (using the FROM incantation) 
in one sense, it also seems in another sense interesting to consider the 
semantics of such a quad store. If the non-FROM query - when implemented by 
the uriburner data service - is answering the question "what are all the 
pubkeys ever known to be or have been associated", this is also 
interesting. This is something beyond the core URI semantics of 
de-referencing.


    Virtuoso (what sits behind URIBurner.com) is a Quad Store (amongst many 
other things re. DBMS functionality).

    Try:

    #Why? -- string comparison
    #How? -- leverage fact that Virtuoso can surface all its in-built 
functions (from SQL and other functionality realms)
    # ditto custom functions

    PREFIX cert: <http://www.w3.org/ns/auth/cert#>
    PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
    SELECT ?g
           (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
    WHERE {   GRAPH ?g {
               ?id cert:identity <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> ;
               rsa:public_exponent ?exp ; rsa:modulus ?mod .
               OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
              }
          }



    Kingsley







    From: Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org]
    Sent: Sunday, March 27, 2011 4:18 AM
    To: peter williams
    Cc: foaf-protocols at lists.foaf-project.org
    Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits



    On 3/26/11 10:45 PM, peter williams wrote:

    Concerning foaf card at http://foaf.me/pw2#me,



    The public entry has 1 RSA publicKeyResource:



    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
             xmlns:foaf="http://xmlns.com/foaf/0.1/"
             xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
             xmlns:cert="http://www.w3.org/ns/auth/cert#"
             xmlns:admin="http://webns.net/mvcb/">
      <foaf:PersonalProfileDocument rdf:about="">
        <foaf:maker rdf:resource="#me" />
        <foaf:primaryTopic rdf:resource="#me" />
      </foaf:PersonalProfileDocument>
      <foaf:Person rdf:ID="me">
        <foaf:nick>pw2</foaf:nick>
        <foaf:homepage rdf:resource="" />
      </foaf:Person>
      <rdf:Description>
        <rdf:type rdf:resource="http://www.w3.org/ns/auth/rsa#RSAPublicKey" />
        <cert:identity rdf:resource="#me" />
        <rsa:modulus rdf:parseType="Resource">
          <cert:hex>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 
3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 
6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 
79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f 
b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 
01 a9 94 e2 a0 f4 ba cd</cert:hex>
        </rsa:modulus>
        <rsa:public_exponent rdf:parseType="Resource">
          <cert:decimal>65537</cert:decimal>
        </rsa:public_exponent>
      </rdf:Description>
    </rdf:RDF>





    A ping on URIburner (using a query that works fine for OTHER foaf 
cards..)



    GET http://uriburner.com/sparql?default-graph-uri=&should-sponge=grab-all&query=%23What%3F+--+SELECT+list+type+casting%0D%0A%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E%0D%0ASELECT%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29%0D%0AWHERE+%7B%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D%0D%0A++++++++++%7D&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname= HTTP/1.1
    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
    Referer: http://uriburner.com/sparql
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; FDM)
    Accept-Encoding: gzip, deflate
    Host: uriburner.com
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Server: Virtuoso/06.02.3129 (Linux) x86_64-generic-linux-glibc25-64  VDB
    Connection: close
    Date: Sat, 26 Mar 2011 21:13:24 GMT
    Accept-Ranges: bytes
    Content-Type: text/html; charset=UTF-8
    Access-Control-Allow-Origin: *
    Content-Length: 965



    Generates multiple binding matches, in the result set:



    <table class="sparql" border="1">
      <tr>
        <th>callret-0</th>
        <th>callret-1</th>
      </tr>
      <tr>
        <td>65537</td>
        <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c 
e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 
43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 
a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 
93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 
a9 94 e2 a0 f4 ba cd</td>
      </tr>
      <tr>
        <td>65537</td>
        <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c 
e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 
43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 
a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 
93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 
a9 94 e2 a0 f4 ba cd</td>
      </tr>
    </table>



    Any rationale? How should I behave?







    Hi Peter,

    the reason for the multiple results is the existence of two named graphs 
which match "?id cert:identity <http://foaf.me/pw2#me>".

    PREFIX cert: <http://www.w3.org/ns/auth/cert#>
    PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
    SELECT *
    WHERE {
           graph ?g {
                 ?id cert:identity <http://foaf.me/pw2#me> ;
                     rsa:modulus [cert:hex ?m] ;
                     rsa:public_exponent [cert:decimal ?e] .
           }

    }


    You can fix this behaviour by just adding
      FROM <http://foaf.me/pw2#me>
    to your query.

    Best,
    Andreas






-- 
------------------------------------------
Dipl.-Ing. Andreas Radinger
Professur für Allgemeine BWL, insbesondere E-Business
e-business & web science research group
Universität der Bundeswehr München
e-mail: andreas.radinger at unibw.de
phone:  +49-(0)89-6004-4218
fax:    +49-(0)89-6004-4620
www:    http://www.unibw.de/ebusiness/
skype:  andreas.radinger

  _______________________________________________
  foaf-protocols mailing list
  foaf-protocols at lists.foaf-project.org
  http://lists.foaf-project.org/mailman/listinfo/foaf-protocols




-- 
Regards,
Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen

  Try:

  #Why? -- string comparison
  #How? -- leverage fact that Virtuoso can surface all its in-built 
functions (from SQL and other functionality realms)
  # ditto custom functions

  PREFIX cert: <http://www.w3.org/ns/auth/cert#>
  PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
  SELECT DISTINCT ?g
         (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
  WHERE {   GRAPH ?g {
             ?id cert:identity <http://foaf.me/pw2#me> ;
             rsa:public_exponent ?exp ; rsa:modulus ?mod .
             OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
            }
        }


-- 

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen

I helped to get another "g" into the endpoint.

Yes Peter, it is possible to generate another n "g"s in other domains.

Either you really need to use a "FROM" clause or I have not fully understood 
the problem.

Best regards,
Andreas
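The following is an added example, not code from the thread or from URIBurner/Virtuoso. It models in plain Python what the thread is about: a quad store holding several named graphs that all assert cert:identity for the same WebID, the unscoped query (Peter's original one, no FROM) returning one row per graph, and the scoped lookup (Andreas' FROM fix) returning only the key from the graph the verifier itself dereferenced. It also covers the step Peter's proposed test case and Andreas' last remark point at: once "another n 'g's in other domains" can carry a cert:identity triple for someone else's WebID, an unscoped lookup would accept an attacker's key for Peter's URI. Assumptions, all constructed for the example: the in-memory dict standing in for the quad store, the graph name http://attacker.example/profile and its made-up modulus, and the convention that the verifier's own graph is named by the WebID with its fragment removed (as URIBurner did for http://foaf.me/pw2). The modulus for foaf.me/pw2 is the one quoted in the thread.

```python
"""Toy quad store + WebID key lookup (added example, not from the thread).

Shows the double binding Peter saw and why a verifier must scope the key
lookup to the graph it dereferenced from the WebID, not the whole store.
"""
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"

WEBID = "http://foaf.me/pw2#me"

# Modulus as published in the foaf.me/pw2 card quoted in the thread.
PW2_MODULUS_HEX = (
    "bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 "
    "b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 "
    "40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 "
    "db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 "
    "28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 "
    "94 e2 a0 f4 ba cd"
)
# Constructed stand-in for an attacker's own key; not a real RSA modulus.
ATTACKER_MODULUS_HEX = "c0 ff ee 00 " * 31 + "c0 ff ee 01"


def normalize_modulus(hex_text):
    """cert:hex is free-form text (spaces, case, colons vary between cards),
    so compare moduli as integers, never as strings."""
    return int("".join(hex_text.split()).replace(":", ""), 16)


def key_triples(key, webid, exponent, modulus_hex):
    """Triples for one rsa:RSAPublicKey in the cert/rsa vocabulary the card uses."""
    return [
        (key, CERT + "identity", webid),
        (key, RSA + "modulus", key + "-mod"),
        (key + "-mod", CERT + "hex", modulus_hex),
        (key, RSA + "public_exponent", key + "-exp"),
        (key + "-exp", CERT + "decimal", str(exponent)),
    ]


# Quad store: graph IRI -> triples. The first two graphs are the two 'g' values
# URIBurner returned; the third is a hypothetical graph from another domain
# that claims Peter's WebID with a different key (constructed for the example).
STORE = {
    "http://foaf.me/pw2": key_triples("_:k1", WEBID, 65537, PW2_MODULUS_HEX),
    "http://foaf.me/pw2#me": key_triples("_:k2", WEBID, 65537, PW2_MODULUS_HEX),
    "http://attacker.example/profile": key_triples("_:k3", WEBID, 65537, ATTACKER_MODULUS_HEX),
}


def _objects(triples, s, p):
    return [o for (ss, pp, o) in triples if ss == s and pp == p]


def keys_for(store, webid, graph=None):
    """The pattern  GRAPH ?g { ?id cert:identity <webid> ;
                               rsa:modulus [ cert:hex ?m ] ;
                               rsa:public_exponent [ cert:decimal ?e ] }
    graph=None searches every named graph (the unscoped query);
    otherwise only that graph (the FROM <...> form). Returns (g, e, n) rows."""
    rows = []
    for g in (store if graph is None else [graph]):
        triples = store.get(g, [])
        for (s, p, o) in triples:
            if p != CERT + "identity" or o != webid:
                continue
            mods = [m for mn in _objects(triples, s, RSA + "modulus")
                    for m in _objects(triples, mn, CERT + "hex")]
            exps = [e for en in _objects(triples, s, RSA + "public_exponent")
                    for e in _objects(triples, en, CERT + "decimal")]
            for m in mods:
                for e in exps:
                    rows.append((g, int(e), normalize_modulus(m)))
    return rows


def profile_graph(webid):
    """Graph the verifier dereferenced itself: the WebID minus its fragment.
    Assumption: the store names that graph by the document URI."""
    return urldefrag(webid)[0]


def verify_webid(store, webid, cert_exponent, cert_modulus_hex):
    """WebID check: accept the client cert's SAN URI + public key only if that
    key is listed in the profile graph for the WebID. Other graphs, whatever
    they assert about this WebID, are ignored."""
    want = (cert_exponent, normalize_modulus(cert_modulus_hex))
    return any((e, n) == want
               for (_g, e, n) in keys_for(store, webid, profile_graph(webid)))


if __name__ == "__main__":
    for g, e, n in keys_for(STORE, WEBID):
        print("unscoped:", g, e, hex(n)[:12] + "...")
    print("scoped rows:", len(keys_for(STORE, WEBID, profile_graph(WEBID))))
    print("Peter's cert:   ", verify_webid(STORE, WEBID, 65537, PW2_MODULUS_HEX))
    print("attacker's cert:", verify_webid(STORE, WEBID, 65537, ATTACKER_MODULUS_HEX))
```

Run unscoped, `keys_for` returns three rows: two carrying the same foaf.me key (the harmless double binding) and one carrying the attacker's key, which a verifier that merely checks "some row matches" would accept. Scoped to the dereferenced graph it returns one row, and `verify_webid` rejects the attacker's certificate even though the store contains a triple saying that key belongs to Peter's WebID.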

