[foaf-protocols] sparql, uriburner, and double binding hits

peter williams home_pw at msn.com
Mon Mar 28 00:27:50 CEST 2011


The FROM clause makes sense – for the main problem: the classical problem of
testing for existence of a pubkey value in a pubkey array, stored in an
identified file on the web. I will amend my code to require it.

There are additional problems, though, beyond the (FROM-enhanced) query -
marked up for Virtuoso’s added-value. Webid is supposed to be webby, of
course - and do more than good ol’ PGP, or even older X.509 cert chains. It’s
supposed to explore what webbiness can do (that PGP cannot). And, it seems
in using the FROM-less version of the query, we have started to explore an
interesting, “more-webby” variant of webid.

Now that my client cert testing engine is talking to a data service with
quads, that service can evidently answer queries such as: does the pubkey
exist in any n sets of triples (each triple set being distinguished by a
quad element, in some quad scheme)? If so, what are these graphs, and their
graph identifiers (?g)?

My thought was, well, if uriburner was being somehow induced to crawl
friends’ graphs and their foaf cards, and thus under some criteria builds a
model of which of them also - as independent sources – list that my webid maps
to my RSApublicKey, then might not the FROM-less query now test: how many
“reputable” folks attest (in their foaf cards) to the mapping of my webid to
my RSAPubkey? If some or all 10 were viewed then as being “endorsers” of me
and my RSApubkey, we have the beginnings of testing: how many others (apart
from Peter) wish to speak for Peter’s key? (PGP-like.)

Now, I’m guessing/hoping that the semantic social space is addressing this
kind of topic.

This is the second interesting use of graph ?g constructs, in the
FOAF+SSL/webid world. Henry once used them in queries that two
(webid-powered) sparql endpoints might send to each other, when acting as
relative-client, relative-server. The query’s formulation could be seen to
be a “message” being exchanged between the https endpoints (rather than a
“query”) – much like SSL sends messages between its endpoints. Given
messaging, then one can build messaging protocols. Perhaps one could build
an SSL-like handshake using this kind of message passing!

From: Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org]
Sent: Sunday, March 27, 2011 2:02 PM
To: Kingsley Idehen; peter williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits

----- Original Message -----
From: Kingsley Idehen <mailto:kidehen at openlinksw.com>
To: peter williams <mailto:home_pw at msn.com>
Cc: foaf-protocols at lists.foaf-project.org
Sent: Sunday, March 27, 2011 10:27 PM
Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits

On 3/27/11 1:38 PM, peter williams wrote: 


gives

g:         http://foaf.me/pw2
callret-1: 65537
callret-2: bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f
62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99
14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a
59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1
2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0
f4 ba cd

g:         http://foaf.me/pw2#me
callret-1: 65537
callret-2: bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f
62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99
14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a
59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1
2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0
f4 ba cd

I’ve little idea why this card produces those triples in uriburner’s
triple/quad store, given my other cards don’t. I do remember experimenting a
year+ ago putting two rsapublickeys in 1 card though, and issuing many many
queries to uriburner on it (just seeing “what would happen?” as I played
with variants of the webid URI). This may be the cause.

Now, assuming I can repeat the cause, it would be easy for me to create 2
self-signed certs, with the same pubkey (above) but different URIs (the g
above).

The argument is, presumably, that one tests that two such URIs are
equivalent (for the purposes of access control) not because of the pubkey,
but because the verifying authority determines there to be logical relations
(e.g. sameAs) that assert the equivalence. One has to have a trusted
source of triples, to do this, of course.

So, this seems an interesting test case. 

1. Create a new foaf.me file. Somehow fiddle that one file’s rsapublickeys
   values. Issue lots of uriburner queries, such that uriburner ends up with
   2 graphs (as above), binding to the same publickey.

2. Make 2 self-signed certs, each with 1 graph URI (as above) as its 1 webid
   SAN field.

3. Make login attempts to foaf.me, with each.

Now, I’m not sure what this proves, when foaf.me accepts/denies the login.
Presumably, even without any sameAs statements, it SHOULD authenticate
either, and allow access to the user to make card changes (e.g. add a third
public key, different to the first two).

Presumably, a security enforcer module for authn (in general) could have
its own source of owl:sameAs statements, that influence its unique
perspectives on equivalence of the 2 certs’ logons. It’s not that the sameAs
statements have to come from foaf cards.

If I go to a different resource server, with a triple store asserting X and
Y URIs are not equivalent, its authn SEF could recognize one client cert as
an authentic user logon attempt, but not the other.

So, in the wider sense of webid, just “who” is “authoritative” for such
equivalence relations?

Traditionally, in IIS land, the cert (not its id, or its pubkey) is mapped
to an NT account, and the authorization logic for resources is simple IBAC –
in which NT SIDs map to ACLs. Or, in more modern designs, the cert supports
access to an IDP which delivers a re-signed token with claims targeting the
resource server – that then drives claims-based access controls (after
translation, if required). This does not assume semweb trust, of course,
merely recognition of the IDP’s signing keys – which seems to be a variant
of webid protocol.

From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Kingsley
Idehen
Sent: Sunday, March 27, 2011 9:35 AM
To: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits

On 3/27/11 10:30 AM, peter williams wrote: 

Gulp! There can be 2 containers (foaf card files, in the simple
representation on a webserver) matched by a URI?

If there can be 2, presumably there can be n.

How would I find out info about the 2 containers? Are these containers like
a transaction log file, in which there is a logical record of changes? 

Or, should I think in terms of quads, where it so happens that the cert:hex
etc triple exists in 2 (n) quads, where a distinct 4th element is a
time-value, say? The time the foaf card was replicated/crawled, say?

While it seems important to eliminate this (using the FROM incantation) in
one sense, it also seems in another sense interesting to consider the
semantics of such a quad store. If the non-FROM query - when implemented by
the uriburner data service - is answering the question “what are all the
pubkeys, ever known to be or have been associated”, this is also
interesting. This is something beyond the core URI semantics of
de-referencing.


Virtuoso (what sits behind URIBurner.com) is a Quad Store (amongst many
other things re. DBMS functionality).

Try:

#Why? -- string comparison
#How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
# ditto custom functions

PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa#>
SELECT ?g
       (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
WHERE {
  GRAPH ?g {
    ?id cert:identity <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> ;
        rsa:public_exponent ?exp ; rsa:modulus ?mod .
    OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
  }
}


Kingsley




From: Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org] 
Sent: Sunday, March 27, 2011 4:18 AM
To: peter williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits

On 3/26/11 10:45 PM, peter williams wrote: 

Concerning foaf card at http://foaf.me/pw2#me,

The public entry has 1 RSA publicKeyResource: 

<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
         xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
         xmlns:cert="http://www.w3.org/ns/auth/cert#"
         xmlns:admin="http://webns.net/mvcb/">
  <foaf:PersonalProfileDocument rdf:about="">
    <foaf:maker rdf:resource="#me" />
    <foaf:primaryTopic rdf:resource="#me" />
  </foaf:PersonalProfileDocument>
  <foaf:Person rdf:ID="me">
    <foaf:nick>pw2</foaf:nick>
    <foaf:homepage rdf:resource="" />
  </foaf:Person>
  <rdf:Description>
    <rdf:type rdf:resource="http://www.w3.org/ns/auth/rsa#RSAPublicKey" />
    <cert:identity rdf:resource="#me" />
    <rsa:modulus rdf:parseType="Resource">
      <cert:hex>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c
e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e
43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79
a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7
93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01
a9 94 e2 a0 f4 ba cd</cert:hex>
    </rsa:modulus>
    <rsa:public_exponent rdf:parseType="Resource">
      <cert:decimal>65537</cert:decimal>
    </rsa:public_exponent>
  </rdf:Description>
</rdf:RDF>

A ping on URIburner (using a query that works fine for OTHER foaf cards.)


Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://uriburner.com/sparql
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; FDM)
Accept-Encoding: gzip, deflate
Host: uriburner.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Virtuoso/06.02.3129 (Linux) x86_64-generic-linux-glibc25-64  VDB
Connection: close
Date: Sat, 26 Mar 2011 21:13:24 GMT
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
Access-Control-Allow-Origin: *
Content-Length: 965

Generates multiple binding matches, in the result set:

<table class="sparql" border="1">
  <tr>
    <th>callret-0</th>
    <th>callret-1</th>
  </tr>
  <tr>
    <td>65537</td>
    <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4
3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40
06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db
2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28
97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94
e2 a0 f4 ba cd</td>
  </tr>
  <tr>
    <td>65537</td>
    <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4
3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40
06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db
2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28
97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94
e2 a0 f4 ba cd</td>
  </tr>
</table>

Any rationale? How should I behave?

Hi Peter,

the reason for the multiple results is the existence of two named graphs
which match "?id cert:identity <http://foaf.me/pw2#me>".

PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa#>
SELECT *
WHERE {
       graph ?g {
             ?id cert:identity <http://foaf.me/pw2#me> ;
                 rsa:modulus [cert:hex ?m] ;
                 rsa:public_exponent [cert:decimal ?e] .
       }
}


You can fix this behaviour by just adding
  FROM <http://foaf.me/pw2#me>
to your query.

Best,
Andreas







-- 
------------------------------------------
Dipl.-Ing. Andreas Radinger
Professur für Allgemeine BWL, insbesondere E-Business
e-business & web science research group
Universität der Bundeswehr München
 
e-mail: andreas.radinger at unibw.de
phone:  +49-(0)89-6004-4218
fax:    +49-(0)89-6004-4620
www:    http://www.unibw.de/ebusiness/
skype:  andreas.radinger
 
 
_______________________________________________
foaf-protocols mailing list
foaf-protocols at lists.foaf-project.org
http://lists.foaf-project.org/mailman/listinfo/foaf-protocols







-- 
 
Regards,
 
Kingsley Idehen       
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
<http://www.openlinksw.com/blog/%7Ekidehen> 
Twitter/Identi.ca: kidehen 
 
 
 
 



Try:

#Why? -- string comparison
#How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
# ditto custom functions

PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa:  <http://www.w3.org/ns/auth/rsa#>
SELECT DISTINCT ?g
       (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))
WHERE {
  GRAPH ?g {
    ?id cert:identity <http://foaf.me/pw2#me> ;
        rsa:public_exponent ?exp ; rsa:modulus ?mod .
    OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }
  }
}




-- 
 
Regards,
 
Kingsley Idehen            
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
 
 

 
I helped to get another "g" into the endpoint.
Yes Peter, it is possible to generate another n "g"s in other domains.
Either you really need to use a "FROM" clause or I have not fully understood
the problem.
 
Best regards,
Andreas
 
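As an added example (not code from the thread, from Virtuoso or from URIBurner), a small in-memory quad store in Python reproduces the double binding Andreas explains and the effect of restricting the query to one graph, next to the check a WebID verifier should make: the graph names, blank-node ids, the other.example graph and the shortened modulus are constructed for illustration.

```python
# Toy quad store modelling the URIBurner result set above: the same card in
# two named graphs, plus a third graph from another domain asserting a
# different key for the same WebID (Andreas: "another n g's in other domains").
CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"
WEBID = "http://foaf.me/pw2#me"
PROFILE_DOC = "http://foaf.me/pw2"          # document the WebID dereferences to
KEY_HEX = "bd 4b 4a 44 35 d5 01 ee"         # constructed, shortened modulus

# (graph, subject, predicate, object); subjects are constructed blank nodes.
QUADS = [
    (PROFILE_DOC, "_:k1", CERT + "identity", WEBID),
    (PROFILE_DOC, "_:k1", RSA + "public_exponent", "65537"),
    (PROFILE_DOC, "_:k1", RSA + "modulus", KEY_HEX),
    (WEBID, "_:k2", CERT + "identity", WEBID),
    (WEBID, "_:k2", RSA + "public_exponent", "65537"),
    (WEBID, "_:k2", RSA + "modulus", KEY_HEX),
    ("http://other.example/card", "_:k3", CERT + "identity", WEBID),
    ("http://other.example/card", "_:k3", RSA + "public_exponent", "3"),
    ("http://other.example/card", "_:k3", RSA + "modulus", "ff ff ff ff"),
]

def hex_to_int(text):
    """cert:hex permits whitespace between byte pairs; compare as an integer."""
    return int("".join(text.split()), 16)

def value(graph, subject, predicate):
    """Return the first object for (graph, subject, predicate), or None."""
    for g, s, p, o in QUADS:
        if g == graph and s == subject and p == predicate:
            return o
    return None

def keys_for(webid, graph=None):
    """The thread's 'SELECT ?g ?exp ?mod' pattern.  graph=None is the FROM-less
    form: one binding per named graph containing the card.  Passing a graph URI
    plays the role of 'FROM <graph>' and yields at most that graph's bindings."""
    bindings = []
    for g, s, p, o in QUADS:
        if p == CERT + "identity" and o == webid and (graph is None or g == graph):
            exp = value(g, s, RSA + "public_exponent")
            mod = value(g, s, RSA + "modulus")
            if exp is not None and mod is not None:
                bindings.append((g, int(exp), hex_to_int(mod)))
    return bindings

def verify_webid(webid, cert_exponent, cert_modulus_hex):
    """Verifier's check: only the document the WebID dereferences to is
    authoritative, so the key must come from that graph and from no other."""
    document = webid.split("#", 1)[0]
    wanted = (cert_exponent, hex_to_int(cert_modulus_hex))
    return any((e, m) == wanted for _, e, m in keys_for(webid, graph=document))
```

Without the graph restriction the query returns three bindings, one of them a key nobody at foaf.me ever published; with it, only the dereferenced profile document decides.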