[foaf-protocols] sparql, uriburner, and double binding hits

Peter Williams home_pw at msn.com
Mon Mar 28 03:58:05 CEST 2011


I'll release my Windows demo later.

A 100-line demo server for Windows 2008 R2 SP1 that does the common use case, using procedural code.

Works fine with Opera.

Doesn't work well with IE (as I still don't know how to make the SSL CA list be null). But Opera doesn't care....

Only allows 1 SAN URI per cert, since the Windows API does not assume multiple. I can hand-parse the SAN, though, I suppose.





On Mar 27, 2011, at 5:01 PM, Kingsley Idehen <kidehen at openlinksw.com> wrote:

> On 3/27/11 6:27 PM, peter williams wrote:
>> 
>> The FROM clause makes sense – for the main problem: the classical problem of testing for existence of a pubkey value in a pubkey array, stored in an identified file on the web. I will amend my code to require it.
>>  
>>  
>> There are additional problems, though, beyond the (FROM-enhanced) query - marked up for Virtuoso’s added value. Webid is supposed to be webby, of course - and do more than good ol' PGP, or even older X.509 cert chains. It’s supposed to explore what webbiness can do (that PGP cannot…). And, it seems in using the FROM-less version of the query, we have started to explore an interesting, “more-webby” variant of webid.
> 
> Virtuoso isn't impeding webbiness; it's a sophisticated DBMS that offers a range of options. It can operate in a plethora of modes; naturally I have URIBurner set to max flexibility.
> 
>>  
>> Now that my client cert testing engine is talking to a data service with quads, that service can evidently answer queries such as: does the pubkey exist in any n sets of triples (each triple set being distinguished by a quad element, in some quad scheme)? If so, what are these graphs, and their graph identifiers (?g)?
> 
> Each Named Graph in Virtuoso's Relational Property Graph DBMS is like a Table in a Relational Tables DBMS. When Virtuoso sponges (HTTP GET and cache) a Resource via its URL it makes a local Named Graph using the Resource URL. In our parlance, the Resource URL is equivalent to an ODBC Data Source Name (DSN).
>>  
>> My thought was, well, if uriburner was being somehow induced to crawl friends' graphs and their foaf cards, and thus under some criteria builds a model of which of them also - as independent sources – list that my webid maps to my RSApublicKey, then might not the FROM-less query now test: how many “reputable” folks attest (in their foaf cards) to the mapping of my webid to my RSAPubkey?
> 
> Yes, if you use DISTINCT without FROM, for instance.
> 
>> If some or all 10 were viewed then as being “endorsers” of me and my RSApubkey, we have the beginnings of testing: how many others (apart from Peter) wish to speak-for peter’s key? (pgp like….)
>>  
>> Now, I'm guessing/hoping that the semantic social space is addressing this kind of topic.
> 
> Yes.
> 
>>  
>>  
>> This is the second interesting use of graph ?g constructs in the FOAF+SSL/webid world. Henry once used them in queries that two (webid-powered) sparql endpoints might send to each other, when acting as relative-client, relative-server. The query’s formulation could be seen to be a “message” being exchanged between the https endpoints (rather than a “query”) – much like SSL sends messages between its endpoints. Given messaging… then one can build messaging protocols. Perhaps one could build an SSL-like handshake using this kind of message passing!
> 
> We can do many things, we just need to get started with many players doing interop :-)
> 
> 
> Kingsley
>>  
>>  
>> From: Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org] 
>> Sent: Sunday, March 27, 2011 2:02 PM
>> To: Kingsley Idehen; peter williams
>> Cc: foaf-protocols at lists.foaf-project.org
>> Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits
>>  
>>  
>> ----- Original Message -----
>> From: Kingsley Idehen
>> To: peter williams
>> Cc: foaf-protocols at lists.foaf-project.org
>> Sent: Sunday, March 27, 2011 10:27 PM
>> Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits
>>  
>> On 3/27/11 1:38 PM, peter williams wrote:
>> http://uriburner.com/sparql/?default-graph-uri=&should-sponge=&query=%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0A%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E+%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E+%0D%0ASELECT+%3Fg%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29++%0D%0AWHERE+%7B+++GRAPH+%3Fg+%7B+%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.+++++++++%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D++++++%0D%0A++++++++++%7D+%0D%0A++++++%7D%0D%0A&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname=
>> gives two result rows (columns g, callret-1, callret-2):
>> 
>> g:         http://foaf.me/pw2
>> callret-1: 65537
>> callret-2: bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd
>> 
>> g:         http://foaf.me/pw2#me
>> callret-1: 65537
>> callret-2: bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd
>> I've little idea why this card produces those triples in uriburner's triple/quad store, given my other cards don’t. I do remember experimenting a year+ ago putting two rsapublickeys in 1 card though, and issuing many many queries to uriburner on it (just seeing “what would happen?”… as I played with variants of the webid URI). This may be the cause.
>> Now, assuming I can repeat the cause, it would be easy for me to create 2 self signed certs, with same pubkey (above) but different URIs (the g above).
>> The argument is, presumably, that one tests that two such URIs are equivalent (for the purposes of access control) not because of the pubkey, but because the verifying authority determines there to be logical relations (e.g. sameAs…) that assert the equivalence. One has to have a trusted source of triples to do this, of course.
>> So, this seems an interesting test case.
>> 1. Create a new foaf.me file. Somehow fiddle that one file’s rsapublickeys values. Issue lots of uriburner queries, such that uriburner ends up with 2 graphs (as above), binding to the same publickey.
>> 2. Make 2 self-signed certs, each with 1 graph URI (as above) as its 1 webid SAN field.
>> 3. Make login attempts to foaf.me, with each.
>> Now, I'm not sure what this proves, when foaf.me accepts/denies the login. Presumably, even without any sameAs statements, it SHOULD authenticate either, and allow access to the user to make card changes (e.g. add a third public key, different to the first two).
>> Presumably, a security enforcer module for authn (in general) could have its own source of owl:sameAs statements, that influence its unique perspectives on equivalence of the 2 certs' logons. It's not that the sameAs statements have to come from foaf cards.
>> If I go to a different resource server, with a triple store asserting X and Y URIs are not equivalent, its authn SEF could recognize one client cert as an authentic user logon attempt, but not the other.
>> So, in the wider sense of webid, just “who” is “authoritative” … for such equivalence relations?
>> Traditionally, in IIS land, the cert (not its id, or its pubkey) is mapped to an NT account, and the authorization logic for resources is simple IBAC – in which NT SIDs map to ACLs. Or, in more modern designs, the cert supports access to an IDP which delivers a re-signed token with claims targeting the resource server – that then drives claims-based access controls (after translation, if required). This does not assume semweb trust, of course, merely recognition of the IDP’s signing keys – which seems to be a variant of webid protocol.
>> From: foaf-protocols-bounces at lists.foaf-project.org [mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Kingsley Idehen
>> Sent: Sunday, March 27, 2011 9:35 AM
>> To: foaf-protocols at lists.foaf-project.org
>> Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits
>> On 3/27/11 10:30 AM, peter williams wrote:
>> Gulp! There can be 2 containers (foaf card files, in the simple representation on a webserver) matched by a URI?
>> If there can be 2, presumably there can be n.
>> How would I find out info about the 2 containers? Are these containers like a transaction log file, in which there is a logical record of changes?
>> Or, should I think in terms of quads, where it so happens that the cert:hex… etc triple exists in 2 (n) quads, where a distinct 4th element is a time-value, say? The time the foaf card was replicated/crawled, say?
>> While it seems important to eliminate this (using the FROM…incantation) in one sense, it also seems in another sense interesting to consider the semantics of such a quad store. If the non-FROM query - when implemented by the uriburner data service - is answering the question “what are all the pubkeys, ever known to be or have been associated”, this is also interesting. This is something beyond the core URI semantics of de-referencing.
>> 
>> Virtuoso (what sits behind URIBurner.com) is a Quad Store (amongst many other things re. DBMS functionality).
>> 
>> Try:
>> 
>> #Why? -- string comparison
>> #How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
>> # ditto custom functions
>> 
>> PREFIX cert: <http://www.w3.org/ns/auth/cert#> 
>> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#> 
>> SELECT ?g
>>        (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))  
>> WHERE {   GRAPH ?g { 
>>            ?id cert:identity <http://webid.myxwiki.org/xwiki/bin/view/XWiki/homepw4#me> ;
>>            rsa:public_exponent ?exp ; rsa:modulus ?mod .         
>>            OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }      
>>           } 
>>       }
>> 
>> 
>> Kingsley
>> 
>> 
>> From: Andreas Radinger [mailto:andreas.radinger at ebusiness-unibw.org] 
>> Sent: Sunday, March 27, 2011 4:18 AM
>> To: peter williams
>> Cc: foaf-protocols at lists.foaf-project.org
>> Subject: Re: [foaf-protocols] sparql, uriburner, and double binding hits
>> On 3/26/11 10:45 PM, peter williams wrote:
>> Concerning foaf card at http://foaf.me/pw2#me,
>> The public entry has 1 RSA publicKeyResource:
>> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:rsa="http://www.w3.org/ns/auth/rsa#" xmlns:cert="http://www.w3.org/ns/auth/cert#" xmlns:admin="http://webns.net/mvcb/">
>>   <foaf:PersonalProfileDocument rdf:about="">
>>     <foaf:maker rdf:resource="#me" />
>>     <foaf:primaryTopic rdf:resource="#me" />
>>   </foaf:PersonalProfileDocument>
>>   <foaf:Person rdf:ID="me">
>>     <foaf:nick>pw2</foaf:nick>
>>     <foaf:homepage rdf:resource="" />
>>   </foaf:Person>
>>   <rdf:Description>
>>     <rdf:type rdf:resource="http://www.w3.org/ns/auth/rsa#RSAPublicKey" />
>>     <cert:identity rdf:resource="#me" />
>>     <rsa:modulus rdf:parseType="Resource">
>>       <cert:hex>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</cert:hex>
>>     </rsa:modulus>
>>     <rsa:public_exponent rdf:parseType="Resource">
>>       <cert:decimal>65537</cert:decimal>
>>     </rsa:public_exponent>
>>   </rdf:Description>
>> </rdf:RDF>
>> A ping on URIburner (using a query that works fine for OTHER foaf cards….)
>> GET http://uriburner.com/sparql?default-graph-uri=&should-sponge=grab-all&query=%23What%3F+--+SELECT+list+type+casting%0D%0A%23Why%3F+--+string+comparison%0D%0A%23How%3F+--+leverage+fact+that+Virtuoso+can+surface+all+its+in-built+functions+%28from+SQL+and+other+functionality+realms%29%0D%0A%23+ditto+custom+functions%0D%0APREFIX+cert%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Fcert%23%3E%0D%0APREFIX+rsa%3A+%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Frsa%23%3E%0D%0ASELECT%0D%0A+++++++%28str+%28bif%3Acoalesce+%28%3Fexp_val%2C+%3Fexp%29%29%29+%28str+%28bif%3Acoalesce+%28%3Fmod_val%2C+%3Fmod%29%29%29%0D%0AWHERE+%7B%0D%0A+++++++++++%3Fid+cert%3Aidentity+%3Chttp%3A%2F%2Ffoaf.me%2Fpw2%23me%3E+%3B%0D%0A+++++++++++rsa%3Apublic_exponent+%3Fexp+%3B+rsa%3Amodulus+%3Fmod+.%0D%0A+++++++++++OPTIONAL+%7B+%3Fexp+cert%3Adecimal+%3Fexp_val+.+%3Fmod+cert%3Ahex+%3Fmod_val+.+%7D%0D%0A++++++++++%7D&debug=on&timeout=&format=text%2Fhtml&CXML_redir_for_subjs=&CXML_redir_for_hrefs=&save=display&fname= HTTP/1.1
>> Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
>> Referer: http://uriburner.com/sparql
>> Accept-Language: en-US
>> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; FDM)
>> Accept-Encoding: gzip, deflate
>> Host: uriburner.com
>> Connection: Keep-Alive
>> HTTP/1.1 200 OK
>> Server: Virtuoso/06.02.3129 (Linux) x86_64-generic-linux-glibc25-64  VDB
>> Connection: close
>> Date: Sat, 26 Mar 2011 21:13:24 GMT
>> Accept-Ranges: bytes
>> Content-Type: text/html; charset=UTF-8
>> Access-Control-Allow-Origin: *
>> Content-Length: 965
>> Generates multiple binding matches, in the result set:
>> <table class="sparql" border="1">
>>   <tr>
>>     <th>callret-0</th>
>>     <th>callret-1</th>
>>   </tr>
>>   <tr>
>>     <td>65537</td>
>>     <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</td>
>>   </tr>
>>   <tr>
>>     <td>65537</td>
>>     <td>bd 4b 4a 44 35 d5 01 ee 87 46 70 e1 01 7f ab b0 80 60 c1 cb 3c e5 b4 3d 7f 62 7c c4 e0 a2 1d 24 3a 4f d6 89 0b cf 72 3f 39 ca 5f 0a 86 6e 43 40 06 99 14 6f 47 f6 99 03 3c 07 c8 e7 cf b9 06 6e 85 1b 5d 8d 2e 71 79 a0 db 2c 1a 59 b7 fc 7c be 70 aa b9 d0 d3 a7 f2 34 db 9f ce f9 67 ab 8f b7 93 28 97 c1 2c b0 74 ed e2 15 fe ca 0d f4 07 f7 23 36 06 4e 81 d4 3f 83 01 a9 94 e2 a0 f4 ba cd</td>
>>   </tr>
>> </table>
>> Any rationale? How should I behave?
>> Hi Peter,
>> 
>> the reason for the multiple results is the existence of two named graphs which match "?id cert:identity <http://foaf.me/pw2#me>".
>> 
>> PREFIX cert: <http://www.w3.org/ns/auth/cert#>
>> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
>> SELECT *
>> WHERE {
>>        graph ?g {
>>              ?id cert:identity <http://foaf.me/pw2#me> ;
>>                  rsa:modulus [cert:hex ?m] ;
>>                  rsa:public_exponent [cert:decimal ?e] .
>>        }
>> 
>> }
>> 
>> 
>> You can fix this behaviour by just adding
>>   FROM <http://foaf.me/pw2#me>
>> to your query.
>> 
>> Best,
>> Andreas
>> 
>> 
>> 
>> 
>> 
>> -- 
>> ------------------------------------------
>> Dipl.-Ing. Andreas Radinger
>> Chair of General Business Administration, in particular E-Business
>> e-business & web science research group
>> Universität der Bundeswehr München
>>  
>> e-mail: andreas.radinger at unibw.de
>> phone:  +49-(0)89-6004-4218
>> fax:    +49-(0)89-6004-4620
>> www:    http://www.unibw.de/ebusiness/
>> skype:  andreas.radinger
>>  
>>  
>> _______________________________________________
>> foaf-protocols mailing list
>> foaf-protocols at lists.foaf-project.org
>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>> 
>> 
>> 
>> 
>> -- 
>>  
>> Regards,
>>  
>> Kingsley Idehen       
>> President & CEO 
>> OpenLink Software     
>> Web: http://www.openlinksw.com
>> Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca: kidehen 
>>  
>>  
>>  
>>  
>> 
>> 
>> Try:
>> 
>> #Why? -- string comparison
>> #How? -- leverage fact that Virtuoso can surface all its in-built functions (from SQL and other functionality realms)
>> # ditto custom functions
>> 
>> PREFIX cert: <http://www.w3.org/ns/auth/cert#> 
>> PREFIX rsa: <http://www.w3.org/ns/auth/rsa#> 
>> SELECT DISTINCT ?g
>>        (str (bif:coalesce (?exp_val, ?exp))) (str (bif:coalesce (?mod_val, ?mod)))  
>> WHERE {   GRAPH ?g { 
>>            ?id cert:identity <http://foaf.me/pw2#me> ;
>>            rsa:public_exponent ?exp ; rsa:modulus ?mod .         
>>            OPTIONAL { ?exp cert:decimal ?exp_val . ?mod cert:hex ?mod_val . }      
>>           } 
>>       }
>> 
>> 
>> -- 
>>  
>> Regards,
>>  
>> Kingsley Idehen            
>> President & CEO 
>> OpenLink Software     
>> Web: http://www.openlinksw.com
>> Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca: kidehen 
>>  
>>  
>>  
>> I helped to get another "g" into the endpoint.
>> Yes Peter, it is possible to generate another n "g"s in other domains.
>> Either you really need to use a "FROM" clause or I have not fully understood the problem.
>>  
>> Best regards,
>> Andreas
>>  
>> 
> 
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	      
> President & CEO 
> OpenLink Software     
> Web: http://www.openlinksw.com
> Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca: kidehen 
> 
> 
> 
> 
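The scoping problem the thread turns on (a FROM-less GRAPH ?g query matching every cached graph that carries the cert:identity / rsa:modulus / rsa:public_exponent pattern, versus restricting the match to the WebID's own profile document), worked through as an added Python example. This is not code from the thread, URIBurner or Virtuoso: it models the quad store as a list of (graph, subject, predicate, object) tuples. The graph names http://foaf.me/pw2 and http://foaf.me/pw2#me are the two ?g bindings shown above; the third graph http://example.org/stale-copy, the short key values and all function names are constructed for illustration. Since the queries in the thread compare the key as strings, the example also canonicalizes the cert:hex literal before comparing it.

```python
"""Added example (not from the thread, URIBurner or Virtuoso): the effect of
scoping a WebID key lookup to one named graph, modelled over a tiny quad store.

Graph names http://foaf.me/pw2 and http://foaf.me/pw2#me are the two ?g bindings
seen in the thread; the third graph, the key values and the function names are
constructed for illustration.
"""
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"
WEBID = "http://foaf.me/pw2#me"

# Key literals are deliberately short, constructed values (a real modulus is 2048+ bits).
PROFILE_MODULUS = "C0 FF EE 12 34 56 78 9A"   # as published in the card (spaced, upper case)
STALE_MODULUS = "de ad be ef"                 # an older key, held only by a stale copy


def _key_quads(graph, key_node, modulus_hex, exponent_dec):
    """Quads for one rsa:RSAPublicKey node, shaped like the RDF/XML card in the thread."""
    mod_node, exp_node = key_node + "-mod", key_node + "-exp"
    return [
        (graph, key_node, CERT + "identity", WEBID),
        (graph, key_node, RSA + "modulus", mod_node),
        (graph, mod_node, CERT + "hex", modulus_hex),
        (graph, key_node, RSA + "public_exponent", exp_node),
        (graph, exp_node, CERT + "decimal", exponent_dec),
    ]


# Constructed quad store: (graph, subject, predicate, object).
QUADS = (
    _key_quads("http://foaf.me/pw2", "_:k1", PROFILE_MODULUS, "65537")            # the profile document
    + _key_quads("http://foaf.me/pw2#me", "_:k2", PROFILE_MODULUS, "65537")       # second cached copy
    + _key_quads("http://example.org/stale-copy", "_:k3", STALE_MODULUS, "65537")  # constructed third graph
)


def normalize_hex(text):
    """Canonicalize a cert:hex literal for comparison: keep hex digits only
    (drops spaces and colons), lower-case, and strip leading zeros so a
    DER-encoded modulus with a 0x00 sign byte compares equal to the card's value."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    return digits.lstrip("0") or "0"


def _object(quads, graph, subject, predicate):
    """First object of the pattern (graph, subject, predicate, ?o), or None."""
    for g, s, p, o in quads:
        if g == graph and s == subject and p == predicate:
            return o
    return None


def attesting_graphs(quads, webid, cert_modulus_hex, cert_exponent, from_graph=None):
    """Graphs whose triples bind `webid` to the presented key.

    from_graph=None mirrors the FROM-less GRAPH ?g query: every cached graph can
    produce a binding. Passing a graph name mirrors adding FROM <graph>.
    """
    want = normalize_hex(cert_modulus_hex)
    found = set()
    for g, key, p, o in quads:
        if p != CERT + "identity" or o != webid:
            continue
        if from_graph is not None and g != from_graph:
            continue
        mod_node = _object(quads, g, key, RSA + "modulus")
        exp_node = _object(quads, g, key, RSA + "public_exponent")
        mod_hex = _object(quads, g, mod_node, CERT + "hex") if mod_node else None
        exp_dec = _object(quads, g, exp_node, CERT + "decimal") if exp_node else None
        if mod_hex is None or exp_dec is None:
            continue
        if normalize_hex(mod_hex) == want and int(exp_dec) == cert_exponent:
            found.add(g)
    return found


def profile_document(webid):
    """The WebID's profile document: the WebID URI with its fragment removed."""
    return urldefrag(webid).url


def verify_webid(quads, webid, cert_modulus_hex, cert_exponent):
    """Verifier's check: only the dereferenced profile document is authoritative
    for the WebID -> key binding, so the lookup is scoped to that one graph."""
    doc = profile_document(webid)
    return bool(attesting_graphs(quads, webid, cert_modulus_hex, cert_exponent, from_graph=doc))


if __name__ == "__main__":
    presented = "00c0ffee123456789a"  # constructed: the card's key with a DER-style leading zero
    print("unscoped:", sorted(attesting_graphs(QUADS, WEBID, presented, 65537)))
    print("scoped:  ", sorted(attesting_graphs(QUADS, WEBID, presented, 65537, profile_document(WEBID))))
    print("verified:", verify_webid(QUADS, WEBID, presented, 65537))
    print("stale key verified:", verify_webid(QUADS, WEBID, STALE_MODULUS, 65537))
```

Run unscoped, the lookup returns both foaf.me graphs, which is the double binding the thread started from; a third graph that still holds an old key would also pass an unscoped check, so a verifier that does not restrict the graph is trusting whatever the store has ever cached. Scoped to the profile document, the same key yields exactly one binding and the stale key none. The unscoped set is still useful for the "how many graphs attest to this binding" question raised in the thread, but as a reputation signal, not as the authentication decision.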
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20110327/4fc02c5c/attachment-0001.htm 

