[foaf-protocols] Opera, foaf+ssl and OpenId

Story Henry henry.story at bblfish.net
Thu Sep 10 15:38:31 CEST 2009


A very interesting howto posted by Peter Williams to the OpenId
mailing list, on how to use Opera's client-side server, foaf+ssl, and
Toby Inkster's foaf+ssl OpenId server.

Toby's server needs a little bit more work I think: I have not been  
able to use it to log into OpenId sites recently. It is a really good  
idea though, and would be a great project requiring a little bit more  
work, to make it widely usable.

Henry

Begin forwarded message:

> From: Peter Williams <pwilliams at rapattoni.com>
> Date: 9 September 2009 17:12:32 CEST
> To: Melvin Carvalho <melvincarvalho at gmail.com>
> Cc: Toby A Inkster <tai at g5n.co.uk>, "general at openid.net" <general at openid.net>
> Subject: Re: [OpenID] missing the final piece, leveraging openid with foaf+ssl
>
> I updated it, to make it more easily repeatable. Failure points at  
> the end.
>
>
>
> Install and configure www.opera.com browser, setting a master  
> password. Then
>
>
>
> 1.    Install, configure and enable opera unite (makes your browser
> into a web server while you are signed into the opera cloud).
>
> 2.    Arm and start your new web server, mapping virtual directory  
> "a" to the desktop area of the physical file system
>
> 3.    Give virtual folder /a "public" access, and create an  
> index.html file. Ensure the public can see your index content at http://*.*.operaunite.com/a
>
>
>
> 4.    Use Opera browser's Tools->Preferences->Advanced->Downloads->Add
> to add "application/rdf+xml" for file type of "rdf"
>
> 5.    Restart web browser to restart web server.
>
>
>
> 6.    Copy xml stream (a foaf file) shown below to new file named  
> me.rdf, stored on your desktop
>
> 7.    Edit the me.rdf file to change personal attributes values for  
> Peter to your values, and replace the homepage URL to use your own  
> opera unite hosting URL. (Note how directory /a correctly becomes /a/ 
> content )
>
>
>
> 8.    Use opera to navigate to http://foaf.me/simpleCreateClientCertificate.php
> , and cite your "http://*.*.operaunite.com/a/content/me.rdf#me"
> opera unite url as your webid. Fill out the cert template, put the
> domain name in the cn field (optionally), and remember the cert's
> private key password. Save the resulting .p12 file to desktop with a
> file name that has NO #me component (if present in the suggested
> filename).
>
>
>
> 9.    Use opera's Tools->Preferences->Advanced->Security->Manage  
> Certificates->Import (p12) to arm SSL client certificate support in  
> Opera
>
>
>
> 10.   In opera, goto https://foaf.me/RDF_Representation_of_a_X.509_Client_Certificate.php
> . Present the client cert, and note the resulting RDF. Find the
> RSAPublicKey in the result, and replace my value with your value...
> in your desktop's me.rdf file.
>
>
>
> 11.   In Opera, goto https://foaf.me/simpleLogin.php to try out foaf+ssl
>
>
>
> 12.   Things are correct if the report has the form as follows:
>
>
>
> FOAF+SSL Simple Login Page
>
> The login Suceeded! Authenticated as: http://*.*.operaunite.com/a/content/me.rdf#me
>
>
>
> Technical Explanation:
>
> SSL Client Certificate: detected!
>
>
>
> Client Certificate Public Key detected! (HEX):
>
> Array
>
> (
>
>    [modulus] =>  
> DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
>
>    [exponent] => 010001
>
> )
>
> Subject Alt Name (FOAF Profile): detected!: http://*.*.operaunite.com/a/content/me.rdf#me
>
>
>
> FOAF Remote Public Key found in http://*.*.operaunite.com/a/content/me.rdf#me:
>
> Array
>
> (
>
>    [modulus] =>  
> DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
>
>    [exponent] => 10001
>
> )
>
>
>
>
>
> 13.   Using opera and your client cert, goto https://ophelia.g5n.co.uk:10443/help.cgi
> and confirm the page reports positively (i.e. doesn't say 'The
> help.cgi script wasn't prepared for your setup!' or similar). You
> are ready for openid trials, if so.
>
>
>
> 14.   Use your opera unite server to host a vanity openid (e.g. http://homepw.myopenid.com
> ) using the index.rdf file. Add a link tag to the head section of
> the html markup as follows, replacing home.homepw with your own
> opera unite values
>
>
>
> <HEAD>
> <link href="https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me"
>       rel="openid.server" title="FOAF+SSL OpenID Server" />
> </HEAD>
>
>
>
> 15. Amend the openid identifier in the me.rdf descriptor with your
> opera unite path.
>
>
>
>
>
> 16. Using Opera, navigate to a conforming openid RP: http://www.freexri.com/user/Login/
> . Fill out the openid form field with your openid identifier (whose
> form is http://*.*.operaunite.com/a ). Note if a client cert is
> requested.
>
>
>
> 17. If you apply a spying proxy, note that the RP redirects to
> Location: https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me&openid.identity=http%3A%2F%2Fhome.homepw.operaunite.com%2Fa%2Fcontent%2F&openid.return_to=http%3A%2F%2Fwww.freexri.com%2Fuser%2FOpenIDEndpoint%3Fopenid.rpnonce%3D2009-09-09T14%253A34%253A55Z0%26openid.rpsig%3D0MLFKxSN3Izq%252B60ZBOSp3l962RATizT6f9mm%252FnS1yDw%253D&openid.trust_root=http%3A%2F%2Fwww.freexri.com%2F&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.type.name=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fname&openid.ext1.if_available=email%2Cname&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=email%2Cname
>
>
>
> That's as far as I can get, as the OP redirects to https://ophelia.g5n.co.uk:10443/openid/error.html
> (after asking for the client cert). I cannot get it to show it
> minting an assertion though.
>
>
>
> It doesn't send back an openid assertion to the freexri.com RP, but it
> does have some interesting material (that I don't understand) on
> direct and indirect webids. Indirect seems to be about RP-side name
> linking, so one's long term cert (with a "persistent webid") can map
> onto a current webid at a different location/provider.
>
>
>
>
>
>
>
>
>
> RDF for me.rdf follows:-
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>      xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>      xmlns:foaf="http://xmlns.com/foaf/0.1/"
>      xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
>      xmlns:cert="http://www.w3.org/ns/auth/cert#"
>      xmlns:admin="http://webns.net/mvcb/">
>
> <!-- The document describes itself; #me is the person it is about. -->
> <foaf:PersonalProfileDocument rdf:about="">
>    <foaf:maker rdf:resource="#me"/>
>    <foaf:primaryTopic rdf:resource="#me"/>
> </foaf:PersonalProfileDocument>
>
> <!-- rdf:ID="me" names this node <URL of this document>#me: the WebID
>      that goes into the client certificate's subjectAltName. -->
> <foaf:Person rdf:ID="me">
>    <foaf:nick>homepw</foaf:nick>
>    <foaf:firstName>peter</foaf:firstName>
>    <!-- surname; the posted file carried it under foaf:givenName -->
>    <foaf:family_name>williams</foaf:family_name>
>    <foaf:openid rdf:resource="http://*.*.operaunite.com/a"/>
>    <foaf:homepage rdf:resource="http://*.*.operaunite.com/a/content/me.rdf#me"/>
> </foaf:Person>
>
> <!-- Public key of the client certificate, bound to #me. A FOAF+SSL
>      verifier compares these two numbers with the key in the presented
>      certificate. cert:hex ignores whitespace, so the modulus may be
>      wrapped; the posted file was missing the opening quote on
>      cert:identity, fixed here. -->
> <rsa:RSAPublicKey>
>   <cert:identity rdf:resource="#me"/>
>   <rsa:public_exponent cert:decimal="65537"/>
>   <rsa:modulus cert:hex="93F860637CDB801FF62920AA23D41C8FAFD3F98AD21783853B59AEC7AE5F01C834915ECDC00631079EF411781E46B450548B8B1F451431F9FFFB1AD51F6C4A991AEC3E4A9D230E9A5FE7D9DF1991AF06D23757D919AC817AF32E31DE5E99D2C1A34789C4E1F3CF632504C9D664319DEF7BDBA4552E9C0FEC899B93BE95B5744B"/>
> </rsa:RSAPublicKey>
>
> </rdf:RDF>
>
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
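What foaf.me's simpleLogin page is doing in step 12, written out as an added example (this is not code from the thread, from foaf.me or from Toby's server): the verifier takes the RSA modulus and exponent out of the TLS client certificate, dereferences the WebID from the certificate's subjectAltName with the fragment removed, and accepts the login only if that document contains an rsa:RSAPublicKey whose cert:identity is the WebID and whose modulus and exponent are numerically equal to the certificate's. The profile document, URL and key values in the block are constructed; the HTTP fetch is left to the caller, which is also where the trust lives: whoever controls what is served at the SAN URL controls which keys are accepted for that WebID.

```python
"""Verifier-side FOAF+SSL (WebID) key check.

Added example, not code from the thread or from foaf.me.  The profile
document and the key values are constructed; the fetch of the profile
is left to the caller, so the check itself runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag, urljoin

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RSA = "http://www.w3.org/ns/auth/rsa#"
CERT = "http://www.w3.org/ns/auth/cert#"


def _component_value(elem):
    """Integer value of an rsa:modulus / rsa:public_exponent element.

    The cert ontology as used in the posted me.rdf carries the value in a
    cert:hex or cert:decimal attribute; later profiles put it in element
    text with an rdf:datatype.  cert:hex permits whitespace inside the
    literal, so a modulus wrapped over several lines still parses.
    """
    hex_text = elem.get(f"{{{CERT}}}hex")
    if hex_text is not None:
        return int("".join(hex_text.split()), 16)
    dec_text = elem.get(f"{{{CERT}}}decimal")
    if dec_text is not None:
        return int(dec_text.strip())
    datatype = elem.get(f"{{{RDF}}}datatype", "")
    text = elem.text or ""
    if datatype.endswith("#hex"):
        return int("".join(text.split()), 16)
    if datatype.endswith("#decimal") or datatype.endswith("#int"):
        return int(text.strip())
    raise ValueError(f"unsupported encoding for {elem.tag}")


def parse_profile_keys(profile_xml, doc_url):
    """Map each WebID in the profile to the (modulus, exponent) pairs the
    document claims for it.  doc_url is the fragment-free URL the document
    was actually fetched from: cert:identity rdf:resource="#me" is relative
    to it, so the same file served elsewhere describes a different WebID."""
    keys = {}
    for key in ET.fromstring(profile_xml).iter(f"{{{RSA}}}RSAPublicKey"):
        identity = key.find(f"{{{CERT}}}identity")
        modulus = key.find(f"{{{RSA}}}modulus")
        exponent = key.find(f"{{{RSA}}}public_exponent")
        if identity is None or modulus is None or exponent is None:
            continue  # incomplete key description: ignore it, never guess
        ref = identity.get(f"{{{RDF}}}resource")
        if ref is None:
            continue
        webid = urljoin(doc_url, ref)
        keys.setdefault(webid, []).append(
            (_component_value(modulus), _component_value(exponent)))
    return keys


def webid_key_matches(san_uri, cert_modulus_hex, cert_exponent_hex, profile_xml):
    """True iff the profile served for san_uri lists the certificate's key
    for exactly that WebID.  The comparison is numeric: "010001" and
    "10001" (both appear in the login report above) and a DER-style
    leading 00 byte on the modulus all denote the same key."""
    doc_url, _fragment = urldefrag(san_uri)
    cert_key = (int(cert_modulus_hex, 16), int(cert_exponent_hex, 16))
    return cert_key in parse_profile_keys(profile_xml, doc_url).get(san_uri, [])


# --- constructed sample data (not a real key, not Peter's profile) --------
SAMPLE_DOC_URL = "http://home.homepw.operaunite.com/a/content/me.rdf"
SAMPLE_WEBID = SAMPLE_DOC_URL + "#me"
SAMPLE_MODULUS = "D7F3A2C1B9E84F06A5C3D2E1F0B9A8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2A1"
# As a certificate tool prints the same number: leading 00 byte, lower case.
CERT_MODULUS_HEX = "00" + SAMPLE_MODULUS.lower()

# Profile in the shape of the posted me.rdf, modulus wrapped inside cert:hex.
SAMPLE_PROFILE = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="http://xmlns.com/foaf/0.1/"
         xmlns:rsa="{RSA}" xmlns:cert="{CERT}">
  <foaf:Person rdf:ID="me"><foaf:nick>homepw</foaf:nick></foaf:Person>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#me"/>
    <rsa:public_exponent cert:decimal="65537"/>
    <rsa:modulus cert:hex="{SAMPLE_MODULUS[:32]}
                           {SAMPLE_MODULUS[32:]}"/>
  </rsa:RSAPublicKey>
</rdf:RDF>"""


if __name__ == "__main__":
    ok = webid_key_matches(SAMPLE_WEBID, CERT_MODULUS_HEX, "010001", SAMPLE_PROFILE)
    print("login succeeded" if ok else "login failed", SAMPLE_WEBID)
```

Two things the posted report does not make explicit but the code has to get right: the key components are compared as integers, not as strings, otherwise the "010001" / "10001" pair in the report above would fail; and the WebID is resolved against the URL the document was fetched from, so a verifier must only ever pass in a document it retrieved from the SAN URL itself.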



More information about the foaf-protocols mailing list