On 9/22/14 10:47 AM, Frans Knibbe | Geodan wrote:
On 2014-09-22 13:01, Kingsley Idehen wrote:

On 9/22/14 4:06 AM, Frans Knibbe | Geodan wrote:

Hello,

I think I could use some help with enabling WebID as an authentication and security mechanism for VOS...

I have found several online documents about the subject, like http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLSecurityWebID. One thing I notice right away is that I am missing a tab /Linked Data -> Access Controls/ in the Conductor, when logged in as dba. Do I need to install any extra VAD packages to work with WebID?

The second step in the process seems to be to create an X.509 certificate. So I noticed the existence of a Certificate Generator hosted by Openlink: http://id.myopenlink.net/certgen/. As in all good research situations, I started experimenting on myself, so I have a URI that resolves to some data about me: http://lod.geodan.nl/org/frans_knibbe. I /think/ that should be a good WebID URI (by the way, the profile data are stored in Virtuoso). But when I enter this URI as a FOAF profile document URL it gets rejected with an error "Could not retrieve data from URL". Should I try to get a certificate some other way? Or could there be something wrong with my WebID URI?

Regards,
Frans

Frans,

See: http://linkeddata.uriburner.com:8000/vapour?uri=http%3A%2F%2Flod.geodan.nl%2Forg%2Ffrans_knibbe&validateRDF=1&defaultResponse=dontmind&userAgent=http%3A%2F%2Flinkeddata.uriburner.com%3A8000%2Fvapour%23this

<http://lod.geodan.nl/org/frans_knibbe> identifies a document. In that document there are no relations that associate the URI that identifies you with the URI that identifies the profile document, as shown by the vapor report page identified by the URI above.

You should add one of the following relations to the document to rectify this problem: foaf:primaryTopic, wdrs:isdescribedby, dcterms:subject.

Hello Kingsley,

Thank you. It appears I don't fully understand the way WebID works :-).
From what I gathered, the WebID URI should resolve to data about a person (an agent).
Yes i.e., a WebID identifies an instance of a foaf:Agent, for which a foaf:Person is a subclass. The above also implies that a WebID, when de-referenced, will resolve to a WebID-Profile document. In that profile document are RDF statements that describe the foaf:Agent identified by the WebID. This implies that when a WebID-TLS agent looks up a WebID, it needs to be presented with RDF content (from a document) where a cert:key relation associates WebID with a Public Key (used in the TLS handshake).
These data could be referenced in a profile, but is it really necessary for such a profile to exist?

I have now made a profile with URI http://lod.geodan.nl/org/profile_frans_knibbe. The profile data are linked to data about me via foaf:primaryTopic. So now I have

1) A foaf:PersonalProfileDocument identified by http://lod.geodan.nl/org/profile_frans_knibbe. I think this is the /WebID Profile URI/, in terms of this WebID specification <https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html>;
2) A foaf:Person identified by http://lod.geodan.nl/org/frans_knibbe. I suppose this is the /WebID URI/...

I could now use http://lod.geodan.nl/org/frans_knibbe (i.e. the WebID URI, not the WebID profile URI) to generate a certificate on http://id.myopenlink.net/certgen/. But I don't understand how it works.
Here's what's happening re. WebID-TLS (the authentication protocol).

1. You made a certificate using our cert. generator -- this generator successfully de-referenced your WebID (i.e., it was able to confirm that your WebID actually identifies an instance of a foaf:Agent)
2. The generator made an X.509 certificate that includes a WebID watermark by way of the WebID value it placed in the Subject Alternative Name field
3. When you then attempt to verify your WebID using a WebID-TLS compliant authentication service the triangulation described above is tested, as an extension to the usual TLS handshake i.e., the cert:key relation is looked up to see if the relation object matches the public key data used in the basic TLS handshake.
I have changed no data in http://lod.geodan.nl/org/frans_knibbe, and those data do not contain a reference to my profile. How did certificate generator know that a profile was published?
See my comments above :)

Also look at: http://bit.ly/enterprise-identity-management-and-attribute-based-access-controls (note: the full ABAC functionality is only part of our commercial edition).

Kingsley
Anyway, I now have a certificate, so I can continue.

Greetings,
Frans

--
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this

_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users

Frans Knibbe
Geodan
President Kennedylaan 1
1079 MB Amsterdam (NL)
T +31 (0)20 - 5711 347
E frans.kni...@geodan.nl
www.geodan.nl <http://www.geodan.nl> | disclaimer <http://www.geodan.nl/disclaimer>
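
Added example, not part of the original thread and not OpenLink's code: a minimal Python sketch of the check described in step 3 of the reply above, where the URI taken from the certificate's Subject Alternative Name is only accepted if the profile it resolves to carries a cert:key relation matching the public key used in the TLS handshake. It assumes the profile has already been fetched as N-Triples and the certificate's RSA modulus and exponent have already been extracted as integers; the function names, the example.org WebID and the key value are constructed for illustration.

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"
# One N-Triples statement: subject, predicate, object (IRI, blank node or literal).
TRIPLE = re.compile(
    r'^\s*(<[^>]*>|_:\w+)\s+<([^>]*)>\s+(<[^>]*>|_:\w+|"[^"]*")(?:\^\^<[^>]*>)?\s*\.\s*$')

def parse_ntriples(text):
    """Return (subject, predicate, object) tuples with <> and quotes stripped."""
    triples = []
    for line in text.splitlines():
        m = TRIPLE.match(line)
        if m:
            s, p, o = m.groups()
            triples.append((s.strip("<>"), p, o.strip('<>"')))
    return triples

def profile_keys(webid, triples):
    """(modulus, exponent) for every cert:key the profile asserts about webid."""
    keys = []
    for s, p, key_node in triples:
        if s != webid or p != CERT + "key":
            continue
        props = {pp: oo for ss, pp, oo in triples if ss == key_node}
        try:
            # Tolerate whitespace or colons inside the hexBinary modulus.
            modulus = int(re.sub(r"[\s:]", "", props[CERT + "modulus"]), 16)
            exponent = int(props[CERT + "exponent"])
        except (KeyError, ValueError):
            continue  # incomplete or malformed key description: ignore it
        keys.append((modulus, exponent))
    return keys

def webid_tls_check(san_uri, cert_modulus, cert_exponent, profile_text):
    """True only if the profile for san_uri lists the certificate's own public key."""
    return (cert_modulus, cert_exponent) in profile_keys(san_uri, parse_ntriples(profile_text))

# Constructed sample data (example.org names and the key value are made up).
WEBID = "https://example.org/people/alice#me"
PROFILE = """
<https://example.org/people/alice> <http://xmlns.com/foaf/0.1/primaryTopic> <https://example.org/people/alice#me> .
<https://example.org/people/alice#me> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "00c0ffee1234abcd"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""

if __name__ == "__main__":
    print(webid_tls_check(WEBID, 0x00C0FFEE1234ABCD, 65537, PROFILE))  # key matches
    print(webid_tls_check(WEBID, 0xDEADBEEF, 65537, PROFILE))          # same SAN, other key
```

A certificate that merely names someone else's WebID in its SAN fails the check, because the key it presents is not the one published in that person's profile; passing the profile document's URI instead of the agent's URI also fails, since no cert:key relation hangs off the document.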