This HTML5 document contains 50 embedded RDF statements represented using HTML+Microdata notation.

The embedded RDF content will be recognized by any processor of HTML5 Microdata.

Subject Item

n8:this

foaf:made

n2:VirtODSFOAFSSL

Subject Item

n6:this

sioc:creator_of

n2:VirtODSFOAFSSL

Subject Item

n25:item

n26:services_of

n2:VirtODSFOAFSSL

Subject Item

n12:this

sioc:creator_of

n2:VirtODSFOAFSSL

Subject Item

n18:VOS

sioc:container_of

n2:VirtODSFOAFSSL

atom:entry

n2:VirtODSFOAFSSL

atom:contains

n2:VirtODSFOAFSSL

Subject Item

n2:VirtPubSubHub

sioc:links_to

n2:VirtODSFOAFSSL

Subject Item

n2:VirtODSFOAFSSL

rdf:type

atom:Entry sioct:Comment

dcterms:created

2017-06-13T05:43:03.414145

dcterms:modified

2017-06-29T07:43:22.788279

rdfs:label

VirtODSFOAFSSL

foaf:maker

n4:this n8:this

dc:title

VirtODSFOAFSSL

opl:isDescribedUsing

n10:rdf

sioc:has_creator

n6:this n12:this

sioc:attachment

n23:png n24:png n27:png n28:png n29:png

sioc:content

---+FOAF+SSL Support in <nowiki>OpenLink</nowiki> Data Spaces ---++What? <b>FOAF+SSL</b> is an authentication and authorization protocol that links a ''[Web ID]'' or "[[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/GetAPersonalURIIn5MinutesOrLess][Personal URI]]" to a public key to create a global, decentralized, distributed, and secure authentication system that functions with existing browsers. FOAF+SSL uses PKI standards ? usually thought of as hierarchical trust management tools ? [[http://blogs.sun.com/bblfish/entry/foaf_ssl_pki_and_the][in a decentralized web-of-trust way]]. The web of trust is built using semantic web vocabularies (particularly [[http://www.foaf-project.org/][FOAF]]) published in RESTful manner to form [Linked Data]. Based on well known existing standards, FOAF+SSL is currently in development, and is being discussed on the [[http://lists.foaf-project.org/mailman/listinfo/foaf-protocols][FOAF protocols mailing list]]. For the most recent description of the protocol, read the one-page ''[[http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to][FOAF+SSL: Adding Security to Open Distributed Social Networks]]''. For a more detailed explanation of how the authentication works, see ''[[http://blogs.sun.com/bblfish/entry/more_on_authorization_in_foaf][FOAF+SSL: Creating a Web of Trust without Key Signing Parties]]''. ---++Why? Automatic discovery of interpersonal trust relationships enables automatic application of appropriate permissions. In other words, data owners can set fuzzy permissions like "only let my friends see this" or "only let my family edit this." Applications can discover the relationships between the data owner and the data requester/user, and permit (or disallow) any attempted actions, without needing the data owner to explicitly set permissions for each potential user. One example might be a parent setting permissions on a photo gallery, to permit viewing only by "immediate family". The parent need not list each and every such relative specifically for this application -- and need not add new permissions for a new family member (whether by marriage, birth, or otherwise), though they *do* need to be added to the owner's FOAF. When a new user comes and asks to see the pictures, the gallery application would check the relationships declared by each person (the owner and the visitor), and if they matched up (in other words, the visitor could not get in simply by *claiming* a family relationship; the relationship must be confirmed by the owner's FOAF data), the pictures would be shown. ---++How? ---+++ x.509 certificate The FOAF+SSL consumer needs an x509 certificate with v3 extension "Subject Alternate Name". This attribute is used for the owner's Web ID. For testing purposes we used OpenSSL demo CA to generate such certificates. If you are not using the OpenSSL demo CA, you must first setup a self-signed CA; read OpenSSL documents on how to do this. 1 Add the following line to the <code>[usr_cert]</code> section of the <code>openssl.cnf</code> file &mdash; <verbatim> subjectAltName=$ENV::ALTNAME </verbatim> 1 Set the environment variable <code>ALTNAME</code> to the owner's Web ID, e.g., <verbatim> export ALTNAME=URI:http://localhost/dataspace/person/myname#this </verbatim> 1 Make a self-signed certificate, e.g., <verbatim> $ CA.pl -newreq (follow the dialog) $ CA.pl -sign </verbatim> 1 When asked to commit the certificate, make sure you see several lines above, like &mdash; <verbatim> X509v3 Subject Alternative Name: URI:http://localhost/dataspace/person/myname#this </verbatim> 1 If your browser wants a <code>PKCS#12</code> bundle, you must make one &mdash; <verbatim> $ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out mycert.p12 </verbatim> 1 Rename <code>newcert.pem</code> and <code>newkey.pem</code>, to <code>mycert.pem</code> and <code>mykey.pem</code> for example. The PEM format of the certificate will be needed below. ---+++ Setting up Virtuoso HTTPS To enable the HTTPS listener, you will need another certificate. Existing certificates may not have Subject Alternate Name, so you may want to generate one as in the previous section. 1 The next step is to move <code>newcert.pem</code>, <code>newkey.pem</code>, and <code>cacert.pem</code> into the server's working directory. In our test case, we put the keys in a '<code>keys</code>' sub-directory, and added the following lines to the <code>[HTTPServer]<code> section of the Virtuoso INI file, <code>virtuoso.ini<code>: <verbatim> SSLPort = 4443 SSLCertificate = ./keys/localhost.cert.pem SSLPrivateKey = ./keys/localhost.key.pem X509ClientVerifyCAFile = ./keys/localhost.ca.pem X509ClientVerify = 1 X509ClientVerifyDepth = 15 </verbatim> 1 Also in the Virtuoso INI file, in the <code>[URIQA]<code> section, <code>DefaultHost</code> (<code>localhost:8890</code> below) must be edited to correspond to the DNS-resolvable host name ("CNAME") of the Virtuoso host, combined with the <code>ServerPort</code> as set in the <code>[HTTPServer]<code> section of the same INI file. <verbatim> [URIQA] DynamicLocal = 1 DefaultHost = localhost:8890 </verbatim> For instance, if the CNAME of the host is <code>virtuoso.example.com</code>, and the <code>ServerPort</code> is <code>4321</code>, the <code>DefaultHost</code> should be set to <code>virtuoso.example.com:4321</code> <verbatim> [URIQA] DynamicLocal = 1 DefaultHost = virtuoso.example.com:4321 </verbatim> 1 Start the Virtuoso server, and look at the log file. Once HTTPS is up, you should see something like &mdash; <verbatim> HTTPS Using X509 Client CA .... HTTPS/X509 server online at 4443 </verbatim> ---+++ Setting Up Firefox 1 In the Preferences dialog, open the Advanced tab, and click the "View certificates" button. %BR%%BR%<img src="%ATTACHURLPATH%/Picture_1.png" style="wikiautogen"/>%BR%%BR% 1 Click the "Add exception" button ,and enter the address of the HTTPS server you've just configured, i.e., https://virtuoso.example.com:4443/ 1 Click OK, and confirm the exception. %BR%%BR%<img src="%ATTACHURLPATH%/Picture_2.png" style="wikiautogen"/>%BR%%BR% 1 Click to the "Your Certificates" tab, and import <code>mycert.p12</code>. ---+++ Configuring ODS Account to use FOAF+SSL 1 Log in to your ODS account, and edit your profile. 1 Click to the Security Tab, and scroll to the bottom, where you will find the X.509 certificate entry area. 1 Copy & paste the PEM format of the certificate (i.e., the content of <code>mykey.pem</code>, from earlier). 1 Press "Save Certificate" button, and you are set. ---+++ Testing the setup To test, we recommend [[http://www.mozilla.com/firefox/][Firefox]] v3 with the [[https://addons.mozilla.org/en-US/firefox/addon/5596][Tabulator extension]]. Firefox must be set to ask for RDF, as instructed in the [[http://dig.csail.mit.edu/2007/tab/][Tabulator documentation]]. 1 Enter an ODS user's URI in the address bar, and the fun begins. 1 You should see a protected document's URI. Note that there is no specific "address" data seen: %BR%%BR%<img src="%ATTACHURLPATH%/Picture_3.png" style="wikiautogen"/>%BR%%BR% 1 When clicked, the browser will ask the user to select a certificate (note: certificate details are erased in picture below). %BR%%BR%<img src="%ATTACHURLPATH%/Picture_4.png" style="wikiautogen"/>%BR%%BR% 1 Now the protected document includes the private address data alongside the previously visible public data! %BR%%BR%<img src="%ATTACHURLPATH%/Picture_5.png" style="wikiautogen"/>%BR%%BR% ---+++ FOAF+SSL ACLs You can set FOAF+SSL ACLs from the [[VirtAuthServerUI][Virtuoso Authentication Server UI]]. A sample tutorial can be viewed [[VirtAuthFOAFSSLACL][here]].

sioc:id

ee63cba5e83967fb8d7b190ae7c37a2b

sioc:link

n2:VirtODSFOAFSSL

sioc:has_container

n18:VOS

n26:has_services

n25:item

atom:title

VirtODSFOAFSSL

sioc:links_to

n2:VirtAuthServerUI n7: n11:OpenSSL n11:ServerPort n13:GetAPersonalURIIn5MinutesOrLess n15:foaf-protocols n16:foaf_ssl_adding_security_to n16:foaf_ssl_pki_and_the n20: n11:DefaultHost n21: n2:VirtAuthFOAFSSLACL n31: n16:more_on_authorization_in_foaf n32:5596

atom:source

n18:VOS

atom:author

n8:this

atom:published

2017-06-13T05:43:03Z

atom:updated

2017-06-29T07:43:22Z

sioc:topic

n18:VOS