FOAF+SSL uses PKI standards ? usually thought of as hierarchical trust management tools ? in a decentralized web-of-trust way. The web of trust is built using semantic web vocabularies (particularly FOAF) published in RESTful manner to form [Linked Data].
Based on well known existing standards, FOAF+SSL is currently in development, and is being discussed on the FOAF protocols mailing list.
For the most recent description of the protocol, read the one-page ''FOAF+SSL: Adding Security to Open Distributed Social Networks''. For a more detailed explanation of how the authentication works, see ''FOAF+SSL: Creating a Web of Trust without Key Signing Parties''.
Automatic discovery of interpersonal trust relationships enables automatic application of appropriate permissions.
In other words, data owners can set fuzzy permissions like "only let my friends see this" or "only let my family edit this." Applications can discover the relationships between the data owner and the data requester/user, and permit (or disallow) any attempted actions, without needing the data owner to explicitly set permissions for each potential user.
One example might be a parent setting permissions on a photo gallery, to permit viewing only by "immediate family". The parent need not list each and every such relative specifically for this application -- and need not add new permissions for a new family member (whether by marriage, birth, or otherwise), though they do need to be added to the owner's FOAF. When a new user comes and asks to see the pictures, the gallery application would check the relationships declared by each person (the owner and the visitor), and if they matched up (in other words, the visitor could not get in simply by claiming a family relationship; the relationship must be confirmed by the owner's FOAF data), the pictures would be shown.
The FOAF+SSL consumer needs an x509 certificate with v3 extension "Subject Alternate Name". This attribute is used for the owner's Web ID. For testing purposes we used OpenSSL? demo CA to generate such certificates. If you are not using the OpenSSL? demo CA, you must first setup a self-signed CA; read OpenSSL? documents on how to do this.
[usr_cert]
section of the openssl.cnf
file —
subjectAltName=$ENV::ALTNAME
ALTNAME
to the owner's Web ID, e.g.,
export ALTNAME=URI:http://localhost/dataspace/person/myname#this
$ CA.pl -newreq (follow the dialog) $ CA.pl -sign
X509v3 Subject Alternative Name: URI:http://localhost/dataspace/person/myname#this
PKCS#12
bundle, you must make one —
$ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out mycert.p12
newcert.pem
and newkey.pem
, to mycert.pem
and mykey.pem
for example.
The PEM format of the certificate will be needed below.To enable the HTTPS listener, you will need another certificate. Existing certificates may not have Subject Alternate Name, so you may want to generate one as in the previous section.
newcert.pem
, newkey.pem
, and cacert.pem
into the server's working directory.
In our test case, we put the keys in a 'keys
' sub-directory, and added the following lines to the [HTTPServer] section of the Virtuoso INI file, virtuoso.ini:
SSLPort = 4443
SSLCertificate = ./keys/localhost.cert.pem
SSLPrivateKey = ./keys/localhost.key.pem
X509ClientVerifyCAFile = ./keys/localhost.ca.pem
X509ClientVerify = 1
X509ClientVerifyDepth = 15
[URIQA] section, DefaultHost?
(localhost:8890
below) must be edited to correspond to the DNS-resolvable host name ("CNAME") of the Virtuoso host, combined with the ServerPort?
as set in the [HTTPServer] section of the same INI file.
[URIQA]
DynamicLocal = 1
DefaultHost = localhost:8890
For instance, if the CNAME of the host is virtuoso.example.com
, and the ServerPort?
is 4321
, the DefaultHost?
should be set to virtuoso.example.com:4321
[URIQA]
DynamicLocal = 1
DefaultHost = virtuoso.example.com:4321
HTTPS Using X509 Client CA .... HTTPS/X509 server online at 4443
mycert.p12
.mykey.pem
, from earlier).
To test, we recommend Firefox v3 with the Tabulator extension. Firefox must be set to ask for RDF, as instructed in the Tabulator documentation.
You can set FOAF+SSL ACLs from the Virtuoso Authentication Server UI. A sample tutorial can be viewed here.