Software Agent & WebID Profile Document Creation

The OpenLink YouID certificate generation service ( http://id.myopenlink.net/youid/ ) can be used to create a Digital Identity for a local account or for one of the available social media user accounts, automatically providing a certificate and WebID profile document that can be used as the Software Agent for the application connection. Alternatively, organisations with their own certificate generation services or processes can use those instead; the key requirement is that a suitable WebID URL is associated with the SAN (Subject Alternative Name) attribute of the generated X.509 certificate.

The steps below outline how this can be done using the OpenLink YouID certificate generation service ( http://id.myopenlink.net/youid/ ) with a suitable WebID or social media login, i.e. Facebook in this case.

  1. Open the OpenLink YouID certificate generation service ( http://id.myopenlink.net/youid/ ) in a Web Browser and log in using one of the presented Single Sign-On (SSO) services for authentication (in this case we chose Facebook):

  2. Once authenticated click on the Create New Identity Card button to start the certificate generation process:

  3. The YouID Identity Card Generator page is presented:

     From which the following settings need to be made:
  • Set the Profile Data Provider option to WebID-Profile Document from the drop-down list box
  • Set the ID Card Storage Provider option to Manual Upload from the drop-down list box
  • Set the WebID option to the URL of a suitable Web-accessible document that you can edit
  • Set a password for the certificate

     Click on the Create Identity Card button to generate the certificate.

  4. The Web Scale Verifiable Digital Identity Card is presented:

     From where:

  • The p12 certificate file can be downloaded for use when authenticating.
  • The text of the generated public key, in N3/Turtle or any of the other supported formats, should be copied and pasted into the WebID-Profile Document specified in the previous step.

  5. Add the following content to the end of the WebID-Profile Document (https://id.myopenlink.net/DAV/home/hugh/YouID/WTD_id_myopenlink_net_hugh/facebook.ttl in this example) and save it:

## Profile Document combining credentials of Software Agent and Registered Users ##

## This document leverages the portability of relative hash-based HTTP URIs as Entity Identifiers ##

@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix oplacl: <http://www.openlinksw.com/ontology/acl#> .

## Software Agent Credentials ##
## <#identity> is the software agent's WebID, i.e. the object of oplacl:hasIdentityDelegate below ##

<#identity>
    foaf:name "A Software Agent" ;
    oplcert:onBehalfOf <#wtd> ;
    cert:key [
        a cert:RSAPublicKey ;
        cert:exponent "65537"^^xsd:integer ;
        ## cert:modulus "..."^^xsd:hexBinary : copy the modulus from the YouID-generated profile (not shown here) ##
    ] .

## User Credentials (OnBehalfOf relation participants) ##

<#wtd>
    oplacl:hasIdentityDelegate <#identity> .

Key Points

In the WebID-Profile Document the key points of note are that:

  1. It is being used as both the application software agent's and the delegating users' shared profile document. If separate delegating user profile documents are preferred, this can be done: the URL of each user's distinct profile document is simply pointed to by the oplcert:onBehalfOf property in the software agent's profile document, just as in the shared profile document example above. There is, however, a strong case for using a single document for ease of management.
  2. The oplcert:onBehalfOf attribute is used to reference the WebIDs (each contained within a user profile document) of the users on whose behalf the software agent is authenticating.
  3. The oplacl:hasIdentityDelegate attribute identifies the WebID of the software agent that acts as a delegate of connecting users, authenticating on their behalf. As indicated, the user WebIDs can be stored in separate user WebID profile documents if preferred.
  4. The cert:key attribute contains the public key of the software agent certificate, which is actually included (but not shown here) in its YouID auto-generated profile document, i.e. profile.ttl, and thus can be seen from the generated content. Particularly when separate software agent and user profile documents are used (but still required if a combined document is used), inclusion of the software agent's public key in the user profile document provides a critical validation check between the software agent and the delegating user who is authorising the OnBehalfOf connection.
  5. Only one public key is required. Irrespective of whether a single or separate profile documents are used, it or they contain just the public key of the software agent. When using WebID authentication delegation, the users being authenticated do not require a public/private key pair. They require only a WebID, which can be provided without needing TLS, for instance by one of the many third-party OAuth-based authentication services supported by VAL, and hence without needing a user key pair, so reducing the administration overhead when authenticating many users.
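The following is an added example, not OpenLink's or the page's own code, of the validation a relying party performs for points 2 to 4 above: the presenting certificate's key must match the cert:key published for the software agent's WebID, and a user counts as delegated only when the agent's oplcert:onBehalfOf claim is answered by that user's own oplacl:hasIdentityDelegate link back to the agent. The triples are constructed inline as a Turtle parser (for example rdflib) would yield them from the profile document above; the document URL, the extra user `<#other>` and the key values are assumed sample values.

```python
CERT = "http://www.w3.org/ns/auth/cert#"
OPLCERT = "http://www.openlinksw.com/schemas/cert#"
OPLACL = "http://www.openlinksw.com/ontology/acl#"

DOC = "https://example.org/profile.ttl"  # placeholder for the WebID-Profile Document URL
AGENT = DOC + "#identity"                  # software agent WebID (SAN of its certificate)
USER_OK = DOC + "#wtd"                     # user who published a reciprocal delegate link
USER_NO_CONSENT = DOC + "#other"           # claimed by the agent, but no reciprocal link

# Constructed sample key values; a real modulus comes from the YouID-generated profile.
SAMPLE_MODULUS = "00C0FFEE" * 4
SAMPLE_EXPONENT = 65537

# Triples as a Turtle parser would produce them from the combined profile document.
PROFILE = [
    (AGENT, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", SAMPLE_MODULUS),
    ("_:k1", CERT + "exponent", "65537"),
    (AGENT, OPLCERT + "onBehalfOf", USER_OK),
    (AGENT, OPLCERT + "onBehalfOf", USER_NO_CONSENT),
    (USER_OK, OPLACL + "hasIdentityDelegate", AGENT),
]


def objects(triples, subject, predicate):
    """All objects of (subject, predicate, ?) in the triple list."""
    return [o for (s, p, o) in triples if s == subject and p == predicate]


def key_matches(triples, webid, modulus_hex, exponent):
    """True if some cert:key of webid carries the certificate's modulus and exponent."""
    for key_node in objects(triples, webid, CERT + "key"):
        moduli = [m.lower().lstrip("0") for m in objects(triples, key_node, CERT + "modulus")]
        exponents = [int(e) for e in objects(triples, key_node, CERT + "exponent")]
        if modulus_hex.lower().lstrip("0") in moduli and exponent in exponents:
            return True
    return False


def delegated_users(triples, agent_webid, modulus_hex, exponent):
    """Users the agent may act for: the presented key must be the one published for
    the agent WebID, and each claimed user must point back with hasIdentityDelegate."""
    if not key_matches(triples, agent_webid, modulus_hex, exponent):
        return set()  # certificate key is not the one published for this WebID
    claimed = set(objects(triples, agent_webid, OPLCERT + "onBehalfOf"))
    return {u for u in claimed
            if agent_webid in objects(triples, u, OPLACL + "hasIdentityDelegate")}
```

With the sample profile, only `<#wtd>` is returned: `<#other>` is excluded because it never declared the agent as its delegate, and a certificate with a different modulus yields no delegated users at all.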