Archive for the ‘Security’ Category

Logging in with FOAF+SSL

Friday, April 17th, 2009

“FOAF+SSL is an authentication and authorization protocol that links a Web ID to a public key, thereby enabling a global, decentralized/distributed, and open yet secure social network.”

In my case my Web ID is http://www.3kbo.com/people/richard.hancock/foaf.rdf#i, the URI of my entry in my FOAF file.

A site using FOAF+SSL is Shout Box. Once a user has logged in to Shout Box and left a comment, Shout Box displays the user's Web ID alongside their comment.


A user logging in to Shout Box identifies themselves with a certificate stored in their browser. If a user has more than one certificate installed, they can choose from the list of certificates presented by the browser certificate manager (shown below for Firefox).

Selecting a certificate for a FOAF+SSL login is simpler and quicker than typing a user name and password.

The two obvious things a user needs in order to log in with FOAF+SSL are:

  • A Web ID, i.e. a URI such as the one above that identifies the user in a FOAF file.
  • An X509 certificate installed in the browser.

FOAF+SSL also requires:

  • A reference to the Web ID from the certificate. This is provided by setting the Web ID as the URI value of the “X509v3 Subject Alternative Name” extension.
  • The public key of the certificate published in the Web ID (FOAF file).

If the key published in the Web ID (FOAF file) matches the one contained in the certificate, the server can conclude that the person logging in is the owner of the Web ID: the TLS handshake has already proved that the client holds the private key for that certificate, and only someone who controls the FOAF document could have published the matching public key there. Because trust comes from the Web ID document rather than from a certificate authority, the certificate can be self-signed; the server must therefore fetch the FOAF document from the URI given in the certificate itself, and anyone who can alter that document (or the response to that fetch) can log in as that Web ID.

I can check the details of the certificate I have been using and see the reference to my Web ID by first opening the Firefox Certificate Manager (by pasting chrome://pippki/content/certManager.xul into the browser location bar). The Certificate Manager lists all the installed certificates.

To see more information about this certificate I select it, then click “View …” to get a dialog box with two tabs, “General” and “Details”. Selecting the “Details” tab and “Certificate Subject Alt Name” shows that my Web ID, http://www.3kbo.com/people/richard.hancock/foaf.rdf#i, is the value set for the “X509v3 Subject Alternative Name”.

An easy way to create an X509 certificate with a reference to a Web ID is to follow the steps outlined in Henry Story's article creating a foaf+ssl cert in a few clicks. I used this process to create the other two certificates shown above.

I created my main X509 certificate by following the steps outlined by Henry in his earlier article foaf+ssl: a first implementation. This gives a good programmatic understanding of what’s happening.

(The code is under active development, so if you try it and have problems then check out revision 468 to get the code that matches the article, i.e. svn checkout https://sommer.dev.java.net/svn/sommer/trunk sommer-r468 --username guest -r 468)

Using this approach the main tasks for setting up a user with FOAF+SSL are:

  • Running GenerateKey to create an X509 certificate, with an existing Web ID (the URI of your entry in your FOAF file) as the Subject Alternative Name.
  • Adding the RDF statements defining the public key to the FOAF file.
  • Adding the X509 certificate to the user's browser.

GenerateKey generates the RDF statements defining the public key in N3 format. If your FOAF file is in RDF/XML format like mine, then you need to convert them from N3 to RDF/XML.

Adding the following worked for me (the rsa and cert prefixes must be declared on the rdf:RDF root element of the FOAF file as xmlns:rsa="http://www.w3.org/ns/auth/rsa#" and xmlns:cert="http://www.w3.org/ns/auth/cert#", alongside the usual rdf prefix; the modulus is the hex form of the key from my certificate, and the identity reference #i points at my entry in the same file):

<rsa:RSAPublicKey>
  <cert:identity rdf:resource="#i"/>
  <rsa:public_exponent cert:decimal="65537"/>
  <rsa:modulus cert:hex="d258d85da71a4f1199cae5e8e18a5ffa9127d9796526299b746de9fdcbc1364e074dc143d0ebbd3d3890d7e95b8b4931e3798a7a8f8dbd3441927b6601fb504ca2a919a803e31a6112fea227102dc1424946fb92f8f651f3da855ec43e496f8e0098b596f33af80e7b86d831d46948e040a656f3f00a67b724ccfb55fa4660d3" />
</rsa:RSAPublicKey>
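As an added example (not code from this post or from Henry Story's sommer project), here is the server side of the check described earlier, written against the RDF/XML form just shown: it parses the rsa:RSAPublicKey statements, resolves the cert:identity reference against the Web ID, and compares the published modulus and exponent with the ones from the client certificate. The namespace URIs assumed for the rsa and cert prefixes are http://www.w3.org/ns/auth/rsa# and http://www.w3.org/ns/auth/cert#; the helper that pulls the subjectAltName URI and RSA numbers out of a PEM certificate assumes the cryptography package is installed. The FOAF document is constructed here around the modulus above, with a second key under a different identity (#j) to show that a key published for someone else in the same document must not be accepted.

```python
"""Server-side FOAF+SSL key check (added example, not code from the post).

After the TLS handshake has proved that the client holds the private key for
the certificate it presented, the server reads the Web ID from the
certificate's subjectAltName URI, fetches the FOAF document at that URI
(fetching not shown; any HTTP client will do) and checks that the document
publishes the certificate's RSA key for exactly that Web ID.
"""
import xml.etree.ElementTree as ET

# Namespace URIs assumed for the rdf:, rsa: and cert: prefixes used on the page.
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RSA = "http://www.w3.org/ns/auth/rsa#"
CERT = "http://www.w3.org/ns/auth/cert#"


def parse_foaf_keys(rdf_xml: str, document_uri: str) -> dict:
    """Map each cert:identity URI to the (modulus, exponent) pairs published
    for it, reading the rsa:RSAPublicKey / cert:hex / cert:decimal RDF/XML
    form shown on the page. References such as "#i" are resolved against
    document_uri."""
    keys = {}
    base = document_uri.split("#", 1)[0]
    for node in ET.fromstring(rdf_xml).iter(f"{{{RSA}}}RSAPublicKey"):
        ident = node.find(f"{{{CERT}}}identity")
        modulus = node.find(f"{{{RSA}}}modulus")
        exponent = node.find(f"{{{RSA}}}public_exponent")
        if ident is None or modulus is None or exponent is None:
            continue  # incomplete key description: ignore rather than guess
        who = ident.get(f"{{{RDF}}}resource", "")
        if who.startswith("#"):
            who = base + who
        try:
            # cert:hex may contain whitespace between digit groups; strip it.
            n = int("".join(modulus.get(f"{{{CERT}}}hex", "").split()), 16)
            e = int(exponent.get(f"{{{CERT}}}decimal", "").strip(), 10)
        except ValueError:
            continue  # malformed numbers: treat the key as not published
        keys.setdefault(who, []).append((n, e))
    return keys


def verify_webid(webid: str, cert_n: int, cert_e: int, rdf_xml: str) -> bool:
    """True only if the document lists exactly the certificate's key for the
    exact Web ID taken from the certificate. A key published for another
    identity in the same document does not count."""
    return (cert_n, cert_e) in parse_foaf_keys(rdf_xml, webid).get(webid, [])


def cert_webid_and_key(cert_pem: bytes):
    """Return (webid, n, e) from a PEM client certificate. Assumes the
    'cryptography' package; imported here so the checker above stays
    standard-library only."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    if len(uris) != 1:
        raise ValueError("expected exactly one URI subjectAltName (the Web ID)")
    numbers = cert.public_key().public_numbers()  # RSA keys only, as in FOAF+SSL
    return uris[0], numbers.n, numbers.e


# Constructed sample: the modulus from the page wrapped in a minimal FOAF
# document, plus a second key for a different identity (#j).
SAMPLE_WEBID = "http://www.3kbo.com/people/richard.hancock/foaf.rdf#i"
SAMPLE_MODULUS_HEX = (
    "d258d85da71a4f1199cae5e8e18a5ffa9127d9796526299b746de9fdcbc1364e"
    "074dc143d0ebbd3d3890d7e95b8b4931e3798a7a8f8dbd3441927b6601fb504c"
    "a2a919a803e31a6112fea227102dc1424946fb92f8f651f3da855ec43e496f8e"
    "0098b596f33af80e7b86d831d46948e040a656f3f00a67b724ccfb55fa4660d3"
)
SAMPLE_FOAF = f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:rsa="{RSA}" xmlns:cert="{CERT}"
         xmlns:foaf="http://xmlns.com/foaf/0.1/">
  <foaf:Person rdf:about="#i"/>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#i"/>
    <rsa:public_exponent cert:decimal="65537"/>
    <rsa:modulus cert:hex="{SAMPLE_MODULUS_HEX}"/>
  </rsa:RSAPublicKey>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#j"/>
    <rsa:public_exponent cert:decimal="3"/>
    <rsa:modulus cert:hex="c0 ff ee"/>
  </rsa:RSAPublicKey>
</rdf:RDF>
"""

if __name__ == "__main__":
    n = int(SAMPLE_MODULUS_HEX, 16)
    print("page key for #i:", verify_webid(SAMPLE_WEBID, n, 65537, SAMPLE_FOAF))
    print("wrong exponent :", verify_webid(SAMPLE_WEBID, n, 3, SAMPLE_FOAF))
    print("#j's key as #i :", verify_webid(SAMPLE_WEBID, 0xC0FFEE, 3, SAMPLE_FOAF))
```

Two things make this check meaningful. First, the Web ID must come from the certificate's subjectAltName, never from a form field the client fills in, and the FOAF document must be fetched from that URI; if it is served over plain HTTP, whoever can tamper with that fetch can pass the check, so an HTTPS Web ID is preferable. Second, the comparison is keyed on the exact identity URI, so a document that publishes many people's keys cannot be used to log in as one of them with another's certificate.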