Using a Blog Post with hCard inside, as an Identity Provider (IdP) Space for WebID

This post demonstrates how I can use a Blogspot-hosted blog post to store Identity oriented claims that mirror those in my local keychain-hosted X.509 certificate. Once in place, a WebID verifier can follow (de-reference) the WebID watermark of an X.509 certificate to the claims expressed using hCard.

The steps are as follows:

1. Write post -- this creates the placeholder for your claims

2. Publish post -- this gets you a URL for the location of your claims

3. Generate Certificate -- using a generator of your choice [1][2], generate an X.509 certificate with a WebID watermark in the subjectAlternativeName (subjectAltName) slot, using an HTTP-scheme URI of the form <{Blog-Post-Permalink}#this>, e.g., <http://kidehen.blogspot.com/2012/01/hcard-inside-post-as-identity-provider.html#this>.

4. Then return to your blog post and insert an hCard snippet that mirrors the identity claims in the X.509 certificate you've just generated. (See snippet template and example further down.)

5. Save and publish blog post.

6. Use a WebID verifier [3][4] to verify your WebID, i.e., check your Blog post for the claims made in your X.509 certificate (specifically, that your WebID identifies the Subject of the Certificate).

7. Done!

hCard Template:

<div id="hcard" class="vcard">
<a class="url fn" href="{WebID}">@kidehen(BrowerID 2)</a>
<a class="email" href="{mailto: URI}">{Email-Address}</a>
<a class="key" href="{data: URI for Public Key in DER}">Public Key</a>
<a class="key" href="{Certificate URL}">Public Key Ref</a>
</div>

Actual hCard Snippet

The snippet below shows the hCard microformats embedded in the Blogspot-hosted post at <http://kidehen.blogspot.com/2012/01/hcard-inside-post-as-identity-provider.html>. You can use the "view source" action in your HTML Web browser to see it:

<div class="vcard" id="hcard">
<a class="url fn" href="http://kidehen.blogspot.com/2012/01/hcard-inside-post-as-identity-provider.html#this">Kingsley Uyi Idehen (hCard via BlogSpot)</a>
<a class="email" href="mailto:kidehen@openlinksw.com">kidehen@openlinksw.com</a>
<a class="key" href="data:application/x-x509-user-cert;base64,MIIEjjCCA/egAwIBAgICAQQwDQYJKoZIhvcNAQENBQAwdjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAcBgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVubGluay5uZXQwHhcNMTIwMTE5MjI0ODExWhcNMTMwMTE4MjI0ODExWjB6MTEwLwYDVQQDEyhLaW5nc2xleSBVeWkgSWRlaGVuIChoQ2FyZCB2aWEgQmxvZ1Nwb3QpMR4wHAYDVQQKExVBIFBlcnNvbmFsIERhdGEgU3BhY2UxJTAjBgkqhkiG9w0BCQEWFmtpZGVoZW5Ab3Blbmxpbmtzdy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmbBp4K9jmYvO6zDuCnpU5df8SII2HmrfO6pyllHo32nI3p9kwPoenI8Tz7xiNCVXX5S0qPd8VuEvJnuv46+UHequ75stqJ11jvRi5sp2SOYN5ZD+ZvCAQtUKikfxE/FmPFVUig3ASGu9uzOmMxdQ9eiEcyVnkT1a4LZScQImTr9sifYRW5+WLWJdZ1gtuf6/dID9UFwndkAiuMXuFVqjRI5XeukC1f2cyf1Vod/RK9m2ijACeGDyB0WtQ3vm1UYFLe4gnNz7jFI+t68QvaSQg1z79sVxbPbHjoKRxyG1eunqOl6/76QI78SKmUxN/uiGoMukrBXX+PnludGkqH/SXAgMBAAGjggGhMIIBnTAdBgNVHQ4EFgQUYxXI4umWUEMG1tPOgmB+ZwqxyLgwdwYDVR0RBHAwboZUaHR0cDovL2tpZGVoZW4uYmxvZ3Nwb3QuY29tLzIwMTIvMDEvaGNhcmQtaW5zaWRlLXBvc3QtYXMtaWRlbnRpdHktcHJvdmlkZXIuaHRtbCN0aGlzgRZraWRlaGVuQG9wZW5saW5rc3cuY29tMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwgaEGA1UdIwSBmTCBloAUYxXI4umWUEMG1tPOgmB+ZwqxyLiheqR4MHYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRMwEQYDVQQHFApCdXJsaW5ndG9uMR4wHAYDVQQKFBVPcGVubGluayBTb2Z0d2FyZSBJbmMxGjAYBgNVBAMUEWlkLm15b3BlbmxpbmsubmV0ggIBBDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBDQUAA4GBACiRhrAaJTfi+hCR++/DGiW34vzu82Ndf7BCyDl6OCxpQH2hTsZlxWOMNgEvvysE1V8lhYqMXmsXl30Ql1u+Z+XRaYA3Fnc1SguWEOca28nL6DaB4aHBH9o+IMde8YRVW6otMD+Fys6tvCFiaWbiOwXG8PcVqYhtT68pdy5Kdfpb">Public Key</a>
</div>
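The verification step (step 6 above) in code: an added example, not the post's own verifier or any of the tools it links. It dereferences the WebID from the certificate's subjectAltName, pulls the hCard "url fn" and "key" links out of the page, and accepts only when the hCard names that exact WebID and its data: URI carries the same DER bytes as the certificate presented. The page content, the DER blob and the fetch function are constructed stand-ins (a real verifier would GET the post over HTTP and, for a key-only data: URI, compare the public key rather than the whole certificate).

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag

class HCardLinks(HTMLParser):
    """Collects the hCard 'url fn' (WebID) and 'key' hrefs from an HTML page."""
    def __init__(self):
        super().__init__()
        self.webids, self.keys = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if tag != "a" or not a.get("href"):
            return
        if "url" in classes and "fn" in classes:
            self.webids.append(a["href"])
        if "key" in classes:
            self.keys.append(a["href"])

def decode_key_data_uri(href):
    """Returns the DER bytes of a 'data:<type>;base64,<payload>' href, or None for other hrefs."""
    if not href.startswith("data:") or ";base64," not in href:
        return None
    return base64.b64decode(href.split(";base64,", 1)[1])

def verify_webid(san_uri, presented_der, fetch):
    """Dereference the SAN URI; confirm the hCard claims that WebID and publishes the same DER bytes."""
    document_url, fragment = urldefrag(san_uri)
    if not fragment:
        return False, "WebID has no fragment, so it cannot denote a subject inside the page"
    parser = HCardLinks()
    parser.feed(fetch(document_url))
    if san_uri not in parser.webids:
        return False, "hCard 'url fn' does not name the WebID in the certificate"
    presented = hashlib.sha256(presented_der).digest()
    for href in parser.keys:
        der = decode_key_data_uri(href)
        if der is not None and hashlib.sha256(der).digest() == presented:
            return True, "ok"
    return False, "no hCard key matches the presented certificate"

# Constructed sample: a stand-in DER blob (not a real certificate) and a page carrying the hCard.
WEBID = "http://blog.example/2012/01/hcard-post.html#this"
CERT_DER = b"\x30\x82\x00\x10constructed-der-stand-in"
PAGE = ('<html><body><p>Post text.</p><div id="hcard" class="vcard">'
        f'<a class="url fn" href="{WEBID}">Example Person</a>'
        '<a class="email" href="mailto:person@example">person@example</a>'
        '<a class="key" href="data:application/x-x509-user-cert;base64,'
        + base64.b64encode(CERT_DER).decode() + '">Public Key</a></div></body></html>')

def fake_fetch(url):
    """Offline stand-in for the HTTP GET of the blog post."""
    return PAGE if url == "http://blog.example/2012/01/hcard-post.html" else ""
```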

WebID Verifier Support

Will any WebID verifier work with Identity claims expressed in hCard?

No; the WebID verifier must be able to convert hCard microformats to an RDF-based (i.e., EAV + URIs) directed graph, en route to verifying the mirrored claims.

You can get around this limitation by producing a proxy URI via a Linked Data proxy service (e.g., URIBurner or any other Virtuoso instance that has its Linked Data middleware component enabled). You can then watermark your X.509 certificate by setting the WebID in the subjectAlternativeName (SAN) slot to the proxy URI.

You can use the following pattern to produce a proxy URI via our URIBurner service or any Virtuoso instance:

<http://{virtuoso-host}/about/id/entity/{URIscheme}/{authority}/{local-path}>

For example:

<http://linkeddata.uriburner.com/about/id/entity/http/kidehen.blogspot.com/2012/01/hcard-inside-post-as-identity-provider.html#hcard>

or

<http://id.myopenlink.net/about/id/entity/http/kidehen.blogspot.com/2012/01/hcardwebid-identity-provider-test.html>


Related

1. URIBurner Service -- <http://uriburner.com>

2. How Virtuoso's Sponger Middleware Works -- <http://uriburner.com/sponger_architecture.vsp#how_it_works>

3. Simple WebID verifier -- <http://id.myopenlink.net/ods/webid_demo.vsp>

4. Other WebID verifiers (ping me if you know of a verifier missing from the list!) -- <http://delicious.com/kidehen/webid_verifier>

5. Simple X.509 Certificate Generator that includes proxy services to Web 2.0 Identity Providers -- <http://id.myopenlink.net/certgen/>

6. Other WebID based Identity Providers (IdPs) -- <http://delicious.com/kidehen/webid_idp>