The Sun BabelFish Blog
Don't panic !
November 2nd: Join the Social Web Camp in Santa Clara
The W3C Social Web Incubator Group is organizing a free Bar Camp at the Santa Clara Sun Campus on November 2nd to foster a wide-ranging discussion on the issues that need to be addressed to build the global Social Web.
Imagine a world where everybody could participate easily in a distributed yet secure social web. In such a world every individual would control their own information, and every business could enter into a conversation with customers, researchers, government agencies and partners as easily as they can now start a conversation with someone on Facebook. What is needed to go in the direction of The Internet of Subjects Manifesto? What existing technologies can we build on? What is missing? What could the W3C contribute? What could others do? To participate in the discussion, meet other people with similar interests, and push the discussion further, visit the Santa Clara Social Web Camp wiki and
If you are looking for a reason to be in the Bay Area that week, then here are some other events you can combine with coming to the Bar Camp:
- The W3C is meeting in Santa Clara for its Technical Plenary that week.
- The following day, the Internet Identity Workshop is taking place in Mountain View until the end of the week. Go there to push the discussion further by meeting up with the OpenId, OAuth and Liberty crowds; these are all technologies that can participate in the development of the Social Web.
- You may also want to check out ApacheCon which is also taking place that week.
If you can't come to the west coast at all due to budget cuts, then not all is lost. :-) If you are on the East coast, go and participate in the ISWC Building Semantic Web Applications for Government tutorial, and watch my video on The Social Web which I gave at the Free and Open Source Conference this summer. Think: if the government wants to play with Social Networks, it certainly cannot put all its citizens' information on Facebook.
Posted at 12:35AM Oct 16, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[0]
One month of Social Web talks in Paris
As I was in Berlin preparing to come to Paris, I wondered if I would be anywhere near as active in France as I had been in Germany. I had lived for 5 years in Fontainebleau, an hour from Paris, close but just too far to be in the swing of things. And from that position, I got very little feel for what was happening in the capital. This is what had made me long to live in Paris. So this was the occasion to test it out: I was going to spend one month in the capital. On my agenda there was just a Social Web Bar Camp and a few good contacts.
The Social Web Bar Camp at La Cantine, which I blogged about in detail, was like a powder keg for my stay here. It launched the whole next month of talks, which I detail below. It led me to make a very wide range of contacts, which in turn led to my giving talks at 2 major conferences, 2 universities and one other Bar Camp, presenting to a couple of companies, getting one implementation of foaf+ssl in Drupal, and meeting a lot of great people.
Through other contacts, I also had an interview with a journalist from Le Monde, and met the very interesting European citizen journalism agency Cafe Babel (for more on them see this article).
Here follows a short summary of each event at which I presented the Social Web during my short stay in Paris.
- Friday, 18 September 2009
- Arrived by plane from Berlin, and met the journalists at the Paris offices of Cafe Babel, after reading an article on them in the July/August issue of Internationale Politik, "Europa aus Erster Hand".
- Saturday, 19 September 2009
- Went to the Social Web Bar Camp at La Cantine, which I blogged about in detail. Here I met many people, who connected me up with the right people in the Paris conference scene, where I was then able to present. A couple of these did not work out due to calendar clashes, such as an attempted meeting with engineers and users of Elgg, a distributed Open Source Social Networking Platform popular at universities here in France and in the UK.
- Monday, 21 September 2009
- Visited the offices of Le Monde, and had lunch with a journalist there. I explained my vision of the Social Web and the functioning of foaf+ssl. He won't be writing about it directly, he told me, but will develop these ideas over time in a number of articles. (I'll post updates here, though it is sadly very difficult to link to articles in Le Monde, as they change the URLs for their articles, make them paying-only after a period of time, and then don't even make an abstract available for non-paying members.)
- Friday, 25 September 2009
- I visited the new offices of af83.com, a startup with a history: they participated in the building of the web site of Ségolène Royal, the contender against Nicolas Sarkozy during the last French Presidential Elections.
There I met up with Damien Tournoud, an expert Drupal developer, explained the basics of foaf+ssl, pointed him to the Open Source project foaf.me, and let him work on it. With a bit of help from Benjamin Nowack, the creator of the ARC2 Semantic Web library for PHP, Damien had a working implementation the next day. We waited a bit before announcing it the following Wednesday on the foaf-protocols mailing list.
- Tuesday 29 September, 2009
- La Cantine organised another Bar Camp, on a wide range of topics, which I blogged about in detail. There I met people from Google and Firefox, and reconnected with others. We also had a more open round table discussion on the Social Web.
- Thursday 1st and Friday 2nd October, 2009
- I visited the Open World Forum, which started among others with a track on the Semantic Desktop "Envisioning the Open Desktop of the future", headed by Prof Stefan Decker, with examples of implementations in the latest KDE (K Desktop Environment).
I met a lot of people here, including Eric Mahé, previously Technology Advisor at Sun Microsystems France. In fact I met so many people that I missed most of the talks. One really interesting presentation, by someone from a major open source code search engine, explained that close to 60% of Open Source software came from Eastern and Western Europe combined. (Anyone with a link to the talk?)
- Saturday, 3rd October 2009
- I presented The Social Web in French at the Open Source Developer Conference France which took place in La Villette.
I was really happily surprised to find that I was part of a 3 hour track dedicated to the Semantic Web. This started with a talk by Oliver Berger, "Bugtracking sur le web sémantique". Oliver has been working on the Baetle ontology as part of the 2 year government financed HELIOS project. This is something I talked about a couple of years ago and wrote about here in my presentation Connecting Software and People. It is really nice to see this evolving. I really look forward to seeing the first implementations :-)
Oliver's was followed by a talk by Jean-Marc Vanel, Software and Ontology Development, which introduced many of the key Semantic Web concepts.
- Tuesday 6th October, morning
- Milan Stankovitch whom I had met at the European Semantic Web Conference, and again at the Social Web Bar Camp, invited me to talk to the developers of hypios.com, a very interesting web platform to help problem seekers find problem solvers. The introductory video is really worth watching. I gave them the talk I keep presenting, but with a special focus on how this could help them in the longer term make it easier for people to join and use their system.
- Tuesday 6th September, afternoon
- I talked and participated in a couple of round table discussions at the 2nd Project Accelerator on Identity at the University of Paris 1, organised by the FING. Perhaps the most interesting talk there was the one by François Hodierne, who works for the Open Source Web Applications & Platforms company h6e.net, and who presented the excellent project La Distribution, whose aim is to make installing the most popular web applications as easy as installing an app on the iPhone. This is the type of software needed to make The Internet of Subjects Manifesto a reality. In a few clicks everyone should be able to get a domain name, install their favorite web software on it - Wordpress, mail, wikis, social network, photo publishing tool - and get on with their life, whilst owning their data, so that if they later find the need to move, they can, and so that nobody can kick them off their network. This will require rewriting each of the applications a little, so as to enable them to work with the distributed secure Social Web made possible by foaf+ssl: an application without a social network is no longer very valuable.
- Thursday 9th October, 2009
- Pierre Antoine Champin from the CNRS, the National French Research organisation, had invited me to Lyon to present The Social Web. So I took the TGV from Paris at 10:54 and was there 2 hours later, which by car would have been a distance of 464km (288.3 miles) according to Google Maps. The talk was very well attended, with close to 50 students showing up, and the session lasted two full hours: 1 hour of talk followed by many good questions.
After a chat and a few beers, I took the train back to Paris, where the train arrived just after 10pm.
- Saturday October 10, 2009
- I gave a talk on the Social Web at Paris-Web, on the last day of a 3 day conference. This again went very well.
After lunch I attended two very good talks that complemented mine perfectly:
- David Larlet had a great presentation on Data Portability, which sparked a very lively and interesting discussion. Issues of data ownership, security, confidentiality, and centralization versus decentralization came up. One of his slides made the point very well, by showing the number of Web 2.0 sites that no longer exist, some of them having disappeared by acquisition, others simply through technical meltdown, leaving the data of all their users lost forever. (Also see David's blog summary of Paris-Web.)
- Right after coffee we had a great presentation on the Semantic Web by Fabien Gandon, who managed, in the limited amount of time available to him, to give an overview of the Semantic Web stack from bottom to top, including OWL 1 and 2, Microformats, RDFa, and Linked Data, and various very cool applications of it, so that even I learned a lot. His slides are available here. He certainly inspired a lot of people.
- Tuesday, 13 October 2009
- Finally I presented at the hacker space La suite Logique, which meets in a very well organized, very low cost lodging space in Paris. They had presentations on a number of projects happening there:
- One project is to build a grid by taking pieces from the remains of computers that people have brought them. They have a room stashed full of those.
- Another project is to add wifi to the lighting, to remotely control the projectors for theatrical events taking place there.
- There was some discussion on how to add sensors to dancers, as Daito Manabe, a Japanese artist, has done, in order to create a high tech butoh dance (see the great online videos).
- Three engineers presented the robots they are constructing for a well known robot fighting competition.
Posted at 07:16PM Oct 12, 2009 [permalink/trackback] by Henry Story in travel | Comments[0]
Sketch of a RESTful photo Printing service with foaf+ssl
Let us imagine a future where you own your data. It's all on a server you control, under a domain name you own, hosted at home, in your garage, or on some cloud somewhere. Just as your OS gets updates, so all your server software will be updated, and patched automatically. The user interface for installing applications may be as easy as installing an app on the iPhone ( as La Distribution is doing).
A few years back, with one click, you installed a myPhoto service, a distributed version of fotopedia. You have been uploading all your work, social, and personal photos there. These services have become really popular and all your friends are working the same way too. When your friends visit you, they are automatically and seamlessly recognized using foaf+ssl in one click. They can browse the photos you made with them, share interesting tidbits, and more... When you organize a party, you can put up a wiki where friends of your friends have write access, leave notes as to what they are going to bring, and whether or not they are coming. Similarly your colleagues have access to your calendar schedule, your work documents and your business related photos. Your extended family, defined through linked data describing family relationships (every member of your family just needs to describe their relation to their close family network), can see photos of your family, see the videos of your newborn baby, organize Christmas reunions, and tag photos.
One day you wish to print a few photos. So you go to a web site we will provisionally call print.com. Print.com is neither a friend of yours, nor a colleague, nor family. It is just a company, and so it gets minimal access to the content on your web server. It can't see your photos, and all it may know of you is a nickname you like to use, and perhaps an icon you like. So how are you going to allow print.com access to the photos you wish to print? This is what I would like to try to sketch a solution for here. It should be very simple, RESTful, and work in a distributed and decentralized environment, where everyone owns and controls their data, and is security conscious.
Before looking at the details of the interactions detailed in the UML Sequence diagram below, let me describe the user experience at a general level.
- You go to print.com site after clicking on a link a friend of your suggested on a blog. On the home web page is a button you can click to add your photos.
- You click it, and your browser asks you which WebID you wish to use to identify yourself. You choose your personal ID, as you wish to print some personal photos of yours. Having done that, you are authenticated, and print.com welcomes you using your nickname and displays your icon on the resulting page.
- When you click a button that says "Give Print.com access to the pictures you wish us to print", a new frame is opened on your web site.
- This frame displays a page from your server, where you are already logged in. The page recognizes you and asks if you want to give print.com access to some of your content. It gives you information about print.com's current stock value on NASDAQ, and recent news stories about the company. There is a link to more information, which you don't bother exploring right now.
- You agree to give Print.com access, but only for 1 hour.
- When your web site asks you which content you want to give it access to, you select the pictures you would like it to have. Your server knows how to do content negotiation, so even though copying each one of the pictures over is feasible, you'd rather give print.com access to the photos directly, and let the two servers negotiate the best representation to use.
- Having done that you drag and drop an icon representing the set of photos you chose from this frame to a printing icon on the print.com frame.
- Print.com thanks you, shows you icons of the pictures you wish to print, and tells you that the photos will be on their way to the address of your choosing within 2 hours.
In more detail then we have the following interactions:
- Your browser GETs print.com's home page, which returns a page with a "publish my photos" button.
- You click the button, which starts the foaf+ssl handshake. The initial ssl connection requests a client certificate, which leads your browser to ask for your WebID in a nice popup as the iPhone can currently do. Print.com then dereferences your WebId in (2a) to verify that the public key in the certificate is indeed correct. Your WebId (Joe's foaf file) contains information about you, your public keys, and a relation to your contact addition service. Perhaps something like the following:
:me xxx:contactRegistration </addContact> .
Print.com uses this information when it creates the resulting html page to point you to your server.
- When you click the "Give Print.com access to the pictures you wish us to print" button, you are sending a POST form to the <addContact> resource on your server, with the WebId of Print.com, <https://nasdaq.com/co/PRNT#co>, in the body of the POST. The results of this POST are displayed in a new frame.
- Your web server dereferences Print.com's WebId, where it gets some information about the company from the NASDAQ URL. Your server puts this information together (4a) in the html it returns to you, asking what kind of access you want to give this company, and for how long you wish to give it.
- You give print.com access for 1 hour by filling in the forms.
- You give access rights to Print.com to your individual pictures using the excellent user interface available to you on your server.
- When you drag and drop the resulting icon depicting the collection of the photos accessible to Print.com, onto its "Print" icon in the other frame - which is possible with html5 - your browser sends off a request to the printing server with that URL.
- Print.com dereferences that URL which is a collection of photos it now has access to, and which it downloads one by one. Print.com had access to the photos on your server after having been authenticated with its WebId using foaf+ssl. (note: your server did not need to GET print.com's foaf file, as it still had a fresh version in its cache). Print.com builds small icons of your photos, which it puts up on its server, and then links to in the resulting html before showing you the result. You can click on those previews to get an idea what you will get printed.
So all the above requires very little in addition to foaf+ssl. Just one relation, to point to a contact-addition POST endpoint. The rest is just good user interface design.
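The server side of the sketch above, as an added example in Python that is not code from the post: the time-limited grant created by the POST to the contact-addition endpoint, the per-picture selection, the collection URL that print.com dereferences, and the check run on each photo GET. Class and method names, and the photo URLs, are assumptions made for the example; the requester's WebId is taken to have already been verified by foaf+ssl.

```python
# Model of the access a photo owner's server hands to a contact such as print.com.
# Constructed for this example; names and URLs are assumptions, not the post's design.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
from urllib.parse import quote, unquote


@dataclass
class ContactGrant:
    contact_webid: str             # e.g. <https://nasdaq.com/co/PRNT#co>, verified via foaf+ssl
    expires_at: datetime           # the owner chose the duration (1 hour in the sketch)
    photos: Set[str] = field(default_factory=set)   # photo URLs on the owner's server


class PhotoServer:
    def __init__(self, base: str = "https://joe.example/"):
        self.base = base
        self._grants: Dict[str, ContactGrant] = {}

    def add_contact(self, owner_logged_in: bool, contact_webid: str,
                    duration: timedelta, now: datetime) -> Optional[ContactGrant]:
        """POST to the contact-addition resource: only the logged-in owner may create a
        grant, and the grant always carries an expiry, never open-ended access."""
        if not owner_logged_in or duration <= timedelta(0):
            return None
        grant = ContactGrant(contact_webid, now + duration)
        self._grants[contact_webid] = grant
        return grant

    def share_photo(self, contact_webid: str, photo_url: str) -> bool:
        """The owner picks an individual picture for this contact; only resources on
        this server can be granted, so a grant can never point outside it."""
        grant = self._grants.get(contact_webid)
        if grant is None or not photo_url.startswith(self.base):
            return False
        grant.photos.add(photo_url)
        return True

    def collection_url(self, contact_webid: str) -> str:
        """The URL behind the icon dragged onto the contact's "Print" frame."""
        return f"{self.base}shared/for/{quote(contact_webid, safe='')}"

    def _live_grant(self, requester: Optional[str], now: datetime) -> Optional[ContactGrant]:
        if requester is None:              # no authenticated WebId: anonymous, nothing shared
            return None
        grant = self._grants.get(requester)
        if grant is None:
            return None
        if now >= grant.expires_at:        # expired: forget it rather than leave it around
            del self._grants[requester]
            return None
        return grant

    def get_collection(self, requester: Optional[str], url: str, now: datetime) -> Optional[List[str]]:
        """GET on the collection URL: the requester must be the contact the collection
        was made for, so one contact cannot read what another was granted."""
        prefix = f"{self.base}shared/for/"
        if not url.startswith(prefix) or requester != unquote(url[len(prefix):]):
            return None
        grant = self._live_grant(requester, now)
        return sorted(grant.photos) if grant else None

    def may_read_photo(self, requester: Optional[str], photo_url: str, now: datetime) -> bool:
        """GET on a single photo: authenticated, unexpired, and this photo was listed."""
        grant = self._live_grant(requester, now)
        return grant is not None and photo_url in grant.photos
```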
What do you think? Have I forgotten something obvious here? Is there something that won't work? Comment on this here, or on the foaf-protocols mailing list.
Notes

print.com sequence diagram by Henry Story is licensed under a Creative Commons Attribution 3.0 United States License.
Based on a work at blogs.sun.com.
Posted at 09:15PM Oct 07, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[0]
RDFa parser for Sesame
RDFa is the microformat-inspired standard for embedding semantic web relations directly into (X)HTML. It is being used more and more widely, and we are starting to have foaf+ssl annotated web pages, such as Alexandre Passant's home page. This is forcing me to update my foaf+ssl Identity Provider to support RDFa.
The problem was that I have been using Sesame as my semweb toolkit, and there was no RDFa parser for it. Luckily I found out that Damian Steer (aka Shellac) had written a SAX-based RDFa parser for the HP Jena toolkit, which he had put up on the java-rdfa github server. With a bit of help from Damian and the Sesame team, I adapted the code to Sesame, created a git fork of the initial project, and uploaded the changes to the bblfish java-rdfa git clone. Currently all but three of the 106 tests pass without problem.
To try this out get git, Linus Torvalds' distributed version control system (read the book), and on a unix system run:
$ git clone git://github.com/bblfish/java-rdfa.git
This will download the whole history of changes of this project, so you will be able to see how I moved from Shellac's code to the Sesame rdfa parser. You can then parse Alex's home page, by running the following on the command line (thanks a lot to Sands Fish for the Maven tip in his comment to this blog):
$ mvn exec:java -Dexec.mainClass="rdfa.parse" -Dexec.args="http://apassant.net/"
[snip output of sesame-java-rdfa compilation]
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix geo: <http://www.geonames.org/ontology/> .
@prefix rel: <http://purl.org/vocab/relationship/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix rsa: <http://www.w3.org/ns/auth/rsa#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
<http://apassant.net/> <http://www.w3.org/1999/xhtml/vocab#icon> <http://apassant.net/misc/favicon.ico> ;
<http://www.w3.org/1999/xhtml/vocab#stylesheet> <http://apassant.net/sites/apassant.net/files/css/css_84042a598208a6aade8783e8c2937a8c.css> ,
<http://apassant.net/sites/apassant.net/files/css/css_ba2732162a421c6422a6f5a68742254e.css> .
<http://apassant.net/#id> rdfs:label "About"@en .
<http://apassant.net/alex> a foaf:Person ;
foaf:name "Alexandre Passant"@en ;
foaf:workplaceHomepage <http://deri.ie> ,
<http://nuigalway.ie> ;
foaf:schoolHomepage <http://paris-sorbonne.fr> ,
<http://dauphine.fr> ;
foaf:topic_interest <http://dbpedia.org/page/Social_software_%28computer_software%29> ,
<http://dbpedia.org/resource/Semantic_Web> ;
foaf:currentProject <http://www.w3.org/2009/sparql/wiki/> ,
<http://www.w3.org/2005/Incubator/socialweb/> ;
<http://purl.org/vocab/bio/0.1/olb> """
\nDr. Alexandre Passant is a postdoctoral researcher at the Digital Enterprise Research Institute, National University
of Ireland, Galway. His research activities focus around the Semantic Web and Social Software: in particular, how these
fields can interact with and benefit from each other in order to provide a socially-enabled machine-readable Web,
leading to new services and paradigms for end-users. Prior to joining DERI, he was a PhD student at Université
Paris-Sorbonne and carried out applied research work on \"Semantic Web technologies for Enterprise 2.0\" at
Electricité De France. He is the co-author of SIOC, a model to represent the activities of online communities on the
Semantic Web, the author of MOAT, a framework to let people tag their content using Semantic Web technologies, and
is also involved in various related applications as well as standardization activities.\n"""@en ;
foaf:based_near <http://dbpedia.org/resource/Galway> ;
geo:locatedIn <http://dbpedia.org/resource/Galway> ;
rel:spouseOf <http://julie.letierce.net/#id> ;
foaf:holdsAccount <http://www.flickr.com/people/terraces/> ,
<http://www.linkedin.com/pub/alexandre-passant/1/797/1ab> ,
<http://last.fm/user/terraces> ,
<http://slideshare.net/terraces> ,
<http://twitter.com/terraces> .
<http://apassant.net/#cert> a rsa:RSAPublicKey ;
cert:identity <http://apassant.net/alex> .
_:node14efunnjjx1 cert:decimal "65537"@en .
<http://apassant.net/#cert> rsa:public_exponent _:node14efunnjjx1 .
_:node14efunnjjx2 cert:hex "8af4cb6d6ec004bd28c08d37f63301a3e63ddfb812475c679cf073c4dc7328bd20dadb9654d4fa588f155ca05e7ca61a6898fbace156edb650d2109ecee65e7f93a2a26b3928d3b97feeb7aa062e3767f4fadfcf169a223f4a621583a7f6fd8992f65ef1d17bc42392f2d6831993c49187e8bdba42e5e9a018328de026813a9f"@en .
<http://apassant.net/#cert> rsa:modulus _:node14efunnjjx2 .
[snip]
This graph can then be queried with SPARQL, merged with other graphs, and just as it links to other resources, those can in turn link back to it, and to elements defined therein. As a result Alexandre Passant can then use this in combination with an appropriate X509 certificate to log into foaf+ssl enabled web sites in one click, without needing to either remember a password or a URL.
Posted at 07:39PM Sep 09, 2009 [permalink/trackback] by Henry Story in Java | Comments[7]
How to write a simple foaf+ssl authentication servlet
After having set up a web server so that it listens to an https socket that accepts certificates signed by any Certification Authority (CA) (see the Tomcat post), we can write a servlet that uses these retrieved certificates to authenticate the user. I will detail one simple way of doing this here.
Retrieving the certificate from the servlet
In Tomcat compatible servlets it is possible to retrieve the certificates used in a connection with the following code:
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class FoafSslServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        //...
        // null when the client sent no certificate (clientAuth="want"), so check before use
        X509Certificate[] certificates = (X509Certificate[]) request
                .getAttribute("javax.servlet.request.X509Certificate");
        //...
    }
}
Verifying the WebId
This can be done very easily by using a class such as DereferencingFoafSslVerifier (see source), available as a maven project from so(m)mer repository (in the foafssl/ directory).
Use it like this:
// foafSslCertificate: the certificate chain retrieved from the request above
Collection<? extends FoafSslPrincipal> verifiedWebIDs = null;
try {
    FoafSslVerifier FOAF_SSL_VERIFIER = new DereferencingFoafSslVerifier();
    // dereferences the WebId(s) in the certificate and checks the published key matches
    verifiedWebIDs = FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate);
} catch (Exception e) {
    redirect(response,...); //redirect appropriately
    return;
}
If the certificate is authenticated by the WebId, you will then end up with a collection of FoafSslPrincipals, which can be used as an identifier for the user who just logged in. Otherwise you should redirect the user to a page enabling him to log in with either OpenId or the usual username/password pair, or point him to a page such as this one where he can get a foaf+ssl certificate.
For a complete example application that uses this code, have a look at the Identity Provider Servlet, which is running at https://foafssl.org/srv/idp (note this servlet was trying to create a workaround for an iPhone bug. Ignore that code for the moment).
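What the verifier does between receiving the certificate and returning the principals, as an added example in Python rather than the foafssl library's Java code: each WebId claimed in the certificate's SubjectAlternativeName is dereferenced, and the WebId counts as verified only if the document it lives in binds that same RSA modulus and exponent to it (the cert:hex / cert:decimal pattern seen in the RDFa output of the previous post). The FOAF document is assumed to be already parsed into triples, as the Sesame-based parser would produce; ClientCert, fetch and the sample document are constructed for the example.

```python
# Application-layer foaf+ssl (WebId) verification over an already-parsed FOAF graph.
# Constructed example, not the foafssl library's code; language tags are dropped from literals.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple
from urllib.parse import urldefrag

Triple = Tuple[str, str, str]          # (subject, predicate, object) as plain strings
CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"


@dataclass
class ClientCert:
    """The parts of the TLS client certificate foaf+ssl needs (a stand-in for
    java.security.cert.X509Certificate): the SubjectAlternativeName URIs claiming
    WebIds, and the RSA public key. Who signed the certificate plays no role."""
    san_uris: List[str]
    modulus: int
    exponent: int


def hex_literal_to_int(literal: str) -> int:
    # cert:hex values may be wrapped over lines, spaced, or carry leading zeros:
    # compare the numeric value, never the raw string.
    return int("".join(literal.split()), 16)


def objects_of(graph: List[Triple], subject: str, predicate: str) -> List[str]:
    return [o for s, p, o in graph if s == subject and p == predicate]


def keys_asserted_for(graph: List[Triple], webid: str) -> Set[Tuple[int, int]]:
    """Every (modulus, exponent) pair the document binds to this WebId through
    cert:identity, rsa:modulus/cert:hex and rsa:public_exponent/cert:decimal."""
    keys: Set[Tuple[int, int]] = set()
    for key_node, pred, obj in graph:
        if pred != CERT + "identity" or obj != webid:
            continue
        moduli = [hex_literal_to_int(h)
                  for n in objects_of(graph, key_node, RSA + "modulus")
                  for h in objects_of(graph, n, CERT + "hex")]
        exponents = [int(d)
                     for n in objects_of(graph, key_node, RSA + "public_exponent")
                     for d in objects_of(graph, n, CERT + "decimal")]
        keys.update((m, e) for m in moduli for e in exponents)
    return keys


def verify_webids(cert: ClientCert, fetch: Callable[[str], List[Triple]]) -> Set[str]:
    """Return the WebIds in the certificate that the dereferenced documents vouch for.
    `fetch` (assumed) GETs a document URL and returns its parsed triples."""
    verified: Set[str] = set()
    for webid in cert.san_uris:
        document_url, _fragment = urldefrag(webid)   # <joe#me> is described in <joe>
        try:
            graph = fetch(document_url)
        except Exception:
            continue   # unreachable or unparsable: that WebId is simply not verified
        if (cert.modulus, cert.exponent) in keys_asserted_for(graph, webid):
            verified.add(webid)
    return verified


# Constructed sample: the triples a parser would return for a small FOAF document
# at https://example.org/joe, with a short modulus written with a leading zero byte.
JOE = "https://example.org/joe#me"
JOE_GRAPH: List[Triple] = [
    (JOE, "http://xmlns.com/foaf/0.1/name", "Joe"),
    ("https://example.org/joe#cert", CERT + "identity", JOE),
    ("https://example.org/joe#cert", RSA + "public_exponent", "_:e1"),
    ("_:e1", CERT + "decimal", "65537"),
    ("https://example.org/joe#cert", RSA + "modulus", "_:m1"),
    ("_:m1", CERT + "hex", "00 c0ffee\n 0badf00d"),
]


def fetch_sample(url: str) -> List[Triple]:
    if url == "https://example.org/joe":
        return JOE_GRAPH
    raise IOError("no such document: " + url)


if __name__ == "__main__":
    good = ClientCert([JOE], 0xC0FFEE0BADF00D, 65537)
    print(verify_webids(good, fetch_sample))   # {'https://example.org/joe#me'}
```

A certificate whose key is not the one published at the WebId, or that claims a WebId whose document does not mention it, yields an empty set, which is exactly the case where the servlet should fall back to the redirect above.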
Todo
The current library is too simple and has a few gaping usability holes. Some of the most evident are:
- No support for RDFa or Turtle formats.
- The Sesame RDF framework/database should be run as a service, so that it can be queried directly by the servlet. Currently the data gathered from the foaf file is lost as soon as the FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate); method returns. This is ok for an Identity Provider Servlet, but not for most other servers. A Java/RDF mapper such as the So(m)mer mapper would then make it easy for Java programmers to use the information in the database to personalize the site with the information given by the foaf file.
- Develop an access control library that makes it easy to specify declaratively which resources can be accessed by which groups of users. It would be useful for example to be able to specify that a number of resources can be accessed by friends of someone, or friends of friends of someone, or family members, ....
But this is good enough to get going. If you have suggestions on the best way to architect some of these improvements so that we have a more flexible and powerful library, please contact me. I welcome all contributions. :-)
Posted at 10:23AM Jul 24, 2009 [permalink/trackback] by Henry Story in Art | Comments[0]
How to setup Tomcat as a foaf+ssl server
foaf+ssl is a standards-based protocol enabling one click identification/authentication to web sites, without requiring the user to enter either a username or a password. It can be used as a global distributed access control mechanism. It works with current browsers. It is RESTful, thereby working with Linked Data and especially linked foaf files, which in turn enables distributed social networks.
I will show here what is needed to get foaf+ssl working for Tomcat 6.x. The general principles are documented on the Tomcat ssl howto page, which should be used for detailed reference. Here I will document the precise setup needed for foaf+ssl. If you want to play with this protocol quickly without bothering with this procedure, I recommend using the foaf+ssl Identity Provider service, which you can point to on your web pages, and which will then redirect your users to the service of your choosing with the URLEncoded WebId of your visitor.
foaf+ssl works by having the server request a client certificate on an https connection. The server therefore needs an https end point which can be specified in Tomcat by adding the following connector to the conf/server.xml file:
Note: the default https port is 443, but it requires root privileges.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
sslProtocol="TLS"/>
Servers authenticate themselves by sending the client a certificate signed by a well known Certificate Authority (CA) whose public key is shipped in all browsers. Browsers use the public key to verify the signature sent by the server. If the server sends a certificate that is not signed by one of these CAs (perhaps it is self signed) then the web browser will usually display some pretty ugly error message, warning the user to stay clear of that site, with some complex way of bypassing the warning, which, if the user is courageous and knowledgeable enough, will allow him to add the certificate to a list of trusted certs. This warning will put most people off. It is best therefore to buy a CA certified cert. (I found one for €15 at trustico.) Usually the CAs will have very detailed instructions for installing the cert for a wide range of servers. In the case of Tomcat you will end up with the following additional attribute values:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
sslProtocol="TLS"/>
And of course this requires placing the server cert file at the keystoreFile path.
There are usually two ways for the server to respond to the client not sending a (valid) certificate. Either it can simply fail, or it can allow the server app to decide what to do. Automatic failure is not a good option, especially for a login service, as the user will then be confronted with a blank page. Much better is to allow the server to redirect the user to another page explaining how to get a certificate and giving him the option of authenticating using OpenId or simply the well known username/password pattern. To enable Tomcat to respond this way you need to add the clientAuth="want" attribute value pair:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
sslProtocol="TLS" clientAuth="want" />
Most Java web servers, on receiving a client certificate, attempt to validate it automatically, by verifying that it is correctly signed by one of the CAs shipped with the Java Runtime Environment (JRE), verifying that the cert is still valid, etc. As the SSL library that ships with the JRE does not implement foaf+ssl, we will need to do the authentication at the application layer. We therefore need to bypass the SSL implementation. To do this Bruno Harbulot put together the JSSLUtils library, available on Google Code. As mentioned in the JSSLUtils Tomcat documentation page, this will require you to place two jars in the Tomcat lib directory: jsslutils-0.5.1.jar and jsslutils-extra-apachetomcat6-0.5.2.jar (the version numbers may differ as the library evolves). You will also need to specify the SSLImplementation in the conf file as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
sslProtocol="TLS" clientAuth="want" />
Usually servers send in the request to the client a list of Distinguished Names of certificate authorities (CAs) they trust, so that the client can filter, from the certificates available in the browser, those that match. Getting client certificates signed by CAs is a complex and expensive procedure, which in part explains why requesting client certificates is very rarely used: very few people have certificates signed by well known CAs. Instead those services that rely on client certificates tend to sign those certificates themselves, becoming their own CA. This means that certificates end up being valid for only one domain. foaf+ssl bypasses this problem by accepting certificates signed by any CA, going so far as to allow even self signed certs. The server must therefore send an empty list of CAs, meaning that the browser can send any certificate (TLS 1.1). With the JSSLutils library available to Tomcat, this is specified in the conf/server.xml file with the acceptAnyCert="true" attribute.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
keystoreFile="conf/yourServerCert.kdb"
keystoreType="JKS" keystorePass="changeme"
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
acceptAnyCert="true" sslProtocol="TLS" clientAuth="want" />
At this point you have set up your Apache Tomcat server correctly. A user who arrives at your SSL endpoint and has a couple of certificates will be asked to choose between them. Your application code can then extract the chosen certificate with the following code:
import java.security.cert.X509Certificate;
// null when the client sent no certificate, e.g. the user cancelled the selector (clientAuth="want")
X509Certificate[] certificates = (X509Certificate[]) request
        .getAttribute("javax.servlet.request.X509Certificate");
You can then use these certificates to extract the WebId and verify the SSL certificates. Note that with acceptAnyCert="true" the SSL layer has only proved that the client holds the private key matching the certificate it sent; checking that the WebId named in the certificate really publishes that public key is left entirely to your application. I will write more about how to do this in my next blog post.
Posted at 06:25PM Jul 23, 2009 [permalink/trackback] by Henry Story in Java | Comments[3]
two months of foaf+ssl talks
For the past one and a half months I have been traveling through Europe giving talks on foaf+ssl, the RESTful authentication protocol for the Social Web. Here is a short summary of where I have been.
- 18 May 2009, Salzburg Research
- On my way cycling from Fontainebleau to Vienna, I stopped by in Salzburg, Austria, where the offices of the organisers of the EU sponsored KIWI (Knowledge in a Wiki) project, which Sun is participating in, are located. I introduced the group there to foaf+ssl, and they are now working on an implementation for their award winning semantic wiki.
- 20 May 2009, Semantic Web Company
- Right after arriving in Vienna, I met up with Andreas Blumauer, editor of the recently published Springer Book "Social Semantic Web". Hopefully my presentation will make its way in some form or another into the next edition :-). Andreas also gave me an overview of the powerful yet easy to use thesaurus management system named Pool Party, they are developing.
- 1 May 2009, European Semantic Web Conference, Heraklion
- Ian Jacobi, who had come to Crete for the occasion, helped me present the paper FOAF+SSL: RESTful Authentication for the Social Web in the SPOT track. The other papers presented in that track all fitted together very well, giving a very good overview of the topics that need to be covered in this space. I will be rereading them soon. The ESWC conference was also a great opportunity to do a number of quick one to one presentations by demoing it working on the iPhone. (Sadly the latest OS release broke the SSL stack, making my iPhone so much less useful.)
- 18 June, Vienna University of Technology
- In Crete I met Christoph Grün who helped organize a slot to present at the Institute of Software Technology & Interactive Systems. Christoph is working on Online Tourism web services, which would be a great use case for foaf+ssl. Imagine a group of people deciding to organize an outing on a tourism wiki site, where all members of the group would get access to that outing after a simple drag and drop of a foaf:Group URL onto the outing project console.... No account setup required.
- 23 June, Metalab Hacker's Club, Vienna
- While in Vienna I gave a presentation at the Metalab, an open meeting space for hackers of all walks of life. As it happened a journalist from the well known French newspaper "Le Monde" happened to be present and wrote up an article "Les nouvelles tribus du Net" (now paying) on the lab, mentioning my presentation en passant.
- 2-3 July, Sun Microsystems Kiwi Meeting, Prague
- The Kiwi group met in Prague for a couple of days to synchronize their work. After having won the best semantic web application prize at the European Semantic Web Conference in Crete, the mood was very positive. This was a good place to introduce the rest of the group to the potential of foaf+ssl, which is currently being implemented in Kiwi by Stefanie Stroka.
- 13 July, University of Leipzig
- I spent a whole day with the excellent Agile Knowledge Engineering and Semantic Web team at the University of Leipzig. After an update on their latest work with DBPedia, Ontowiki, xOperator, ... I presented foaf+ssl. After lunch we then spent the afternoon on a very helpful hands-on session. There are still enough rough edges in the different implementations of foaf+ssl that a bit of guidance can save a lot of time. End result: a few days later Sebastian Dietzold notified me that Philipp Frischmuth had written a first implementation, available publicly at http://trunk.ontowiki.net/. During our session we also discovered a bug on http://foaf.me/, which was soon fixed.
- 15 July, University of Potsdam
- Hagen organised a very well attended meeting at the University of Potsdam. The questions following the talk were very good, and showed a large interest. Sadly we did not have time for a hands-on session, as my next meeting was just a few hours later. Hands-on sessions are still very important, as they help turn a talk into an experience. It helps a lot that Melvin Carvalho enhanced foaf.me to make it very easy to create both a foaf file and a linked certificate, so with time these hands-on sessions should be easier and shorter to do.
- 15 July, New Thinking Store, Berlin
- I finished the day with a presentation at the New Thinking Store in Berlin, organized by Martin Schmidt. This was an opportunity again to present to Web 2.0 and more directly practical people.
Posted at 05:16PM Jul 20, 2009 [permalink/trackback] by Henry Story in travel | Comments[0]
Sun Initiates Social Web Interest Group
I am very pleased to announce that Sun Microsystems is one of the initiating members of the Social Web Incubator Group launched at the W3C.
Quoting from the Charter:
The mission of the Social Web Incubator Group, part of the Incubator Activity, is to understand the systems and technologies that permit the description and identification of people, groups, organizations, and user-generated content in extensible and privacy-respecting ways.
The topics covered with regards to the emerging Social Web include, but are not limited to: accessibility, internationalization, portability, distributed architecture, privacy, trust, business metrics and practices, user experience, and contextual data. The scope includes issues such as widget platforms (such as OpenSocial, Facebook and W3C Widgets), as well as other user-facing technology, such as OpenID and OAuth, and mobile access to social networking services. The group is concerned also with the extensibility of Social Web descriptive schemas, so that the ability of Web users to describe themselves and their interests is not limited by the imagination of software engineers or Web site creators. Some of these technologies are independent projects, some were standardized at the IETF, W3C or elsewhere, and users of the Web shouldn't have to care. The purpose of this group is to provide a lightweight environment designed to foster and report on collaborations within the Social Web-related industry or outside which may, in due time affect the growth and usability of the Social Web, rather than to create new technology.
I am glad we are supporting this along with these other prestigious players:
- ASemantics
- Boeing
- Cisco
- DERI Galway at the National University of Ireland, Galway, Ireland
- Garlik
- Institut National de Recherche en Informatique et en Automatique (INRIA)
- Institute of Informatics and Telecommunications (IIT), NCSR
- NICTA
- Rochester Institute of Technology
- SUN Microsystems
- Talis
- Telecom Italia
- University of Bristol
- University of Edinburgh
- Universidad Politécnica de Madrid
- University of Versailles
- Vrije Universiteit
- Vodafone
This should certainly help create a very interesting forum for discussing what I believe is one of the most important issues on the web today.
Posted at 10:22AM Apr 07, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[4]
howto get a foaf+ssl certificate to your iPhone
In my previous post I showed that a passwordless distributed social web is already possible on the iPhone. It just requires one to upload a foaf+ssl certificate to it. Here is a relatively easy way to do this. I leave it up to the readers of this blog to build even better ways to do it.
First of course you need to have a foaf+ssl certificate. If you don't have a foaf file, then you may want to first check out foafbuilder to create a foaf file and help you tie your distributed persona on the web together. It would be great if foafbuilder could also create those foaf+ssl certs.... For the moment it doesn't, so the easiest way to get one is to use the foafssl.org certificate creation service. That will load the certificate right into your browser, and help you test it.
Once you have a certificate in your browser - I am assuming Firefox here - you just need to export it to the hard drive. In Firefox go to Preferences, click on the Advanced tab, and choose the Encryption section.
I have a number of foaf+ssl certificates as you can see here. Choose one of them and click the Backup button. This will open another window asking you where you wish to save your certificate. Save it somewhere obvious in pkcs12 format. Make sure the file ends with a .p12 extension. You will also be asked for a password to encrypt your certificate, so it can't be opened in transit. You can use a complex password here as you will only need to remember it once.
Then just mail yourself that .p12 file using an account you can access on the iPhone of course. It is just a matter then of going to your iPhone, and opening your mail. In my mail I added a link to the web service I wanted to use next, to save me typing later.
When you click on the .p12 link on your iPhone, it will ask you whether you wish to install it. The certificate will most likely not be verified by another party. But that's ok, because you are the person who verified it. It is a certificate about you, and you know yourself better than most other people (except your mama of course).
You are then asked to enter the password you used to encrypt the certificate earlier. Once this is done your certificate will be installed on your iPhone, where it can stay happily for a very long time.
If you wish to have a number of different personalities on the web you can create different foaf profiles of yourself, where you can link different pieces of your web life together. As all detective films show, it is very difficult to keep things forever secret. But you can at least keep pieces of your life clearly separated, to keep nosy people busy.
Posted at 07:19PM Apr 03, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[2]
Global Identity in the iPhone browser
Typing user names/passwords on cell phones is extremely tedious. Here we show how identification & authentication can be done in two clicks: no URL to type in, no changes to the iPhone, just bog standard SSL technology tied into a distributed global network of trust, which is known as foaf+ssl.
After having installed a foaf+ssl certificate on my phone (which I will explain how to do in my next post), I directed Safari to foaf.me, which is a foaf+ssl enabled web site. This brought up the following screen:
This is a non personalised page. In the top right is a simple foaf+ssl login button. This site was not designed for the iPhone, or it would have been a lot more prominent. (This is easy to change for foaf.me of course.) So I then zoomed onto the login link as shown in the following snapshot. Remember that I don't have an account on foaf.me. This could be the first time ever I go there. But nevertheless I can sign up: just click that link.
So clicking on this foaf+ssl enabled link brings up the following window in Safari. Safari warns me first that the site requires a certificate. The link I clicked on sent me to a page that is requesting my details.
As I do in fact want to login, I click the continue button. The iPhone then presents me with an identity selector, asking me which of my two certificates I want to use to log in:
Having selected the second one, the certificate containing my bblfish.net WebId is sent to the server, which authenticates me. The information from my foaf file is then used to personalise my foaf.me experience. Here foaf.me gives me a nice human readable view of my foaf file. I can even explore my social network right there and then, by clicking on the links to my friends. Again, this will work even if you never did go to foaf.me before. All you need is of course a well filled out foaf file, which services such as foafbuilder.qdos.com are making very easy to do. Anyway, here is the foaf.me personalised web page. It really knows a lot about me after just 2 clicks!
The foaf.me site currently has another tab, showing my activity stream of all the chats I have on the web, which it can piece together since I linked all my accounts together in my foaf file, as I explained in the post "Personalising my Blog" a few months ago.
Other web sites could use this information very differently. My web server itself may also decide to show selected information to selected servers... Implementing this, it turns out, is quite easy. More on that on this blog and on the foaf-protocols mailing list.
Posted at 06:14PM Apr 03, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[3]
The W3C Workshop on the Future of Social Networking Position Papers
I am in Barcelona, Spain (the country of Dali) for the W3C Workshop on the Future of Social Networking. To prepare for this I decided to read through the 75 position papers. This is the conference I have been the best prepared for ever. It really changes the way I can interact with other attendees. :-)
I wrote down a few notes on most papers I read through, to help me remember what I read. This took me close to a week, a good part of which I spent trying to track down the authors on the web, find their pictures, familiarise myself with their work, and fill out my Address Book. Anything I could do to help me find as many connections as possible to help me remember the work. I used delicious to save some subjective notes, which can be found under the w3csn tag. I was going to publish this on Wednesday, but had not quite finished reading through all the papers. I got back to my hotel this evening to find that Libby Miller, who co-authored the foaf ontology, had beaten me to it with the extent and quality of her reviews, which she published in two parts:
- Part one covers papers 1 to 42
- Part two covers papers 43 to 72 and the three late ones
Amazing work Libby!
70 papers is more than most people can afford to read. If I were to recommend just a handful of papers that stand out in my mind for now these would be: I will blog about other posts as the occasion presents itself in future blogs. This is enough for now. I have to get up early and be awake for tomorrow's talks which start at 8:30 am. In the mean time you can follow a lively discussion of the ongoing conference on twitter under the w3csn tag.
Posted at 12:52AM Jan 16, 2009 [permalink/trackback] by Henry Story in SemWeb | Comments[8]
ruby script to set skype and adium mood message with twitter on osx
Twitter is a great way to learn many little web2.0ish things. I wanted to set the status message on my Skype and Adium clients using my last twitter message. So I found a howto document by Michael Tyson which I adapted a bit to add Skype support and to only post tweets that were not replies to someone else - I decided there was just too much loss of context for that to make sense.
#!/usr/bin/env ruby
#
# Update iChat/Adium/Skype status from Twitter
#
# Michael Tyson
# http://michael.tyson.id.au
# Contributor: Henry Story

require 'net/http'
require 'uri'
require 'rexml/document'
include REXML

# Set Twitter username here
Username = 'bblfish'

# Download timeline XML and extract the latest entry that is not a reply
# (replies contain an @mention and lose too much context outside the timeline)
url = "http://twitter.com/statuses/user_timeline/" + Username + ".atom"
xml_data = Net::HTTP.get_response(URI.parse(url)).body
doc = REXML::Document.new(xml_data)
latest = XPath.match(doc, "//content").detect { |c| c.text && !/@/.match(c.text) }
exit if latest.nil?
# Twitter prefixes each entry with "username: "; strip that prefix
message = latest.text.gsub(/^[^:]+:\s*/, '')
exit if message.empty?

# Apply to status: build an AppleScript and hand it to osascript.
# Each '+' sits at the end of its line so Ruby keeps concatenating; a '+' at
# the start of a line would begin a new statement and leave the script truncated.
script = 'set message to "' + message.gsub(/"/, '\\"') + "\"\n" +
  'tell application "System Events"' + "\n" +
  'if exists process "iChat" then tell application "iChat" to set the status message to message' + "\n" +
  'if exists process "Adium" then tell application "Adium" to set status message of every account to message' + "\n" +
  'if exists process "Skype" then tell application "Skype" to send command "set profile mood_text " & message script name "twitter"' + "\n" +
  'end tell' + "\n"
IO.popen("osascript", "w") { |f| f.puts(script) }
This can then be added to the unix crontab as explained in Michael's article, and all is good.
What can one learn with this little exercise? Quite a lot:
- Ruby - this is my first Ruby hack
- Atom - twitter uses an atom xml feed to publish its posts
- unix crontab
- AppleScript to send messages to all these silly OSX apps
- vi to edit all of this, but that's not obligatory, you can use less viral ones
- the value of reusing data across applications
Posted at 02:18PM Dec 12, 2008 [permalink/trackback] by Henry Story in Java | Comments[0]
video on distributed social network platform NoseRub
I just came across this video on Twitter by pixelsebi explaining distributed social networks in a screencast, and especially a PHP application, NoseRub. Here is the video.
Distributed Social Networking - An Introduction from pixelsebi on Vimeo.
In a "Read Write Web" article on his video, pixelsebi summarizes how all these technologies fit together:
To sum it up - if I had to describe it to somebody who has no real clue about it at all:
- Distributed Social Networking is an architecture approach for the social web.
- DiSo and Noserub are implementations of this "social web architecture"
- OpenSocial REST API is one of many ways to provide data in this distributed environment.
- OpenSocial based Gadgets might run some time at any node/junction of this distributed environment and might be able to handle this distributed social web architecture.
So I would add that foaf provides semantics for describing distributed social networks, and foaf+ssl is one way to add security to the system. My guess is that the OpenSocial JavaScript API can be decoupled from the OpenSocial REST API and produce widgets however the data is produced (unless they made the mistake of tying it too closely to certain URI schemes).
Posted at 12:49PM Dec 04, 2008 [permalink/trackback] by Henry Story in SemWeb | Comments[0]
foaf+ssl: adding security to open distributed social networks
For the "W3C Workshop on the Future of Social Networking", taking place in Barcelona January 2009
- Attending: Henry Story
- Contributors: Bruno Harbulot, Ian Jacobi, Toby Inkster
- Enthusiastic: Melvin Carvalho
Semantic Web vocabularies such as foaf permit distributed hyperlinked social networks to exist. We would like to discuss a group of related ways we are exploring (mailing list) to add information and service protection to such distributed networks.
One major criticism of open networks is that they seem to have no way of protecting the personal information distributed on the web or limiting access to resources. Few people are willing to make all their personal information public; many would like large pieces to be protected, making them available only to a select group of agents. Giving access to information is very similar to giving access to services. There are many occasions when people would like services to be accessible only to members of a group, such as allowing only friends, family members or colleagues to post a blog, photo or comment on a site. How does one do this in a maximally flexible way, without requiring any central point of access control?
Using an intuition made popular by OpenID, we show how one can tie a User Agent to a URI by proving that it has write access to it. foaf+ssl is architecturally a simpler alternative to OpenID (fewer connections) that uses X.509 certificates to tie a User Agent (Browser) to a Person identified via a URI. However, foaf+ssl can provide additional features, in particular some trust management, relying on signing FOAF files in conjunction with a set of locally trusted keys, as well as a bridge with traditional PKIs. By using the existing SSL certificate exchange mechanism, foaf+ssl integrates more smoothly with existing browsers (pictures with Firefox) including mobile devices, and permits automated sessions in addition to interactive ones.
The steps in the protocol can be summarised simply:
- A web page points to a protected resource using an https URL, e.g. https://juliette.net/location
- The client fetches the secure http URL.
- As part of that exchange the server requests the client certificate. The client returns Romeo's (possibly self-signed) certificate, containing the little known X.509 v3 extensions section. Because the connection is encrypted, Juliet's server knows that Romeo's client knows the private key of the public key that is also passed in the certificate. Something like:

    X509v3 extensions:
        ...
        X509v3 Subject Alternative Name:
            URI:http://romeo.net/#romeo
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                00:b6:bd:6c:e1:a5:ef:51:aa:a6:97:52:c6:af:2e:
                71:94:8a:b6:da:9e:5a:5f:08:6d:ba:75:48:d8:b8:
                01:50:d3:92:11:7d:90:13:89:48:06:2e:ec:6e:cb:
                57:45:a4:54:91:ee:a0:3a:46:b0:a1:c2:e6:32:4d:
                54:14:4f:42:cd:aa:05:ca:39:93:9e:b9:73:08:6c:
                fe:dc:8e:31:64:1c:f7:f2:9a:bc:58:31:0d:cb:8e:
                56:d9:e6:da:e2:23:3a:31:71:67:74:d1:eb:32:ce:
                d1:52:08:4c:fb:86:0f:b8:cb:52:98:a3:c0:27:01:
                45:c5:d8:78:f0:7f:64:17:af
            Exponent: 65537 (0x10001)

- Juliet's server dereferences the URI found in the certificate, fetching a document.
- The document's log:semantics is queried for information regarding the public key contained in the previously mentioned X.509 certificate. This can be done in part with a SPARQL query such as:

    PREFIX cert: <http://www.w3.org/ns/auth/cert#>
    PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
    SELECT ?modulus ?exp
    WHERE {
       ?key cert:identity <http://romeo.net/#romeo>;
            a rsa:RSAPublicKey;
            rsa:modulus [ cert:hex ?modulus; ];
            rsa:public_exponent [ cert:decimal ?exp ] .
    }

- If the public key in the certificate is found to be identical to the one published in the foaf file, the server knows that the client has write access over the http://romeo.net/ resource.
- Romeo's identity is then checked as to its position in a graph of relations (including friendship ones) in order to determine trust according to some criteria. Juliet's server can get this information by crawling the web starting from her foaf file, or by other means.
- Access is granted or denied.
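The server-side part of the steps above (reading the WebID from the certificate's Subject Alternative Name and comparing the certificate's RSA key with the one the foaf file publishes), which is also what the Tomcat post earlier on this page defers to a later article, as an added example in Go; it is not code from foaf+ssl, Tomcat or any implementation named here. Romeo's key and self-signed certificate are generated inside the program, and FoafStore is a constructed in-memory map standing in for dereferencing the WebID and running the SPARQL query.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// FoafKey is what the SPARQL query above returns for one key published in a
// foaf file: the modulus as cert:hex and the exponent as cert:decimal.
type FoafKey struct {
	ModulusHex      string
	ExponentDecimal string
}

// FoafStore: constructed stand-in for dereferencing a WebID and querying its document.
type FoafStore map[string][]FoafKey

// parseHex accepts the modulus as a foaf file may spell it: bare hex or the
// openssl-style "00:b6:bd:..." form with colons, spaces and line breaks.
func parseHex(s string) (*big.Int, error) {
	clean := strings.NewReplacer(":", "", " ", "", "\n", "", "\t", "").Replace(s)
	b, err := hex.DecodeString(clean)
	return new(big.Int).SetBytes(b), err
}

// keyMatches compares numerically, so a leading 00 byte or hex case never causes a mismatch.
func keyMatches(pub *rsa.PublicKey, k FoafKey) bool {
	mod, err := parseHex(k.ModulusHex)
	if err != nil {
		return false
	}
	exp, ok := new(big.Int).SetString(strings.TrimSpace(k.ExponentDecimal), 10)
	return ok && mod.Cmp(pub.N) == 0 && exp.Cmp(big.NewInt(int64(pub.E))) == 0
}

// authenticate runs the server's checks on a certificate the TLS handshake already
// accepted (possession of the private key is thus proven): read the WebIDs from the
// Subject Alternative Name and return the first whose published key equals the cert's key.
func authenticate(cert *x509.Certificate, store FoafStore) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("certificate key is not RSA")
	}
	for _, u := range cert.URIs {
		for _, k := range store[u.String()] {
			if keyMatches(pub, k) {
				return u.String(), nil
			}
		}
	}
	return "", fmt.Errorf("none of the %d SAN URIs publishes this public key", len(cert.URIs))
}

// selfSignedCert builds Romeo's self-signed certificate with the WebID in the SAN.
func selfSignedCert(webID string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Romeo"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// publishedForm renders a key as the foaf file does: colon-separated hex with its
// leading 00 for the modulus, decimal for the exponent.
func publishedForm(pub *rsa.PublicKey) FoafKey {
	parts := []string{"00"}
	for _, b := range pub.N.Bytes() {
		parts = append(parts, fmt.Sprintf("%02x", b))
	}
	return FoafKey{ModulusHex: strings.Join(parts, ":"), ExponentDecimal: fmt.Sprint(pub.E)}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // Romeo's key (the dump above uses 1024 bits)
	cert, err := selfSignedCert("http://romeo.net/#romeo", key)
	if err != nil {
		panic(err)
	}
	store := FoafStore{"http://romeo.net/#romeo": {publishedForm(&key.PublicKey)}}
	fmt.Println(authenticate(cert, store))
}
```

A certificate whose WebID document publishes a different key, or whose WebID is unknown, is rejected by the same lookup, which is what makes an attacker's own self-signed certificate worthless without write access to the foaf file.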
We have tested this on multiple platforms in a number of different languages (Java™, Python, ...) and across a number of existing web browsers (Firefox, Safari, more to come).
foaf+ssl is one protocol that we would like to concentrate on due to its simplicity. But there are a number of other ways of achieving the same thing, by using OpenID for example. All of them require some extra pieces:
- An ontology to describe what can be done with the data (copied, republished, ...) or what obligations one incurs in using a service.
- An ontology to describe who has access to the service. This would be useful to help people decide if they should bother trying to access it, or what else they need to do, such as become friends with someone, or reveal a bug in the software somewhere.
- Other things that might come up.
We will discuss our experience implementing this, the problems we have encountered and where we think this is leading us to next.
Posted at 07:36PM Dec 02, 2008 [permalink/trackback] by Henry Story in SemWeb | Comments[3]
personalising my blog
Those who read me via news feeds (I wonder how many of those there are) may not have seen the recent additions I have made to my blog pages. I have added a view onto:
- my recent flickr pictures
- my del.icio.us bookmarks
- my twitter discussion
- the music I am listening to
This is quite a lot of personal info. With my friend of a friend network it should be clear how more and more of the type of information you could find on social networking sites such as Facebook is now on my blog. And this could keep growing of course.
The current personalization is mostly powered by JavaScript (with one flash application for last.fm ). Here is the code I added to my blog template, pieces of which I found here and there on the web, often in templates provided by the web services themselves.
<h2>Recent Photos</h2><!-- see http://veerle.duoh.com/blog/comments/fickr_badge_w3c_valid/ -->
<div id="flickr"><script type="text/javascript"
src="http://www.flickr.com/badge_code_v2.gne?count=6&display=latest&size=s&layout=x&source=user&user=88952050%40N00">
</script>
</div>
<div class="recentposts">
<script type="text/javascript"
src="http://feeds.delicious.com/v2/js/bblfish?title=My%20Recent%20Bookmarks&icon=s&count=5&sort=date&tags&extended">
</script>
</div>
<h2>Twittering</h2>
<div id="twitter_div" class="recentposts">
<a href="http://twitter.com/bblfish">last 5 entries:</a><br/>
<ul id="twitter_update_list"></ul>
</div>
<script src="http://twitter.com/javascripts/blogger.js" type="text/javascript"></script>
<script src="http://twitter.com/statuses/user_timeline/bblfish.json?callback=twitterCallback2&count=5" type="text/javascript">
</script>
<h2>Listening To</h2>
<!-- I am looking for something lighter than this! -->
<style type="text/css">table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 td
{margin:0 !important;padding:0 !important;border:0 !important;}
table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 tr.lfmHead
a:hover
{background:url(http://cdn.last.fm/widgets/images/en/header/chart/recenttracks_regular_blue.png)
no-repeat 0 0 !important;}
table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 tr.lfmEmbed object {float:left;}
table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 tr.lfmFoot td.lfmConfig a:hover
{background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png) no-repeat 0px 0 !important;}
table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 tr.lfmFoot td.lfmView a:hover
{background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png) no-repeat -85px 0 !important;}
table.lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484 tr.lfmFoot td.lfmPopup a:hover
{background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png) no-repeat -159px 0 !important;}
</style>
<table class="lfmWidgetchart_0bbc5b054e26d39362c0a10c7761f484" cellpadding="0" cellspacing="0" border="0"
style="width:184px;"><tr class="lfmHead">
<td><a title="bblfish: Recently Listened Tracks" href="http://www.last.fm/user/bblfish" target="_blank"
style="display:block;overflow:hidden;height:20px;width:184px;background:url(http://cdn.last.fm/widgets/images/en/header/chart/recenttracks_regular_blue.png)
no-repeat 0 -20px;text-decoration:none;border:0;">
</a></td></tr>
<tr class="lfmEmbed"><td>
<object type="application/x-shockwave-flash" data="http://cdn.last.fm/widgets/chart/friends_6.swf"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0"
id="lfmEmbed_210272050" width="184" height="199">
<param name="movie" value="http://cdn.last.fm/widgets/chart/friends_6.swf" />
<param name="flashvars" value="type=recenttracks&user=bblfish&theme=blue&lang=en&widget_id=chart_0bbc5b054e26d39362c0a10c7761f484" />
<param name="allowScriptAccess" value="always" />
<param name="allowNetworking" value="all" />
<param name="allowFullScreen" value="true" />
<param name="quality" value="high" /> <param name="bgcolor" value="6598cd" />
<param name="wmode" value="transparent" /> <param name="menu" value="true" />
</object></td></tr><tr class="lfmFoot">
<td style="background:url(http://cdn.last.fm/widgets/images/footer_bg/blue.png) repeat-x 0 0;text-align:right;">
<table cellspacing="0" cellpadding="0" border="0" style="width:184px;">
<tr><td class="lfmConfig">
<a href="http://www.last.fm/widgets/?colour=blue&chartType=recenttracks&user=bblfish&chartFriends=1&from=code&widget=chart"
title="Get your own widget" target="_blank"
style="display:block;overflow:hidden;width:85px;height:20px;float:right;background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png)
no-repeat 0px -20px;text-decoration:none;border:0;">
</a></td><td class="lfmView"
style="width:74px;">
<a href="http://www.last.fm/user/bblfish" title="View bblfish's profile"
target="_blank" style="display:block;overflow:hidden;width:74px;height:20px;background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png)
no-repeat -85px -20px;text-decoration:none;border:0;">
</a>
</td><td class="lfmPopup"
style="width:25px;">
<a href="http://www.last.fm/widgets/popup/?colour=blue&chartType=recenttracks&user=bblfish&chartFriends=1&from=code&widget=chart&resize=1"
title="Load this chart in a pop up"
target="_blank"
style="display:block;overflow:hidden;width:25px;height:20px;background:url(http://cdn.last.fm/widgets/images/en/footer/blue.png)
no-repeat -159px -20px;text-decoration:none;border:0;"
onclick="window.open(this.href + '&resize=0','lfm_popup','height=299,width=234,resizable=yes,scrollbars=yes'); return false;"
></a></td>
</tr></table>
</td></tr>
</table>
So that, as you can see, is quite a lot of extra html every time someone downloads my web page. This would not be too bad, but the above javascript widgets themselves go and fetch a lot of html, javascript, code and other content, further slowing down the responsiveness of the web pages. This data is served to everyone whether they want to see all that information or not. Well, if they don't, they can subscribe to the rss feed by dragging this page into a feed reader, in which case they will just see the blog posts themselves, and not the sidebar.
Why add this information to my blog? Well it gives people an idea of where they can find out more about me. A lot of people don't know that I have a del.icio.us feed, so they may not know that they can follow what I am reading over there. This gives the initial feeling of what it would be like to have a deeper view on my activities.
But as mentioned previously, there are a few problems with this.
- This makes this page heavier.
- Every page view on my blog will download that information and start those applets. (A great way for those services to track the number of people directly visiting these pages, by the way.)
- This can become tedious. People who want to follow me can do so by coming to this web page from time to time. But with enough sites like that, this is going to become a bit difficult to do. One does not want to spend all day reading the different feeds of information of one's friends. This is what Facebook does for people: it is a giant web based feed reader of social information.
- Difficult to track change: if I switch to a different bookmarking service, perhaps a semantic one like faviki, I will have to redo this page, and all my friends are going to have to update their feeds.
- If I add more of the resources I am working on, this page is going to become unmaintainably long.
- People who read my feed will not notice the changes occurring here.
So those are the problems that Web 3.0, the semantic web is going to solve. By just downloading my foaf file, you should have access to my network of friends via linked data, and via pointers to all the other resources on the web that I may be using. Whatever tool you use will be able to then keep all this data easily up to date, and with great search tools, enhance your view of the many linked networks you will be part of and tracking.
The whole code you see above could then be replaced with one link to my foaf file. That foaf file can itself point to further resources in case it becomes large. To give a list of some of the most interesting accounts I have, I added the following N3 to my foaf file today:
@prefix : <http://bblfish.net/people/henry/card#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
:me foaf:holdsAccount
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's skype account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://www.skype.com/>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's flickr pictures account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://www.flickr.com/> ;
    foaf:accountProfilePage <http://www.flickr.com/people/bblfish>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's last.fm music account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://www.last.fm/> ;
    foaf:accountProfilePage <http://www.last.fm/user/bblfish>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's delicious bookmarking account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://delicious.com/> ;
    foaf:accountProfilePage <http://delicious.com/bblfish>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's java.net developer account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://java.net/>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's twitter micro blogging account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://twitter.com/> ;
    foaf:accountProfilePage <http://twitter.com/bblfish>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's twine semantic aggregation account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://twine.com/> ;
    foaf:accountProfilePage <http://www.twine.com/user/bblfish>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's facebook social networking account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://www.facebook.com/>
  ],
  [ a foaf:OnlineAccount ;
    rdfs:label "Henry Story's linked in business social network account"@en ;
    foaf:accountName "bblfish" ;
    foaf:accountServiceHomepage <http://www.linkedin.com/> ;
    foaf:accountProfilePage <http://www.linkedin.com/pub/0/482/680>
  ] .
First of all it should be clear that the above is a lot more readable than the javascript code shown earlier in this post. Secondly I listed over twice as many online accounts there as I currently have in my side bar. And finally this is in a file that a client would not need to download unless it had an interest in knowing more about me. This could easily be cached over a period of time, and need not be served up again on each page request.
Again, for one possible view on the above data it is worth installing the Tabulator Firefox extension and then clicking on my foaf icon. There are of course many more things specialized software could do with that information than present it like that.
On this topic, you may want to continue by looking at the recently published, excellent and beautiful presentation on the subject of the Social Semantic Web, by John Breslin.
Posted at 07:45PM Nov 30, 2008 by Henry Story in SemWeb | Comments[3]
variation on @timoreilly: hyperdata is the new intel outside
Context: Tim O'Reilly said "Data is the new Intel Inside".
Recently in a post "Why I love Twitter":
What's different, of course, is that Twitter isn't just a protocol. It's also a database. And that's the old secret of Web 2.0, Data is the Intel Inside. That means that they can let go of controlling the interface. The more other people build on Twitter, the better their position becomes.
The meme was launched in the well known "What is Web 2.0" paper in the section entitled "Data is the next Intel Inside"
Applications are increasingly data-driven. Therefore: For competitive advantage, seek to own a unique, hard-to-recreate source of data.
Most of the data is outside your database. It can only be that way, the world is huge, and you are just one small link in the human chain. Linking that data is knowledge and value creation. Hyperdata is the foundation of Web 3.0.
Posted at 03:19PM Nov 30, 2008 by Henry Story in SemWeb | Comments[0]
foaf+ssl: a first implementation
The first very simple implementations for the foaf+ssl protocol are now out: the first step in adding simple distributed security to the global open distributed decentralized social network that is emerging.
Update Feb 2009: I put up a service to create a foaf+ssl service in a few clicks. Try that out if you are short on time first.
The foaf+ssl protocol has been discussed in detail in a previous blog: "FOAF & SSL: creating a global decentralised authentication protocol", which goes over the theory of what we have implemented here. For those of you who have more time I also recommend my JavaOne 2008 presentation Building Secure, Open and Distributed Social Network Applications, which explains the need for a protocol such as this, gives some background understanding of the semantic web, and covers the working of this protocol in detail, all in a nice to listen to slideshow with audio.
In this article we are going to be rather more practical, and less theoretical, but still too technical for the likes of many. I could spend a lot of time building a nice user interface to help make this blog a point and click experience. But we are not looking for point and click users now, but people who feel at home looking at some code, working with abstract security concepts, who can be critical and find solutions to problems too, and are willing to learn some new things. So I have simplified things as much as needs be for people who fall into that category (and made it easy enough for technical managers to follow too, I hope).
To try this out yourself you need just download the source code in the So(m)mer repository. This can be done simply with the following command line:
$ svn checkout https://sommer.dev.java.net/svn/sommer/trunk sommer --username guest
(leave the password blank)
This is downloading a lot more code than is needed by the way. But I don't have time to spend on isolating all the dependencies, bandwidth is cheap, and the rest of the code in there is pretty interesting too, I am sure you will agree. Depending on your connection speed, this will take some time to download, so we can do something else in the meantime, such as have a quick look at the uml diagram of the foaf+ssl protocol:
Let us make clear who is playing what role. You are Romeo. You want your client - a simple web browser such as Firefox or Safari will do - to identify you to Juliette's Web server. Juliette as it happens is a semantic web expert and she trusts that if you are able to read through this blog, understand it, create your X509 certificate and set up your foaf file so that it publishes your public key information correctly then you are human, intelligent, avant-garde, and you have enough money to own a web server, which is all to your advantage. As a result her semantically enabled server will give you the secret information you were looking for.
Juliette knows of course that at a later time things won't be that simple anymore, when distributed social networks will be big enough that the proportion of fools will be large enough for their predators to take an interest in this technology, and the tools for putting up a certificate will come packaged with everyone's operating system, embedded in every tool, etc... At that point things will have moved on and Juliette will have added more criteria to give access to her secret file. Not only will your certificate have to match the information in your foaf file as it does now, but given that she knows your URL and what you have published there of your social graph, she will be able to use that and your position in the social graph of her friends to enable her server to decide how to treat you.
Creating a certificate and a foaf file
So the first thing to do is for you to create yourself a certificate and a foaf file. This is quite easy. You just need to do the following in a shell.
$ cd sommer/misc/FoafServer/
$ java -version
java version "1.5.0_16"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b06-284)
Java HotSpot(TM) Client VM (build 1.5.0_16-133, mixed mode, sharing)
$ ant jar
Currently one needs at least Java 5 to run this.
Before you create your certificate, you need to know what your foaf URL is going to be. If you already have a foaf file, then that is easy, and the following will get you going:
$ java -cp dist/FoafServer.jar net.java.dev.sommer.foafserver.utils.GenerateKey -shortfoaf
Enter full URL of the person to identify (no relative urls allowed):
for example: http://bblfish.net/people/henry/card#me
http://bblfish.net/people/henry/card#me
Enter password for new keystore :enterAnewPasswordForNewStore
publish the triples expressed by this n3
# you can use use cwm to merge it into an rdf file
# or a web service such as http://www.rdfabout.com/demo/validator/ to convert it to rdf/xml
# Generated by sommer.dev.java.net
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix rsa: <http://www.w3.org/ns/auth/rsa#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<http://bblfish.net/people/henry/card#me> a foaf:Person;
is cert:identity of [
a rsa:RSAPublicKey;
rsa:public_exponent "65537"^^cert:decimal ;
rsa:modulus """b6bd6ce1a5ef51aaa69752c6af2e71948ab6da
9e5a5f086dba7548d8b80150d392117d90138948062eec6ecb5745a45491eea03a46b0a1c2e6324d
54144f42cdaa05ca39939eb973086cfedc8e31641cf7f29abc58310dcb8e56d9e6dae2233a317167
74d1eb32ced152084cfb860fb8cb5298a3c0270145c5d878f07f6417af"""^^cert:hex ;
] .
the public and private keys are in the stored in cert.p12
you can list the contents by running the command
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 | openssl x509 -noout -text
If you do then run the openssl command you will find that the public key components should match the rdf above.
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 | openssl x509 -noout -text
Enter Import Password:
MAC verified OK
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=http://bblfish.net/people/henry/card#me
Validity
Not Before: Nov 19 10:58:50 2008 GMT
Not After : Nov 10 10:58:50 2009 GMT
Subject: CN=http://bblfish.net/people/henry/card#me
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:bd:6c:e1:a5:ef:51:aa:a6:97:52:c6:af:2e:
71:94:8a:b6:da:9e:5a:5f:08:6d:ba:75:48:d8:b8:
01:50:d3:92:11:7d:90:13:89:48:06:2e:ec:6e:cb:
57:45:a4:54:91:ee:a0:3a:46:b0:a1:c2:e6:32:4d:
54:14:4f:42:cd:aa:05:ca:39:93:9e:b9:73:08:6c:
fe:dc:8e:31:64:1c:f7:f2:9a:bc:58:31:0d:cb:8e:
56:d9:e6:da:e2:23:3a:31:71:67:74:d1:eb:32:ce:
d1:52:08:4c:fb:86:0f:b8:cb:52:98:a3:c0:27:01:
45:c5:d8:78:f0:7f:64:17:af
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement, Certificate Sign
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Subject Key Identifier:
85:CD:66:A3:F7:23:DA:42:4B:F6:44:A1:90:A8:FE:27:9E:55:64:FE
X509v3 Authority Key Identifier:
keyid:85:CD:66:A3:F7:23:DA:42:4B:F6:44:A1:90:A8:FE:27:9E:55:64:FE
X509v3 Subject Alternative Name:
URI:http://bblfish.net/people/henry/card#me
Signature Algorithm: sha1WithRSAEncryption
a6:e0:3f:7c:cb:78:9b:f1:75:7f:62:ca:20:9e:a3:bb:87:61:
29:59:3f:b9:bb:70:c5:06:bd:9a:62:fc:98:32:b7:f4:8b:53:
ca:69:fc:5e:01:6a:4c:d8:85:5c:b3:a1:84:ec:1c:d2:6f:a8:
0f:dd:c0:ff:9f:88:d2:84:8f:77:48:2e:f0:91:fb:2c:2a:22:
96:07:be:ce:b2:98:87:ee:40:bd:16:32:fa:11:55:fb:0f:96:
fb:c4:f8:be:66:3f:98:fa:62:61:0b:2f:b5:02:98:97:53:35:
b5:46:32:c4:38:01:4c:97:66:aa:79:40:1a:67:45:bd:a0:e1:
97:72
Notice also that the X509v3 Subject Alternative Name is your foaf URL. The Issuer Distinguished Name (starting with CN= here) could be anything.
This by the way, is the certificate that you will be adding to your browser in the next section.
If you don't have a foaf file, then the simplest way to do this is to:
- decide where you are going to place the file on your web server
- decide what the name of it is
- put a fake file there named cert.rdf
- get that file with a browser by typing in the full url there
- your foaf url will then be http://yourhost.com/path/cert.rdf#me
Then you can use the following command to create your foaf file:
$ java -cp dist/FoafServer.jar net.java.dev.sommer.foafserver.utils.GenerateKey
That is the same as the first one but without the -shortfoaf argument. You will be asked for some information to fill up your foaf file, so as to make it a little more realistic -- you might as well get something useful out of this. You can then use either cwm or a web service to convert that N3 into rdf/xml, which you can then publish at the correct location. Now entering your url into a web browser should get your foaf file.
Adding the certificate to the browser
The previous procedure will have created a certificate cert.p12, which you now need to import into your browser. The software that creates the certificate could I guess place it in your browser too, but that would require some work to make it cross platform. Something to do for sure, but not now. On OSX adding certs programmatically to the Keychain application is quite easy.
So to add the certificate to your browsers store, open up Firefox's preferences and go to the Advanced->Encryption tab as shown here
Click on "View Certificates" button, and you will get the Certificate Manager window pictured here.
Click the import button, and import the certificate we created in the previous section. That's it.
Starting Juliette's server
In a few days time Ian Jacobi will have a Python based server working with the new updated certificate ontology. I will point to that as soon as he has it working. In the meantime you can run Juliette's test server locally like this:
$ ant run
This will start her server on your computer on localhost on port 8843 where it will be listening on a secure socket.
Connecting your client to Juliette's server
So now you can just go to https://localhost:8843/servlet/CheckClient in your favorite browser. This is Juliette's protected resource by the way, so we have moved straight to step 2 in the above UML diagram.
Now because this is a server running locally, and it has a secure port open that emits a certificate that is not signed by a well established security authority, things get more complicated than they usually need be. So the following steps appear only because of this, and to make it clear that this is just a result of this experiment, I have placed the following paragraph on a blue background. You will only need to do this the first time you connect in this experiment, so be wary of the blues.
Firefox gave me the following warning the first time I tried it.
This is problematic because it just warns that the server's certificate is not trusted, but does not allow you to specify that you trust it (after all, perhaps someone just mailed you the public key in the certificate, and you could use that information to decide that you trust the server).
On trying again, shift reloading perhaps, I am not sure, I finally got Firefox to present me with the following secure connection failed page:
Safari had done the right things first off. Since we trust localhost:8843 (having just started it and even inspected some of the code ) we just need to click the "Or you can add an exception ..." link, which brings up the dialog below:
They are trying to frighten users here of course. And so they should. Ahh if only we had a localhost signed certificate by a trusted CA, I would not have to write this whole part of the blog!
So of course you go there and click "Add Exception...", and this brings up the following dialog.
So click "Get Certificate" and get the server certificate. When done you can see the certificate
And confirm the security Exception.
Again all of this need not happen. But since it also makes clear what is going on, it can be helpful to show it.
Choose your certificate
Having accepted the server's certificate, it will now ask you for yours. As a result of this Firefox opens up the following dialog.
Since you only have one client certificate this is an easy choice. If you had a number of them, you could choose which persona to present to the site. When you click Ok, the certificate will be sent back to the server. This is the end of stage 2 in the UML diagram above.
At that point Juliette's server (on localhost) will go and get your foaf file (step 3), and compare the information about your public key to the one in the certificate you just presented (step 4) by making the following query on your foaf file, as shown in the CheckClient class:
TupleQuery query = rep.prepareTupleQuery(QueryLanguage.SPARQL,
"PREFIX cert:
If the information in the certificate and the foaf file correspond, then the server will send you Juliette's secret information. In a Tabulator enabled browser this comes out like this:
The source code for all that is not far, and you will see that the algorithms used are very simple. This proves that the minimal piece, which is equivalent to what OpenID does, works. Next we will need to build up the server so that it can make decisions based on a web of trust. But by then you will have your foaf file, and filled up your social network a little for this to work.
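Steps 3 and 4 above are the whole of the trust decision in this first implementation, so it is worth seeing them spelled out. The following is an added example written for this page, not code from the So(m)mer project (whose CheckClient is Java and uses a SPARQL query over a Sesame repository); it re-implements the same comparison in Python with only the standard library. It assumes the N3 shape that GenerateKey prints (shown above) and the text format of `openssl x509 -noout -text`; the WebID, key bytes and the `fetch` callable standing in for the server's HTTP GET are all constructed for the example.

```python
import re

# Constructed sample (a made-up 64-bit value, not a real key and not from the post): the N3 that
# GenerateKey -shortfoaf prints, here for a hypothetical WebID.
SAMPLE_FOAF_N3 = '''\
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix rsa: <http://www.w3.org/ns/auth/rsa#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<http://example.org/people/romeo/card#me> a foaf:Person;
   is cert:identity of [
      a rsa:RSAPublicKey;
      rsa:public_exponent "65537"^^cert:decimal ;
      rsa:modulus """c35a9e0177
b2de4f"""^^cert:hex ;
   ] .
'''

# Constructed sample: the lines of `openssl x509 -noout -text` that matter for the check.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN=http://example.org/people/romeo/card#me
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (64 bit)
                Modulus (64 bit):
                    00:c3:5a:9e:01:77:b2:de:
                    4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                URI:http://example.org/people/romeo/card#me
"""


def rsa_key_from_foaf_n3(n3):
    """Return (modulus_hex, exponent) published via cert:identity in a GenerateKey-style N3 document."""
    mod = re.search(r'rsa:modulus\s+"""(.*?)"""\^\^cert:hex', n3, re.S)
    exp = re.search(r'rsa:public_exponent\s+"(\d+)"\^\^cert:decimal', n3)
    if mod is None or exp is None:
        raise ValueError("no rsa:RSAPublicKey found in FOAF document")
    # cert:hex may be split over lines; strip all whitespace before comparing
    return re.sub(r"\s+", "", mod.group(1)).lower(), int(exp.group(1))


def rsa_key_from_openssl_text(text):
    """Return (modulus_hex, exponent) from the textual dump of the presented certificate."""
    hex_bytes, exponent, in_modulus = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Modulus"):
            in_modulus = True
        elif line.startswith("Exponent:"):
            in_modulus = False
            exponent = int(line.split()[1])
        elif in_modulus:
            hex_bytes.extend(b for b in line.split(":") if b)
    if not hex_bytes or exponent is None:
        raise ValueError("no RSA public key found in certificate text")
    # openssl prints a leading 00 byte when the modulus' top bit is set (DER sign byte);
    # the FOAF file carries the bare magnitude, so drop it before comparing.
    if hex_bytes[0] == "00":
        hex_bytes = hex_bytes[1:]
    return "".join(hex_bytes).lower(), exponent


def webid_from_openssl_text(text):
    """Return the URI in the Subject Alternative Name; foaf+ssl uses it as the WebID."""
    m = re.search(r"^\s*URI:(\S+)\s*$", text, re.M)
    return m.group(1) if m else None


def verify_foaf_ssl(cert_text, fetch):
    """Steps 3 and 4 of the protocol. `fetch(url)` stands in for the server's HTTP GET
    and returns the document text, or None when it cannot be retrieved."""
    webid = webid_from_openssl_text(cert_text)
    if webid is None:
        return False
    # Step 3: dereference the WebID. The fragment never goes on the wire, so GET the document.
    doc = fetch(webid.split("#", 1)[0])
    if doc is None:
        return False
    # The key must be asserted about the WebID itself, not about another subject in the file.
    subject_re = r"<" + re.escape(webid) + r">\s+a\s+foaf:Person\s*;\s*is\s+cert:identity\s+of\s+\["
    if re.search(subject_re, doc) is None:
        return False
    # Step 4: the published key must equal the key in the certificate the client presented.
    try:
        return rsa_key_from_foaf_n3(doc) == rsa_key_from_openssl_text(cert_text)
    except ValueError:
        return False


if __name__ == "__main__":
    web = {"http://example.org/people/romeo/card": SAMPLE_FOAF_N3}  # stand-in for the web
    print(verify_foaf_ssl(SAMPLE_CERT_TEXT, web.get))
```

The point to notice is that nothing about the certificate's issuer or signature enters the decision: the certificate is self-signed, and what binds the key to the person is the fact that the same modulus and exponent are served from the WebID the client claims. Whoever controls that document (and the TLS connection to it) therefore controls the identity, which is why the document should itself be fetched over a connection the server trusts. The 1024-bit key GenerateKey produced above was typical in 2008 but is below current minimum recommendations for RSA.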
Further Work
Discussions on this and on a number of other protocols in the same space are currently happening on the foaf protocols mailing list. You are welcome to join the sommer project to work on the code and debug it. As I mentioned, Ian Jacobi has a public server running which he should be updating soon with the new certificate ontology that we have been using here.
Clearly it would be really good to have a number of more advanced servers running this in order to experiment with access controls that add social proximity requirements.
Things to look at:
- What other browsers does this work with?
- Can anyone get this to work with Aladdin USB e-Token keys or similar tools?
- Work on access controls that take social proximity into account
- Does this remove the need for cookie identifiers on web sites?
I hope to be able to present this at the W3C Workshop on the Future of Social Networking in January 2009.
Posted at 07:04PM Nov 20, 2008 by Henry Story in Java | Comments[3]
REST APIs must be hypertext driven
Roy Fielding recently wrote in "REST APIs must be hypertext-driven"
I am getting frustrated by the number of people calling any HTTP-based interface a REST API. Today's example is the SocialSite REST API. That is RPC. It screams RPC. There is so much coupling on display that it should be given an X rating.
That was pretty much my thought when I saw that spec. In a comment to his post he continues.
The OpenSocial RESTful protocol is not RESTful. It could be made so with some relatively small changes, but right now it is just wrapping RPC results in common Web media types.
Clarification of Roy's points
Roy then goes on to list some key criteria for what makes an application RESTful.
A REST API should not be dependent on any single communication protocol, though its successful mapping to a given protocol may be dependent on the availability of metadata, choice of methods, etc. In general, any protocol element that uses a URI for identification must allow any URI scheme to be used for the sake of that identification.
In section 2.2 of the O.S. protocol we have the following JSON representation for a Person.
{
  "id" : "example.org:34KJDCSKJN2HHF0DW20394",
  "displayName" : "Janey",
  "name" : {"unstructured" : "Jane Doe"},
  "gender" : "female"
}
Note that the id is not a URI. Further down in the XML version of the above JSON, it is made clear that by appending "urn:guid:" you can turn this string into a URI. By doing this the protocol has in essence tied itself to a URI scheme, since there is no way of expressing another URI type in the JSON - the JSON being the key representation in this Javascript specific API by the way, the aim of the exercise being to make the writing of social network widgets interoperable. Furthermore this scheme has some serious limitations such as for example that it limits one to 1 social network per internet domain, is tied to a quite controversial XRI spec that has been rejected by OASIS, and does not provide a clear mechanism for retrieving information about it. But that is not the point. The definition of the format is tying itself unnecessarily to a URI scheme, and moreover one that ties one to what is clearly a client/server model.
A REST API should not contain any changes to the communication protocols aside from filling-out or fixing the details of underspecified bits of standard protocols, such as HTTP's PATCH method or Link header field.
A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state, or in defining extended relation names and/or hypertext-enabled mark-up for existing standard media types. Any effort spent describing what methods to use on what URIs of interest should be entirely defined within the scope of the processing rules for a media type (and, in most cases, already defined by existing media types). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]
Most of these so called RESTful APIs spend a huge amount of time specifying what response a certain resource should give to a certain message. Note for example section 2.1 entitled Responses
A REST API must not define fixed resource names or hierarchies (an obvious coupling of client and server). Servers must have the freedom to control their own namespace. Instead, allow servers to instruct clients on how to construct appropriate URIs, such as is done in HTML forms and URI templates, by defining those instructions within media types and link relations. [Failure here implies that clients are assuming a resource structure due to out-of band information, such as a domain-specific standard, which is the data-oriented equivalent to RPC's functional coupling].
In section 6.3 one sees this example:
/activities/{guid}/@self -- Collection of activities generated by given user
/activities/{guid}/@self/{appid} -- Collection of activities generated by an app for a given user
/activities/{guid}/@friends -- Collection of activities for friends of the given user {guid}
/activities/{guid}/@friends/{appid} -- Collection of activities generated by an app for friends of the given user {guid}
/activities/{guid}/{groupid} -- Collection of activities for people in group {groupid} belonging to given user {uid}
/activities/{guid}/{groupid}/{appid} -- Collection of activities generated by an app for people in group {groupid} belonging to given user {uid}
/activities/{guid}/@self/{appid}/{activityid} -- Individual activity resource; usually discovered from collection
/activities/@supportedFields -- Returns all of the fields that the container supports on activity objects as an array in json and a repeated list in atom.
For some reason it seems that this protocol does require a very precise lay out of the patterns of URLs. Now it is true that this is then meant to be specified in an XRDS document. But this document is not linked to from any of the representations as far as I can see. So there is some "out of band" information exchange that has happened and on which the rest of the protocol relies. Furthermore it ties the whole service again to one server. How open is a service which ties you to one server?
A REST API should never have "typed" resources that are significant to the client. Specification authors may use resource types for describing server implementation behind the interface, but those types must be irrelevant and invisible to the client. The only types that are significant to a client are the current representation's media type and standardized relation names. [ditto]
Now clearly one does want to have URIs name resources, things, and these things have types. I think Roy is here warning against the danger that expectations are placed on types that depend on the resources themselves. This seems to be tied to the previous point that one should not have fixed resource names or hierarchies as we saw above. To see how this is possible check out my foaf file:
$ cwm http://bblfish.net/people/henry/card --ntriples | grep knows | head
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://axel.deri.ie/~axepol/foaf.rdf#me> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://b4mad.net/FOAF/goern.rdf#goern> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://bigasterisk.com/foaf.rdf#drewp> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://crschmidt.net/foaf.rdf#crschmidt> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://danbri.org/foaf.rdf#danbri> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://data.boab.info/david/foaf.rdf#me> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://davelevy.info/foaf.rdf#me> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://dblp.l3s.de/d2r/page/authors/Christian_Bizer> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://dbpedia.org/resource/James_Gosling> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://dbpedia.org/resource/Roy_Fielding> .
Notice that there is no pattern in the URIs to the right. (As it happens there are no ftp URLs there, but it would work just as well if there were.) Yet the Tabulator extension for Firefox knows from the relations above alone that (if it believes my foaf file of course) the URIs to the right refer to people. This is because the foaf:knows relation is defined as
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix : <http://www.w3.org/2000/01/rdf-schema#> .
foaf:knows a rdf:Property, owl:ObjectProperty;
    :comment "A person known by this person (indicating some level of reciprocated interaction between the parties).";
    :domain <http://xmlns.com/foaf/0.1/Person>;
    :isDefinedBy <http://xmlns.com/foaf/0.1/>;
    :label "knows";
    :range foaf:Person .
This information can then be used by a reasoner (such as the javascript one in the tabulator) to deduce that the resources pointed to by the URIs to the right and to the left of the foaf:knows relation are members of the foaf:Person class.
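The deduction the Tabulator makes here is the RDFS domain and range entailment, and it is small enough to write out. The following is an added example for this page, not the Tabulator's reasoner nor any So(m)mer code: a minimal N-Triples reader (IRI objects only, no literals or blank nodes) and the two rules. The sample graph is constructed from two of the foaf:knows triples above plus the rdfs:domain and rdfs:range statements a client obtains by dereferencing the foaf:knows URI.

```python
import re
from collections import defaultdict

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
RDFS_DOMAIN = "http://www.w3.org/2000/01/rdf-schema#domain"
RDFS_RANGE = "http://www.w3.org/2000/01/rdf-schema#range"
FOAF_PERSON = "http://xmlns.com/foaf/0.1/Person"

# Constructed sample graph: a subset of the cwm output above, merged with the ontology
# statements that the foaf:knows URI itself serves.
SAMPLE_NTRIPLES = """\
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://danbri.org/foaf.rdf#danbri> .
<http://bblfish.net/people/henry/card#me> <http://xmlns.com/foaf/0.1/knows> <http://dbpedia.org/resource/Roy_Fielding> .
<http://xmlns.com/foaf/0.1/knows> <http://www.w3.org/2000/01/rdf-schema#domain> <http://xmlns.com/foaf/0.1/Person> .
<http://xmlns.com/foaf/0.1/knows> <http://www.w3.org/2000/01/rdf-schema#range> <http://xmlns.com/foaf/0.1/Person> .
"""

# One N-Triples line whose three terms are all IRIs; literals and blank nodes are out of scope here.
TRIPLE_RE = re.compile(r"^<([^>]*)>\s+<([^>]*)>\s+<([^>]*)>\s*\.$")


def parse_ntriples(text):
    """Return the set of (subject, predicate, object) IRI triples in an N-Triples document."""
    triples = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE_RE.match(line)
        if m is None:
            raise ValueError("unsupported N-Triples line: " + line)
        triples.add(m.groups())
    return triples


def infer_types(triples):
    """Return the set of (resource, class) pairs that follow from explicit rdf:type statements
    plus the RDFS rules rdfs2 (predicate domain types the subject) and rdfs3 (range types the object)."""
    domain_of, range_of = defaultdict(set), defaultdict(set)
    for s, p, o in triples:
        if p == RDFS_DOMAIN:
            domain_of[s].add(o)
        elif p == RDFS_RANGE:
            range_of[s].add(o)
    typed = {(s, o) for s, p, o in triples if p == RDF_TYPE}
    for s, p, o in triples:
        typed.update((s, c) for c in domain_of.get(p, ()))  # rdfs2
        typed.update((o, c) for c in range_of.get(p, ()))   # rdfs3
    return typed


def types_of(resource, triples):
    """Sorted list of the classes a resource is inferred to belong to."""
    return sorted(c for r, c in infer_types(triples) if r == resource)


if __name__ == "__main__":
    graph = parse_ntriples(SAMPLE_NTRIPLES)
    for person in ("http://bblfish.net/people/henry/card#me", "http://dbpedia.org/resource/Roy_Fielding"):
        print(person, types_of(person, graph))
```

Nothing in the URIs themselves is consulted: the dbpedia.org resource and the danbri.org resource are typed as foaf:Person purely because of the relation that points at them and the definition fetched from the relation's own URI, which is the point being made in the text.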
Note also that there is no knowledge as to how those resources are served. In many cases they may be served by simple web servers sending resources back. In other cases the RDF may be generated by a script. Perhaps the resources could be generated by java objects served up by Jersey. The point is that the Tabulator does not need to know.
Furthermore, the ontology information above is not out of band. It is GETable at the foaf:knows URI itself. The name of the relation links to the information about the relation, which gives us enough to be able to deduce further facts. This is hypertext - hyperdata in this case - at its best. Compare that with the JSON example given above. There is no way to tell what that JSON means outside of the context of the totally misnamed 'Open Social RESTful API'. This is a limitation of JSON, or at least of this namespace-less version. One would have to add a mime type to the JSON to make it clear that the JSON had to be interpreted in a particular manner for this application, but I doubt most JSON tools would know what to do with mime typed JSON versions. And do you really want to go through a mime type registration process every time a social networking application wants to add a new feature or interact with new types of data?
As Roy summarizes in one of the replies to this blog post:
When representations are provided in hypertext form with typed relations (using microformats of HTML, RDF in N3 or XML, or even SVG), then automated agents can traverse these applications almost as well as any human. There are plenty of examples in the linked data communities. More important to me is that the same design reflects good human-Web design, and thus we can design the protocols to support both machine and human-driven applications by following the same architectural style.
To get a feel of this it really helps to play with other hyperdata applications, other than ones residing in web browsers. The semantic address book is one such, that I spent some time writing.
A REST API should be entered with no prior knowledge beyond the initial URI (bookmark) and set of standardized media types that are appropriate for the intended audience (i.e., expected to be understood by any client that might use the API). From that point on, all application state transitions must be driven by client selection of server-provided choices that are present in the received representations or implied by the user’s manipulation of those representations. The transitions may be determined (or limited by) the client's knowledge of media types and resource communication mechanisms, both of which may be improved on-the-fly (e.g., code-on-demand). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]
That is the out of band point made previously, and it confirms the point made about the danger of protocols that depend on URI patterns or resources that are somehow typed at the protocol level. You should be able to pick up a URI and just go from there. With the tabulator plugin you can in fact do just that on any of the URLs listed in my foaf file, or in other RDF.
What's the point?
Engineers under the spell of the client/server architecture will find some of this very counter intuitive. This is indeed why Roy's thesis, and the work done by the people who engineered the web before that and whose wisdom is distilled in various writings by the Technical Architecture Group, did something that was exceedingly original. These very simple principles, which can feel unintuitive to someone who is not used to thinking at a global information scale, make a lot of sense when you do come to think at that level. When you do write such an Open system, that can allow people to access information globally, you want it to be such that you can send people a URI to any resource you are working with, so that both of you can speak about the same resource. Understanding what the resource that URL is about should be found by GETting the meaning of the URL. If the meaning of that URL depends on the way you accessed it, then you will no longer be able to just send a URL, but you will have to send 8 or 9 URLs with explanations on how to jump from one representation to the other. If some out of band information is needed to understand that one has to inspect the URL itself to understand what it is about, then you are not setting up an Open protocol, but a secret one. Secret protocols may indeed be very useful in some circumstances, and so as Roy points out may non RESTful ones be:
That doesn't mean that I think everyone should design their own systems according to the REST architectural style. REST is intended for long-lived network-based applications that span multiple organizations. If you don't see a need for the constraints, then don't use them. That's fine with me as long as you don't call the result a REST API. I have no problem with systems that are true to their own architectural style.
But note: it is much more difficult for them to make use of the network effect: the value of information grows exponentially with its ability to be linked to other information. In another reply to a comment Roy puts this very succinctly:
encoding knowledge within clients and servers of the other side’s implementation mechanism is what we are trying to avoid.
Posted at 02:02PM Nov 11, 2008 by Henry Story in SemWeb | Comments[0]
Possible Worlds and the Web
Tim Berners-Lee, pressed to define his creation, said recently (quoted from memory): "...my short definition is that the web is a mapping from URIs onto meaning".
Meaning is defined in terms of the possible interpretations of sentences, also known as possible worlds. Possible worlds, under the guise of the 5th and higher dimensions, are fundamental components of contemporary physics. When logic and physics meet we are in the realm of metaphysics. To find the two meeting in the basic architecture of the web should give anyone pause for thought.
The following extract from RDF Semantics spec is a good starting point:
The basic intuition of model-theoretic semantics is that asserting a sentence makes a claim about the world: it is another way of saying that the world is, in fact, so arranged as to be an interpretation which makes the sentence true. In other words, an assertion amounts to stating a constraint on the possible ways the world might be. Notice that there is no presumption here that any assertion contains enough information to specify a single unique interpretation. It is usually impossible to assert enough in any language to completely constrain the interpretations to a single possible world, so there is no such thing as 'the' unique interpretation of an RDF graph. In general, the larger an RDF graph is - the more it says about the world - then the smaller the set of interpretations that an assertion of the graph allows to be true - the fewer the ways the world could be, while making the asserted graph true of it.
A few examples may help here. Take the sentence "Barack Obama is the 44th president of the U.S.A". There are many, many ways the world (the universe, the complete 4-dimensional space-time continuum from its beginning to its end, if it has one) could be and that sentence still be true. For example I might not have bothered to write this article now, I might have written it a little later, or perhaps not at all. There is a world in which you did not read it. There is a world in which I went out this morning to get a baguette from one of the many delicious local French bakeries. The world could be any of these ways and yet Barack Obama still be the 44th president of the United States.
In N3 we speak about the meaning of a sentence by quoting it with '{' '}'. So for our example we can write:
@prefix : <#> .
@prefix dbpedia: <http://dbpedia.org/resource/> .
{ dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } = :g1 .
:g1 is the set of all possible worlds in which Obama is president of the USA. The only worlds not in that set are the worlds where Obama is not president, but, say, McCain or Sarah Palin is. That McCain might have become president of the United States is quite conceivable. Both those meanings are understandable, and we can speak about both of them:
@prefix : <#> .
@prefix dbpedia: <http://dbpedia.org/resource/> .
{ dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } = :g1 .
{ dbpedia:John_McCain a dbpedia:President_of_the_United_States . } = :g2 .
:g1 :hopedBy :george .
:g2 :fearedBy :george .
:g1 :fearedBy :jane .
I.e. we can say that George hopes that Barack Obama is the 44th president of the United States, while Jane fears it.
Assume Wikipedia had a resource for each member of the list of presidents of the USA, and that we were pointing to the 44th element above. Then even though we can speak about both :g1 and :g2, there is no world that fits them both: only one person is the 44th president, so the intersection of :g1 and :g2 is the empty set of worlds, and a graph asserting both statements would be a contradiction, true nowhere. The opposite extreme is the empty graph { }, which is true in every world (its extension, in the terms of David Lewis' book on Mereology, is the fusion of absolutely all possibilities: the thing that is everything, everywhere, at all times). You make no distinction when you assert { }: you say nothing.
The definition of meaning in terms of possible worlds makes a few things very simple to explain, implication being one of them. If every president has to be human, then
@prefix log: <http://www.w3.org/2000/10/swap/log#> .
@prefix dbpedia: <http://dbpedia.org/resource/> .
{ dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } log:implies { dbpedia:Barack_Obama a dbpedia:Human . } .
I.e. the set of possible worlds in which Obama is president of the United States is a subset of the set of worlds in which he is human. There are, after all, worlds where Barack is just living a normal lawyer's life.
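The possible-worlds reading of :g1, :g2 and log:implies above can be made concrete with a small finite model. The following is an added example, not code from the original post: a world is a set of triples, the meaning of a graph is the set of worlds in which all its triples hold, implication is subset inclusion between meanings, and a contradiction is an empty intersection. The universe of worlds is a constructed assumption (one of two candidates is president in each world, every president is human, and two unrelated facts about the author vary freely); the http://example.org/ terms are assumed names.

```python
"""Possible-worlds semantics of RDF graphs, in a small finite model.

Added example; this is not code from the original post.  A world is
modelled as a frozenset of the triples true in it, and the meaning of a
graph is the set of worlds in which every triple of the graph holds.
Entailment (log:implies) is then subset inclusion between meanings, and
two graphs contradict each other when their meanings do not intersect.
The universe of worlds built below is a constructed assumption: exactly
one of the two candidates is president in each world, every president
is human, and a couple of unrelated facts vary freely.
"""
from itertools import product

DBPEDIA = "http://dbpedia.org/resource/"
EX = "http://example.org/"          # assumed namespace for the unrelated facts
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

PRESIDENT = DBPEDIA + "President_of_the_United_States"
HUMAN = DBPEDIA + "Human"
OBAMA = DBPEDIA + "Barack_Obama"
MCCAIN = DBPEDIA + "John_McCain"
CANDIDATES = (OBAMA, MCCAIN)

# Facts independent of who won; each may hold or not in a given world.
INDEPENDENT = (
    (EX + "henry", EX + "wrote", EX + "this_post"),
    (EX + "henry", EX + "bought", EX + "baguette"),
)


def build_worlds():
    """Enumerate every world allowed by the constraints above."""
    worlds = set()
    for president in CANDIDATES:
        for choices in product((False, True), repeat=len(INDEPENDENT)):
            triples = {(president, RDF_TYPE, PRESIDENT)}
            # Constraint: whoever is president is human.  Both candidates
            # are human in every world, so this never varies.
            triples.update((c, RDF_TYPE, HUMAN) for c in CANDIDATES)
            triples.update(t for chosen, t in zip(choices, INDEPENDENT) if chosen)
            worlds.add(frozenset(triples))
    return frozenset(worlds)


WORLDS = build_worlds()   # 2 candidates x 2^2 free facts = 8 worlds


def meaning(graph, worlds=WORLDS):
    """The worlds in which every triple of `graph` is true: the graph quoted as { ... }."""
    graph = frozenset(graph)
    return frozenset(w for w in worlds if graph <= w)


def implies(premise, conclusion, worlds=WORLDS):
    """log:implies: every world making the premise true also makes the conclusion true."""
    return meaning(premise, worlds) <= meaning(conclusion, worlds)


def consistent(*graphs, worlds=WORLDS):
    """True when at least one world makes all of the graphs true at once."""
    common = frozenset(worlds)
    for g in graphs:
        common &= meaning(g, worlds)
    return bool(common)


# The graphs from the post, as Python sets of triples.
G1 = {(OBAMA, RDF_TYPE, PRESIDENT)}      # :g1
G2 = {(MCCAIN, RDF_TYPE, PRESIDENT)}     # :g2
OBAMA_HUMAN = {(OBAMA, RDF_TYPE, HUMAN)}
EMPTY = set()                            # { }: says nothing, true everywhere


if __name__ == "__main__":
    print(len(WORLDS), "worlds in total")
    print(len(meaning(G1)), "worlds where Obama is president")
    print(len(meaning(EMPTY)), "worlds where the empty graph holds")
    print("g1 implies Obama is human:", implies(G1, OBAMA_HUMAN))
    print("Obama human implies g1:", implies(OBAMA_HUMAN, G1))
    print("g1 and g2 consistent:", consistent(G1, G2))
```

Adding a triple to a graph shrinks its meaning (the "larger graph, fewer interpretations" point from the RDF Semantics extract), the empty graph is true in every world, and :g1 together with :g2 is true in none.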
So what is this mapping from URIs to meaning that Tim Berners Lee is talking about? I interpret him as speaking of the log:semantics relation.
# extract from the log.n3 schema; the default prefix ':' there is RDF Schema
@prefix : <http://www.w3.org/2000/01/rdf-schema#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix log: <http://www.w3.org/2000/10/swap/log#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
log:semantics a rdf:Property;
:label "semantics";
:comment """The log:semantics of a document is the formula
achieved by parsing representation of the document.
For a document in Notation3, log:semantics is the
log:parsedAsN3 of the log:contents of the document.
For a document in RDF/XML, it is parsed according to the
RDF/XML specification to yield an RDF formula [snip]""";
:domain foaf:Document;
:range log:Formula .
Of course it is easier to automate the mapping for resources that return RDF-based representations, but log:semantics can be applied to any document. Any web page, even one written in a natural language, has some semantics. It is just that these currently require very advanced wetware processors to interpret them. These can indeed be very specialised wetware processors, such as those one meets at airports.
Posted at 12:14PM Nov 10, 2008 [permalink/trackback] by Henry Story in Philosophy | Comments[0]
The coming postmodern era
Kevin Kelly argued convincingly that the growth in technology is creating a new worldwide superorganism, something Nova Spivack likes to call One Mind (OM). I argue here that this One Mind will have to be a postmodern mind: it will have to take points of view as a fundamental given. In other words it is a world of Many Many Minds (MMM) that is being born.
Concepts can take a long time from their birth to their acceptance by society. Democritus reasoned in 400 BC that the earth was round, that there were other stars, and that they had planets which had life. It took 2400 years, a trip to the moon, satellite television and mass air travel to turn these deep insights into common sense.
I think one can make the case that the massive intrusion of the Personal Computer into huge numbers of households and businesses in the 1980s led to a strengthening of the concepts of 'efficiency' and of the self. The metaphor of the brain as computer took hold, silencing earlier behaviorist intuitions. The computer could be programmed. It could think. Some could think faster than others. Every year they became more efficient. The PC was the icon of the age. It stood alone and did not communicate. It was the era of selfish competition: the 'me' generation. As Margaret Thatcher, prime minister of Britain at the time, said: "There is no such thing as society".
In the 1990s the internet entered public consciousness, and with it the realization that the network was overtaking the PC in importance. Information moved from being mostly on a computer to being mostly in the network cloud. The network was slow, so the experience people had was primarily one of being connected to information and commerce. The experience of the globalization of commerce and information blended with a modernistic view of the future unity of humanity moving towards one end: the end of history.
Behind the growth of the web and the internet, hidden to many, lay the strength of community. Unix, Linux, Apache and Open Source software, which had been the cause of the huge growth of the network, became more apparent, and became visible to the majority in the form of the read/write web under the banner of blogging. The last 8 years have been the discovery of the web as a platform for each individual voice to be heard, of community and of mostly protected social networks. The end of the 20th century was also the end of the read-only society, as Lawrence Lessig argues so well. Millions of different points of view came to express themselves on innumerable topics.
Where next? What will happen as we move from a human-readable read/write web to a machine-readable one? What happens when we manage to break through the autism of current tools? What happens when software becomes widely available that can ask you whether you want to reason over the data you believe, or would rather look at what your parents believe, or what Republicans tend to believe, or what your children believe? This is, as I argued recently, the fundamentally new thing the semantic web is making possible, something unlike anything humanity has witnessed before: the first tools that can make the step out of autism.
Of course, most of us come to understand around the age of 4 that other people believe different things from us, and that different people may think incompatible things about the world. But what happens when this everyday intuition becomes mechanized, objectified in tools that each year become more efficient? Most people always knew that society was very important, but the growth of the PC in the 1980s created a strong icon in public discourse around which concepts of the self could cluster. In a similar way the growth of software that can point out contradictions between different points of view expressed in a distributed way around the web would place a huge emphasis on the notion of points of view. If it made exploring these views easy, easier than it is for a normal human being living a normal life nowadays, then we can imagine that people might start exploring points of view much more often, more easily, in more detail, without thinking too much of it. Just as people now may drive 35 miles to work because they can, we can imagine people thinking more about others because some of the hard work has been automated for them. Discovering conflicts in belief before they lead to conflicting actions could remove a lot of problems before they occur. (Hopefully it won't lead us into some crazy world such as the one described in the movie Being John Malkovich.)
So how does this fit in with postmodernism? Well, postmodernism is a fuzzy concept, possibly even fuzzier than Web 2.0 or, for that matter, Web 3.0. It arose out of disillusionment with all the deterministic explanations of the future given by the many western schools of thought, from Christian evangelism to Marxism, Futurism, Consumerism ... Weary of all totalitarian explanations of everything, and baffled by their sheer number, thinkers came to look at the different theories not from the inside but from the outside. Instead of looking for a theory in which to believe, one that would subsume all others, postmodernism, as I understand it, accepted the multiplicity of viewpoints and found it more interesting to understand their differences. By putting more emphasis on understanding than on Truth, it became possible to look at the multiplicity of different points of view in the world. The pygmy in his tribe was no longer someone in need of conversion to the Truth, but someone one should try to understand in his context. Many felt this led to a dangerous relativism, in which the notion of truth itself seemed to be losing its meaning. In fact truth has never been better or more precisely defined: at its core it is a disquotation mechanism. According to Tarski's definition of truth:
"Snow is white" is true in English if and only if snow is white. Or in N3:
@prefix log: <http://www.w3.org/2000/10/swap/log#> .
# N3 has '=>' (log:implies) but no '<=>', so the equivalence is two rules:
{ { ?s ?r ?o } a log:Truth } => { ?s ?r ?o } .
{ ?s ?r ?o } => { { ?s ?r ?o } a log:Truth } .
or in SPARQL:
PREFIX log: <http://www.w3.org/2000/10/swap/log#>
CONSTRUCT { ?subject ?relation ?object }
WHERE {
GRAPH ?g { ?subject ?relation ?object }
?g a log:Truth .
}
I.e., if you hear someone say something, and you believe what they said to be true, then you believe what they said. That is so simple it is self-evident. So what has it got us? Well, believing something is not neutral. Because we infer things from what we believe, and because we act on what we believe, to believe something is also to act and to be predisposed to act. And that is where contact with reality ends up being felt at some point or another. If someone shouts "Une voiture arrive à ta gauche" ("a car is coming on your left") in French and you understand it, then you might add the following to your database:
@prefix : <#> .
{ _:c a :Car;
:moving [ :closeProximityTo :you ];
:positionLeftOf :you .
} :saidBy :joe .
At that point you just believe that Joe believes this. It makes a big difference when you come to believe the same content yourself, namely
@prefix : <#> .
_:c a :Car;
:moving [ :closeProximityTo :you ];
:positionLeftOf :you .
The disquotation mechanism (in N3, the removal of the '{' '}') is therefore an essential part of communication. One should not believe everything one hears: one may after all have misunderstood what was said. Remembering who said what, and when one heard it, is essential to good thinking. And sometimes who is right is really not that important anyway. Sometimes understanding is more important still. And that means putting oneself into the other person's shoes, trying to look at things from their point of view, in essence realizing that there are many many minds (MMM). So again, what will happen when all the tools we use every day make it as easy for us to explore points of view as it is to look at a web page, or take the car to work?
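The two steps above, quoting Joe's statement with its source and then disquoting it once it is believed, are the SPARQL CONSTRUCT over GRAPH ?g with ?g a log:Truth run by hand. The following added example (not code from the original post) does that in a tiny in-memory quad store: named graphs play the role of N3's { ... } quoting, the default graph records who said what, and nothing in a quoted graph becomes a belief until that graph is marked log:Truth. The graph names, the :saidBy predicate, the http://example.org/ terms and the two sample statements (Joe's warning and a stranger's claim) are constructed for the example. From a security point of view the trust() call is the trust boundary: it is the only place where somebody else's words become data you act on, and sources_of() keeps the provenance so the decision can be audited or reversed.

```python
"""Quoted graphs, provenance and disquotation in a tiny in-memory quad store.

Added example; it is not code from the original post.  Named graphs play
the role of N3's { ... } quoting: a graph holds what somebody said, the
default graph records who said it, and nothing in a named graph is
believed until the default graph marks that graph as log:Truth.
disquote() is the SPARQL CONSTRUCT from the post, run by hand.  Graph
names, the :saidBy predicate and the sample statements are constructed
for the example.
"""
LOG = "http://www.w3.org/2000/10/swap/log#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
EX = "http://example.org/"          # assumed namespace for the example's terms


class QuadStore:
    """A default graph plus named graphs, each a set of (s, p, o) triples."""

    def __init__(self):
        self.default = set()
        self.named = {}

    def quote(self, graph, triples, said_by):
        """Store what `said_by` said under graph name `graph`, and record the source."""
        self.named.setdefault(graph, set()).update(triples)
        self.default.add((graph, EX + "saidBy", said_by))

    def trust(self, graph):
        """Decide that a quoted graph is true: `graph a log:Truth` in the default graph."""
        self.default.add((graph, RDF_TYPE, LOG + "Truth"))

    def trusted_graphs(self):
        return {s for s, p, o in self.default if p == RDF_TYPE and o == LOG + "Truth"}

    def disquote(self):
        """CONSTRUCT { ?s ?p ?o } WHERE { GRAPH ?g { ?s ?p ?o } . ?g a log:Truth }

        Returns the triples we now believe outright, with the { } removed."""
        believed = set()
        for g in self.trusted_graphs():
            believed |= self.named.get(g, set())
        return frozenset(believed)

    def sources_of(self, triple):
        """Who said this?  The :saidBy values of every graph containing the triple."""
        return {
            speaker
            for g, triples in self.named.items()
            if triple in triples
            for s, p, speaker in self.default
            if s == g and p == EX + "saidBy"
        }


# Constructed sample: Joe's warning and a stranger's claim, both quoted.
CAR = EX + "car1"
CAR_CLAIM = {
    (CAR, RDF_TYPE, EX + "Car"),
    (CAR, EX + "closeProximityTo", EX + "you"),
    (CAR, EX + "positionLeftOf", EX + "you"),
}
DEBT_CLAIM = {(EX + "you", EX + "owes", EX + "stranger")}


def scenario():
    """Returns (believed before trusting Joe, believed after, sources of the car claim)."""
    store = QuadStore()
    store.quote(EX + "g_joe", CAR_CLAIM, EX + "joe")
    store.quote(EX + "g_stranger", DEBT_CLAIM, EX + "stranger")
    before = store.disquote()            # nothing is log:Truth yet
    store.trust(EX + "g_joe")            # we decide to believe Joe, not the stranger
    after = store.disquote()
    return before, after, store.sources_of((CAR, EX + "positionLeftOf", EX + "you"))


if __name__ == "__main__":
    before, after, sources = scenario()
    print("believed before:", sorted(before))
    print("believed after:", sorted(after))
    print("the car claim was said by:", sorted(sources))
```

Before trust() nothing is believed; after it, Joe's triples appear in the believed set while the stranger's claim stays quoted, and the store can still say who the car claim came from.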
And where does this leave the absolute conception of Truth? Metcalfe's Law gives a good explanation of the value of such a conception. Remember that this law states that the value of a network grows with the square of the size of the network. The search for the Truth was always the search for an explanation that could explain as many things as possible: i.e. to create the biggest possible network, to predict as much as possible, to encompass all points of view, to create a framework that could link all of them together.
But what if the largest possible network has to take into account points of views as basic constitutive elements of the network?
Posted at 04:30PM Nov 05, 2008 [permalink/trackback] by Henry Story in Philosophy | Comments[3]