# vocabulary to allow a RelyingParty to make a report on an attempt at a WebID authentication.

@prefix cert: .
@prefix rsa: .
@prefix earl: .
@prefix rdf: .
@prefix rdfs: .
@prefix dct: .
@prefix dc: .
@prefix skos: .
@prefix owl: .
@prefix wit: .
@prefix foaf: .
@prefix log: .

<#> a owl:Ontology .

<> a foaf:Document;
    dc:author ;
    dc:contributor ;
    rdfs:comment "Document describing a vocabulary to allow a RelyingParty to make a report on an attempt at a WebID authentication.";
    rdfs:seeAlso .

#
# Classes
#

wit:WebIDClaim a rdfs:Class;
    rdfs:comment "A WebID Claim is a graph that consists of a claim that a public key identifies some WebID.".

#
# Properties
#

wit:claimedKey a rdfs:Property;
    rdfs:comment "Public key of a WebID Claim.";
    rdfs:domain wit:WebIDClaim;
    rdfs:range rsa:RSAPublicKey.

wit:claimedIdentity a rdfs:Property;
    rdfs:comment "Identity URI of a WebID Claim.";
    rdfs:domain wit:WebIDClaim.

#
# pure certificate tests
#

wit:certificateProvided a earl:TestCase;
    dct:title "Did the client provide an X509 certificate?";
    skos:note "If the client provided a certificate, the earl:pointer property must point to it. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key must point to the contained public key. The public key is described with a rsa:publicKey which contains the properties rsa:modulus and rsa:public_exponent. The log:semantics property must point to a blank node that contains a log:includes property for every WebIDClaim.".

wit:certificateProvidedSAN a earl:TestCase;
    dct:title "Does the client certificate contain a subject alternative name?";
    skos:note "The earl:subject property must point to the certificate. The earl:pointer must contain the complete subject alternative name string. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key should point to the contained public key.".
wit:certificateDateOk a earl:TestCase;
    dct:title "Is the current timestamp between begin and end date of the certificate?";
    skos:note "The earl:subject property must point to the certificate. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key should point to the contained public key.".

wit:certificatePubkeyRecognised a earl:TestCase;
    dct:title "Could the public key be recognised?";
    dct:description "The public key in the certificate is recognised by the WebID code. If it is not, then it is not going to be possible to match it with the remote certificate.";
    skos:note "The earl:subject property must point to the certificate. The earl:pointer must point to the public key. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key should point to the contained public key. The public key is described with the class rsa:RSAPublicKey with the properties rsa:modulus and rsa:public_exponent as described in the WebID specification.".

wit:certificateCriticalExtensionsOk a earl:TestCase;
    dct:title "Does the certificate contain no unnecessary critical extensions?";
    dct:description "Critical extensions are not a direct problem for WebID, but can cause many servers to reject the certificate before the WebID code gets to see the certificate. These tests should not generate errors but only warnings.";
    skos:note "The earl:subject property must point to the certificate. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key should point to the contained public key.".
wit:certificateOk a earl:TestRequirement;
    dct:title "Does the certificate fulfill all requirements for a WebID certificate?";
    dct:hasPart wit:certificateProvided, wit:certificateProvidedSAN, wit:certificateDateOk, wit:certificatePubkeyRecognised, wit:certificateCriticalExtensionsOk;
    skos:note "If any of the child test cases fails, this test requirement must return earl:failed.".

#
# profile tests
#

wit:profileGet a earl:TestCase;
    dct:title "Is the WebID Profile accessible and downloadable?";
    skos:note "The earl:subject property must point to a resource with an owl:sameAs property that contains a reduced serialized form of the profile as literal. The reduced profile must contain the particular rsa:RSAPublicKey resource with the cert:ident, rsa:modulus, rsa:public_exponent properties.".

wit:profileWellFormed a earl:TestCase;
    dct:title "Is the profile well formed?";
    dct:description "The WebID Profile is parseable content and transformable to RDF".

wit:profileAllKeysWellFormed a earl:TestCase;
    dct:title "Does the profile contain only well formed keys for that WebID?";
    dct:description "All the keys in the profile are well formed and not misleading";
    skos:note "One does not need to test all keys in a profile, only those that are tied to the WebIDs found in the X509 cert. But to help users one could give them a deeper test of the profile.";
    dct:hasPart wit:profileWellFormedPubkey.

wit:profileWellFormedPubkey a earl:TestRequirement;
    dct:title "Is the public key well formed?";
    dct:description "A particular public key is well formed";
    skos:note "The current cert ontology doesn't include properties for DSA; what will be the best way to integrate those?";
    dct:hasPart wit:pubkeyRSAModulus, wit:pubkeyRSAExponent.

wit:pubkeyRSAModulus a earl:TestCase;
    dct:title "Is the RSA modulus well formed?";
    dct:hasPart wit:pubkeyRSAModulusFunctional, wit:pubkeyRSAModulusLiteral.
wit:pubkeyRSAModulusFunctional a earl:TestCase;
    dct:title "Does the public key contain only one modulus?";
    dct:description "More than one modulus, if they don't convert to the same number, will lead to erratic behavior (one server will choose one, the other server will choose the other)".

wit:pubkeyRSAModulusLiteral a earl:TestCase;
    dct:title "Is the RSA modulus a literal number?";
    dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".

wit:pubkeyRSAExponent a earl:TestCase;
    dct:title "Is the RSA public exponent well formed?";
    dct:hasPart wit:pubkeyRSAExponentFunctional, wit:pubkeyRSAExponentLiteral.

wit:pubkeyRSAExponentFunctional a earl:TestCase;
    dct:title "Does the public key contain only one public exponent?";
    dct:description "More than one exponent, if they don't convert to the same number, is very likely to create erratic behavior (one server will choose one, the other server will choose the other)".

wit:pubkeyRSAExponentLiteral a earl:TestCase;
    dct:title "Is the RSA public exponent a literal number?";
    dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".

wit:profileOk a earl:TestRequirement;
    dct:title "Does the profile fulfill all requirements for WebID authentication?";
    dct:hasPart wit:profileGet, wit:profileWellFormed, wit:profileAllKeysWellFormed.

wit:pubkeyRSAModulusOldFunctional a earl:TestCase;
    dct:title "If the modulus is using non-literal notation, is there only one cert:hex relation to a plain literal?";
    skos:note "This should be a deprecated test sooner rather than later. Warn people to move to the newer notation.".

wit:pubkeyRSAExponentOldFunctional a earl:TestCase;
    dct:title "If the public exponent is using non-literal notation, is there only one cert:decimal relation to a plain literal?".
wit:pubkeyOldOk a earl:TestRequirement;
    dct:title "Is the public key present in valid old non-literal notation?";
    dct:hasPart wit:pubkeyRSAModulusOldFunctional, wit:pubkeyRSAExponentOldFunctional.

#
# webid protocol tests, i.e. tying the pubkey and WebID in the certificate to the remote WebID identifying description
#

wit:webidClaim a earl:TestRequirement;
    dct:title "Could the particular WebID claim be verified?";
    dct:description "Verification of a particular WebID claim";
    dct:hasPart wit:certificateOk, wit:profileOk.

wit:webidAuthentication a earl:TestRequirement;
    dct:title "Could at least one WebID claim be verified?";
    dct:description "At least one WebID claimed in the certificate has a public key that verifies.";
    dct:hasPart wit:webidClaim.
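The following Python script is an added example and is not part of the ontology above or of any WebID implementation. It shows how a relying party would evaluate a subset of the test cases defined here (wit:certificateProvidedSAN, wit:certificateDateOk, the four wit:pubkeyRSA*Literal/Functional cases), roll them up into the TestRequirements (wit:certificateOk, wit:profileWellFormedPubkey, wit:profileAllKeysWellFormed, wit:webidClaim, wit:webidAuthentication) with the "any child fails, the requirement fails" rule, and emit an EARL report. Everything it consumes is constructed: the profile is a list of triples standing in for a parsed RDF graph (IRIs and blank nodes as plain strings, literals as `Literal` objects), the certificate fields are what an X.509 parser would hand over, and `cert:identity` is assumed as the property tying a key to its WebID. The tests wit:certificateProvided, wit:certificatePubkeyRecognised, wit:certificateCriticalExtensionsOk, wit:profileGet and wit:profileWellFormed are not evaluated; the wit: namespace IRI is not given on this page, so the report declares only the earl: prefix and expects the ontology's own prefix block to precede it.

```python
"""Toy WebID relying-party check producing EARL assertions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Literal:
    """An RDF literal; IRIs and blank nodes are plain str in this toy graph."""
    value: str
    datatype: str = "xsd:string"


def objects(graph, s, p):
    return [o for s2, p2, o in graph if s2 == s and p2 == p]


def subjects(graph, p, o):
    return [s for s, p2, o2 in graph if p2 == p and o2 == o]


def literal_to_int(lit):
    """cert-ontology literals: hexBinary modulus, integer public exponent."""
    return int(lit.value, 16) if lit.datatype == "xsd:hexBinary" else int(lit.value)


def check_certificate(cert, now):
    """wit:certificateProvidedSAN and wit:certificateDateOk (other cert tests omitted)."""
    return {"wit:certificateProvidedSAN": bool(cert["san"]),
            "wit:certificateDateOk": cert["not_before"] <= now <= cert["not_after"]}


def check_pubkey(graph, key):
    """wit:pubkeyRSA{Modulus,Exponent}{Literal,Functional} for one key node.
    Several values pass the Functional test only if all convert to the same number."""
    results = {}
    for prop, name in (("rsa:modulus", "Modulus"), ("rsa:public_exponent", "Exponent")):
        vals = objects(graph, key, prop)
        literal_ok = bool(vals) and all(isinstance(v, Literal) for v in vals)
        try:
            functional_ok = literal_ok and len({literal_to_int(v) for v in vals}) == 1
        except ValueError:  # e.g. non-hex characters in a hexBinary literal
            functional_ok = False
        results[f"wit:pubkeyRSA{name}Literal"] = literal_ok
        results[f"wit:pubkeyRSA{name}Functional"] = functional_ok
    return results


def key_matches(graph, key, cert):
    """True when a (well-formed) profile key equals the certificate's modulus and exponent."""
    m = {literal_to_int(v) for v in objects(graph, key, "rsa:modulus")}
    e = {literal_to_int(v) for v in objects(graph, key, "rsa:public_exponent")}
    return m == {cert["modulus"]} and e == {cert["exponent"]}


def verify_claim(graph, webid, cert, now):
    """wit:webidClaim for one SAN WebID: certificate OK, every key tied to the WebID
    well formed, and at least one of them equal to the certificate key.
    Returns (test, subject, passed) tuples; "_:cert" stands for the certificate."""
    out = []
    cert_results = check_certificate(cert, now)
    out += [(t, "_:cert", ok) for t, ok in cert_results.items()]
    cert_ok = all(cert_results.values())
    out.append(("wit:certificateOk", "_:cert", cert_ok))
    keys_ok, matched = True, False
    for key in subjects(graph, "cert:identity", webid):
        kr = check_pubkey(graph, key)
        out += [(t, key, ok) for t, ok in kr.items()]
        key_ok = all(kr.values())
        out.append(("wit:profileWellFormedPubkey", key, key_ok))
        keys_ok = keys_ok and key_ok
        matched = matched or (key_ok and key_matches(graph, key, cert))
    out.append(("wit:profileAllKeysWellFormed", webid, keys_ok))
    out.append(("wit:webidClaim", webid, cert_ok and keys_ok and matched))
    return out


def authenticate(graph, cert, now):
    """wit:webidAuthentication: at least one WebID from the SAN verifies."""
    assertions = []
    for webid in cert["san"]:
        assertions += verify_claim(graph, webid, cert, now)
    verified = [s for t, s, ok in assertions if t == "wit:webidClaim" and ok]
    assertions.append(("wit:webidAuthentication", "_:cert", bool(verified)))
    return verified, assertions


def earl_report(assertions, assertor="<https://rp.example/#rp>"):
    """Serialise assertions as Turtle with the EARL vocabulary; the ontology's own
    @prefix block (wit:, rsa:, ...) is assumed to precede this body."""
    lines = ["@prefix earl: <http://www.w3.org/ns/earl#> ."]
    for test, subject, ok in assertions:
        subj = subject if subject.startswith("_:") else f"<{subject}>"
        outcome = "earl:passed" if ok else "earl:failed"
        lines.append(f"[] a earl:Assertion ; earl:assertedBy {assertor} ; earl:test {test} ;\n"
                     f"   earl:subject {subj} ; earl:result [ a earl:TestResult ; earl:outcome {outcome} ] .")
    return "\n".join(lines)


# Constructed input: certificate with two SAN WebIDs and an RSA key (small toy values).
WEBID, OTHER = "https://alice.example/profile#me", "https://alice.example/other#me"
CERT = {"san": [WEBID, OTHER], "modulus": 0xC0FFEE1F, "exponent": 65537,
        "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2034, 1, 1, tzinfo=timezone.utc)}
# Constructed profile: _:k1 is well formed; _:k2 carries two different moduli.
PROFILE = [("_:k1", "cert:identity", WEBID),
           ("_:k1", "rsa:modulus", Literal("C0FFEE1F", "xsd:hexBinary")),
           ("_:k1", "rsa:public_exponent", Literal("65537", "xsd:integer")),
           ("_:k2", "cert:identity", OTHER),
           ("_:k2", "rsa:modulus", Literal("C0FFEE1F", "xsd:hexBinary")),
           ("_:k2", "rsa:modulus", Literal("DEADBEEF", "xsd:hexBinary")),
           ("_:k2", "rsa:public_exponent", Literal("65537", "xsd:integer"))]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    verified, assertions = authenticate(PROFILE, CERT, NOW)
    print(earl_report(assertions))
```

Run as-is, the first WebID verifies and the second fails: `_:k2` passes the Literal tests but fails wit:pubkeyRSAModulusFunctional because its two moduli convert to different numbers, which drags wit:profileWellFormedPubkey, wit:profileAllKeysWellFormed and that wit:webidClaim to earl:failed, while wit:webidAuthentication still passes on the strength of the first claim.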