Web, Logic, Sentences, and the Magic of Being You!

Kingsley Uyi Idehen
OpenLink Virtuoso Weblog
Jul 26, 2016

Situation Analysis

There is a common misconception that there are no good solutions for verifiable claims of identity that scale to the Web. We are supposedly doomed, when trying to handle such critical issues as privacy.

In this unintentionally long post, I demonstrate that this is false: we can actually take control of our own identity, distinct from the identities of our software agents, en route to experiencing the magic of individuality at Web-scale.

What Does Identity Control Mean?

Having control of one’s identity means having control over critical claims that constitute how one is described and recognized.

Why is Identity Control Important?

Identity control is the critical basis for accurately reflecting our individuality across all media. Fundamentally, it’s the key to calibrating one’s own vulnerability (a/k/a Privacy).

You should be able to uniquely identify yourself, in a variety of contexts, distinct from other entities — including the software agents/tools you use (such as Web Browsers) — en route to consuming or publishing content on a network such as the World Wide Web. In the simplest form, you (an author/creator) should be able to use a variety of identifiers to identify yourself to data publishers and consumers. Likewise, publishers should be able to constrain access — contextually — to the content they publish, based on the identity of its consumers.

This is already how we operate outside cyberspace — i.e., we hold a number of identity cards for a variety of services; and in some cases, the identity card’s lifespan is so brief that we refer to it as a ticket — e.g., when attending a concert or sporting event. The challenge lies in bringing this paradigm onto the network.

How Identity Control Works

The detailed guide that follows covers:

  1. Creation of a Digital Identity Card (Certificate)
  2. Publication of Data, constrained by Attribute-based Access Controls (ABAC) or Policies
  3. Access to Published Data using a variety of identities, through a variety of tools, demonstrating both the enforcement of data access policies and the power of switching the identity/ies associated with a Software Agent (Web Browser)

Tools used for this demonstration include:

  1. Existing open standards such as: URIs, HTTP, TLS, RDF Abstract Language, and RDF-Turtle Notation
  2. OpenLink Virtuoso — a multi-model data server that provides data access, virtualization, integration, and management as part of a single-server-oriented application that may be run on your desktop, an in-house server, or a cloud-hosted virtual machine
  3. YouID — an identity credential generator available for server-based deployment using Virtuoso or for local operation on various mobile devices running iOS or Android
  4. OpenLink Structured Data Sniffer (OSDS) — a browser extension that provides both (a) a simple UI for exploration of structured data embedded in HTML documents; and (b) the ability to switch identity, a critical feature that’s inexplicably missing from every current browser
  5. WebID — an HTTP URI (hyperlink) that identifies a Person, Organization, or Software Agent
  6. WebID-Profile Document — a document containing structured data (represented as a collection of RDF Language sentences/statements) that describes the Person, Organization, or Software Agent identified by a WebID
  7. WebID+TLS — a protocol that extends basic TLS by adding a Public Key lookup: the WebID found in the Subject Alternative Name (SAN) field of the X.509 Certificate used to initiate the TLS session is resolved to its WebID-Profile document, and the Public Key presented in the certificate is compared with the value (object) of a cert:key relationship type in that document
  8. WebID+TLS+Delegation — an enhancement to WebID+TLS that uses the semantics of an “on behalf of” relationship type when looking up the Public Key, thereby enabling a Software Agent to authenticate on-behalf-of its Human controller without compromising any resource access controls (or policies) scoped to the identity of the actual Software User

Conceptually, the steps for setting this up are as follows:

  1. Commit to the use of URIs as Identifiers for all Entities (e.g., People, Organizations, Software Agents, or anything else) — i.e., use words (URIs) to identify things
  2. Commit to using HTTP URIs as Identifiers, as this creates an implicit lookup-link (connection) to documents that describe what each URI identifies — i.e., use terms (a more specific kind of word), rather than words (in the basic sense), to identify entities, so that access to meaning is implicit
  3. Use Profile Documents to specifically describe entities
  4. Use machine- and human-readable sentences/statements in your Profile Documents — for instance, subject→predicate→object sentence structure
  5. Create a Profile Document that describes a Software User (a Person)
  6. Create a Profile Document that describes a Software Agent
  7. Add sentences/statements to the Software Agent’s profile document indicating that it works on-behalf-of one or more Software Users (Identified by their HTTP URIs [a/k/a WebIDs, in this context])
  8. Add sentences/statements to the Software User’s profile document indicating that they have delegated identity verification to a specific Software Agent (Identified by the Software Agent’s WebID)
  9. Create a Digital Identity Card (or Certificate) for the Software Agent using the content of its Profile Document

Software User WebID-Profile Document Creation

Using one of my personal profile document examples, here’s a sampling of sentences/statements that I used to describe myself:

```turtle
@prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
## The four prefixes below were not declared in the original excerpt;
## added here so the excerpt parses as Turtle
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix schema: <http://schema.org/> .
@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
## About the Profile Document (or, document metadata)
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> a foaf:Document .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> a schema:WebPage .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> schema:name "Personal Profile Document" .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> dcterms:created "2013-08-13"^^xsd:date .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> dcterms:modified "2016-07-07"^^xsd:date .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> foaf:primaryTopic <http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl> foaf:maker <http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> .
## About me, identified by relative URI <#i>
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> a foaf:Person .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> foaf:name "Kingsley Uyi Idehen" .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> owl:sameAs <https://twitter.com/kidehen#this> .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> owl:sameAs <https://www.linkedin.com/in/kidehen#this> .
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> owl:sameAs <http://kingsley.idehen.net/dataspace/person/kidehen#this> .
```

Software Agent WebID-Profile Document Creation

Here’s an excerpt from the actual Software Agent profile document used in my live WebID+TLS+Delegation demos:

```turtle
@prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
## The three prefixes below were not declared in the original excerpt;
## added here so the excerpt parses as Turtle
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix schema: <http://schema.org/> .
@prefix dcterms: <http://purl.org/dc/terms/> .
## Document Metadata
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> a foaf:Document .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> a schema:WebPage .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> schema:name "My Software Agent Profile Document Template" .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> dcterms:created "2016-04-11"^^xsd:date .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> dcterms:modified "2016-07-07"^^xsd:date .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> foaf:primaryTopic <http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i> .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl> foaf:maker <http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i> .
## About My Software Agent
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i> foaf:name "A Software Agent" .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i> foaf:firstName "Software" .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i> foaf:familyName "Agent" .
```

Software Agent Digital Identity Card (Certificate) Generation

Here’s an illustrated, step-by-step guide that walks you through the process of generating a Digital Identity Card for your Software Agent (e.g., a Web Browser, or any other piece of software that supports the HTTP protocol):

[1] Identity Credentials Generator Start Page

[2] Profile Data Provider Options — ranging from services like Facebook, Twitter, LinkedIn, Google+, Dropbox, Box.net, etc., to FOAF or WebFinger profile documents

[3] Profile Data from the Selected Source — in this case, a Profile Document where content was created using terms from the FOAF (Friend of a Friend) Vocabulary

[4] Select a persistence option for the Software Agent’s Identity credentials — Manual Upload indicates an intention to manually add Public Key data to your profile document

[5] Generate Agent Identity Credentials associated with the Agent’s WebID

[6] Software Agent Identity Credentials — the “Download Pkcs12 Certificate Bundle” button will download a bundled file, comprised of the PKCS#12 Certificate and Private Key

[7] Add Public Key Data to Software Agent Profile Document.

[8] Load Identity Credentials from Credentials Store (a PKCS#12 file) into your local Keystore (in this case, Keychain.app on Mac OS X).

[9] Agent Credentials start in an Untrusted State — because the claims have not been countersigned by a member of the Certificate Authority Network

[10] Set the Trust Level for Agent Identity Credentials.

[11] Now Trusted, Agent Credentials in local Keystore (again, Keychain.app on Mac OS X)

Verifying Software Agent Identity Claims

Having generated an X.509-based Digital Identity Card (Certificate) with a connection to the Software Agent’s profile document — via its WebID being used as the value for the Subject Alternative Name field — we are ready to verify the Software Agent’s identity claims, using a simple verification tool that supports the WebID+TLS protocol.

Adding “On-Behalf-Of” Relations to Software User WebID-Profile Documents

Now that the Software Agent’s Identity has been verified, we can create some additional sentences/statements in the Software User profile document, to associate the Software User (in this case, me) with the Software Agent:

```turtle
@prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
## xsd prefix was not declared in the original excerpt; added so it parses
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
## Software User profile statements used to verify “OnBehalfOf”
## relationship type with Software Agent
<http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i> oplcert:hasIdentityDelegate <http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i> .
## Software Agent Public Key Data from its X.509 Certificate
## that has <http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i>
## as the Subject Alternative Name field value.
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i>
    cert:key [
        cert:exponent "65537"^^xsd:integer ;
        ## the hex modulus value is elided from this excerpt
        cert:modulus "..."^^xsd:hexBinary
    ] .
```

Adding “On-Behalf-Of” Relationship Types to Software Agent WebID-Profile Documents

The same process is repeated in the Software Agent profile document, using a relationship type that’s the inverse of the one used in the Software User profile document (i.e., oplcert:onBehalfOf, which is the inverse of oplcert:hasIdentityDelegate):

```turtle
@prefix oplcert: <http://www.openlinksw.com/schemas/cert#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i>
    oplcert:onBehalfOf <http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i> .
```
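The two lookups that the profile statements above exist to support, the plain WebID+TLS key check and the WebID+TLS+Delegation “on behalf of” check, as an added example that is not code from the post or from OpenLink. The profile documents are represented as lists of (subject, predicate, object) tuples standing in for parsed Turtle, the FETCH table stands in for dereferencing a WebID over HTTP, the key values are constructed toy numbers rather than a real RSA key, and the IMPOSTOR profile is invented to show why both directions of the relationship must be checked. The `cert_key_turtle` helper renders the cert:key block that step [7] of the certificate guide asks you to paste into the agent’s profile document:

```python
# Added example (not from the post or from OpenLink): WebID+TLS key lookup and
# the WebID+TLS+Delegation on-behalf-of check, over hand-built triples shaped
# like the profile excerpts in the post.

CERT = "http://www.w3.org/ns/auth/cert#"
OPLCERT = "http://www.openlinksw.com/schemas/cert#"

USER = "http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl#i"
AGENT = "http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i"
IMPOSTOR = "http://example.org/impostor.ttl#i"   # constructed, for the negative case

# Constructed public-key values for the Software Agent (NOT a real key).
AGENT_EXPONENT = 65537
AGENT_MODULUS = 0xC0FFEE1234ABCD

# cert:key statements as written into a profile after step [7]. The modulus is
# deliberately upper case with a leading zero byte, as exported key data often is.
AGENT_KEY_TRIPLES = [
    (AGENT, CERT + "key", "_:agentKey"),
    ("_:agentKey", CERT + "exponent", "65537"),
    ("_:agentKey", CERT + "modulus", "00C0FFEE1234ABCD"),
]

# User profile: names the agent as identity delegate and republishes its key.
USER_PROFILE = [(USER, OPLCERT + "hasIdentityDelegate", AGENT)] + AGENT_KEY_TRIPLES
# Agent profile: its own key plus the inverse on-behalf-of link back to the user.
AGENT_PROFILE = [(AGENT, OPLCERT + "onBehalfOf", USER)] + AGENT_KEY_TRIPLES
# Third party that one-sidedly claims the agent as its delegate; the agent never agreed.
IMPOSTOR_PROFILE = [(IMPOSTOR, OPLCERT + "hasIdentityDelegate", AGENT)] + AGENT_KEY_TRIPLES


def doc_of(webid):
    """A WebID resolves to its profile document: drop the fragment."""
    return webid.split("#", 1)[0]


# Stand-in for an HTTP GET of the profile document followed by Turtle parsing.
FETCH = {doc_of(USER): USER_PROFILE, doc_of(AGENT): AGENT_PROFILE,
         doc_of(IMPOSTOR): IMPOSTOR_PROFILE}


def objects(triples, s, p):
    return [o for (s2, p2, o) in triples if s2 == s and p2 == p]


def key_matches(triples, webid, modulus_hex, exponent):
    """Core WebID+TLS step: is the key presented in the certificate listed under
    <webid> cert:key in the profile? Compare numerically so hex case and
    leading zero bytes cannot produce a false mismatch."""
    want = (int(modulus_hex, 16), int(exponent))
    for key in objects(triples, webid, CERT + "key"):
        for m in objects(triples, key, CERT + "modulus"):
            for e in objects(triples, key, CERT + "exponent"):
                try:
                    if (int(m, 16), int(e)) == want:
                        return True
                except ValueError:   # malformed literal in the profile: skip it
                    continue
    return False


def verify_webid_tls(san_webid, modulus_hex, exponent, fetch=FETCH):
    """Plain WebID+TLS: the SAN WebID is authenticated iff its own profile lists the key."""
    if key_matches(fetch.get(doc_of(san_webid), []), san_webid, modulus_hex, exponent):
        return san_webid
    return None


def verify_delegation(san_webid, modulus_hex, exponent, claimed_user, fetch=FETCH):
    """WebID+TLS+Delegation: the certificate identifies the Software Agent, which asks
    to act on behalf of claimed_user. Authorize as the user only if both sides agree:
    the user's profile names the agent as delegate and carries the agent's key, and
    the agent's profile names the user via onBehalfOf. Returns the identity to use."""
    user_triples = fetch.get(doc_of(claimed_user), [])
    if san_webid not in objects(user_triples, claimed_user, OPLCERT + "hasIdentityDelegate"):
        return None
    if not key_matches(user_triples, san_webid, modulus_hex, exponent):
        return None
    agent_triples = fetch.get(doc_of(san_webid), [])
    if claimed_user not in objects(agent_triples, san_webid, OPLCERT + "onBehalfOf"):
        return None
    return claimed_user


def cert_key_turtle(webid, modulus, exponent):
    """Step [7] helper: render the cert:key block to paste into a profile document."""
    return (f"<{webid}>\n    cert:key [\n"
            f"        cert:exponent \"{exponent}\"^^xsd:integer ;\n"
            f"        cert:modulus \"{modulus:x}\"^^xsd:hexBinary\n    ] .")


if __name__ == "__main__":
    print(verify_webid_tls(AGENT, "c0ffee1234abcd", AGENT_EXPONENT))        # the agent
    print(verify_delegation(AGENT, "c0ffee1234abcd", AGENT_EXPONENT, USER))  # the user
    print(verify_delegation(AGENT, "c0ffee1234abcd", AGENT_EXPONENT, IMPOSTOR))  # None
    print(cert_key_turtle(AGENT, AGENT_MODULUS, AGENT_EXPONENT))
```

The impostor case is the one worth keeping in mind: a profile anyone controls can assert oplcert:hasIdentityDelegate toward any agent, so the verifier must also confirm the inverse oplcert:onBehalfOf statement in the agent’s own profile before letting the agent act as that user.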

Attribute-based Access Controls Definition

With the WebIDs and WebID-Profile documents in place for a Software User (myself) and a Software Agent, I can create protected resource access controls, based on the Software User’s Identity.

In this example, I have the following database documents, each identified by a Virtuoso-internal Named Graph Identifier:

  1. <file:OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>
  2. <file:OpenPermID-bulk-industry-20151111_095806.ttl.gz>

Here are some key excerpts that describe the Conditional Group and Attribute-based ACLs (Authorizations or Data Access Policies) used in my live demos:

```turtle
## Description of <#groupBasicNetID>, a conditional group used
## to facilitate multi-protocol authentication
<#groupBasicNetID>
    a <http://www.openlinksw.com/ontology/acl#ConditionalGroup> ;
    <http://xmlns.com/foaf/0.1/name> "Identities Denoted using a NetID based Identifier" ;
    <http://www.openlinksw.com/ontology/acl#hasCondition>
    [
        a <http://www.openlinksw.com/ontology/acl#GroupCondition>,
          <http://www.openlinksw.com/ontology/acl#GenericCondition> ;
        <http://www.openlinksw.com/ontology/acl#hasCriteria>
            <http://www.openlinksw.com/ontology/acl#NetID> ;
        <http://www.openlinksw.com/ontology/acl#hasComparator>
            <http://www.openlinksw.com/ontology/acl#IsNotNull> ;
        <http://www.openlinksw.com/ontology/acl#hasValue> 1
    ] .
```

```turtle
## ACL that allows any authenticated Identity, irrespective of
## the authentication protocol used for authentication, to
## access sentences/statements (Data) in the Database Document
## (a/k/a Named Graph in SPARQL parlance) identified by the
## Internal Virtuoso Document Identifier: <file:OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>
## Prefixes were not declared in the original excerpt; added so it parses
@prefix oplacl: <http://www.openlinksw.com/ontology/acl#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<#HttpTLSPrivateNamedGraphRule1>
    a acl:Authorization ;
    rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by Internal Virtuoso Document Identifier: <file:OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>" ;
    foaf:maker <http://kingsley.idehen.net/dataspace/person/kidehen#this> ;
    oplacl:hasAccessMode oplacl:Read ;
    acl:accessTo <file:OpenPermID-bulk-assetClass-20151111_095807.ttl.gz> ;
    acl:agent <#groupBasicNetID> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .
```

```turtle
## ACL that allows specific identities to access
## sentences/statements (Data) in the Database Document (a/k/a
## Named Graph in SPARQL parlance) identified by the Internal Virtuoso Document Identifier:
## <file:OpenPermID-bulk-industry-20151111_095806.ttl.gz>
@prefix oplacl: <http://www.openlinksw.com/ontology/acl#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
## rdfs and foaf prefixes were not declared in the original excerpt; added so it parses
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<#HttpTLSPrivateNamedGraphRule2>
    a acl:Authorization ;
    rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by Internal Virtuoso Document Identifier: <file:OpenPermID-bulk-industry-20151111_095806.ttl.gz>" ;
    foaf:maker <http://kingsley.idehen.net/dataspace/person/kidehen#this> ;
    oplacl:hasAccessMode oplacl:Read ;
    acl:accessTo <file:OpenPermID-bulk-industry-20151111_095806.ttl.gz> ;
    acl:agent <http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:DefaultRealm .
```
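An evaluator for the conditional group and the two Authorizations above, added here as an example rather than code from the post or from Virtuoso (the page does not show how Virtuoso itself evaluates these policies; this models the semantics the Turtle states). The rules are transcribed into Python dicts, a requester is a dict of attributes with NetID set after any successful authentication and None for an anonymous request, and the WebID in Rule 2 is the public_home form the ACL uses:

```python
# Added example (not from the post or from Virtuoso): default-deny evaluation of
# the <#groupBasicNetID> conditional group and the two Authorizations above.

OPLACL = "http://www.openlinksw.com/ontology/acl#"

ASSET_CLASS_GRAPH = "file:OpenPermID-bulk-assetClass-20151111_095807.ttl.gz"
INDUSTRY_GRAPH = "file:OpenPermID-bulk-industry-20151111_095806.ttl.gz"
USER = "http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i"
AGENT = "http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl#i"

# <#groupBasicNetID>: membership is decided by a condition on the requester's
# attributes (NetID IsNotNull), not by an enumerated member list.
CONDITIONAL_GROUPS = {
    "#groupBasicNetID": [
        {"criteria": OPLACL + "NetID", "comparator": OPLACL + "IsNotNull", "value": 1},
    ],
}

AUTHORIZATIONS = [
    {   # <#HttpTLSPrivateNamedGraphRule1>: any authenticated identity may read
        "mode": OPLACL + "Read", "accessTo": ASSET_CLASS_GRAPH,
        "agent": "#groupBasicNetID",
        "scope": OPLACL + "PrivateGraphs", "realm": OPLACL + "DefaultRealm",
    },
    {   # <#HttpTLSPrivateNamedGraphRule2>: only one specific WebID may read
        "mode": OPLACL + "Read", "accessTo": INDUSTRY_GRAPH,
        "agent": USER,
        "scope": OPLACL + "PrivateGraphs", "realm": OPLACL + "DefaultRealm",
    },
]

# Only the comparator the page uses is implemented; an unknown comparator is an
# error rather than something silently treated as satisfied.
COMPARATORS = {
    OPLACL + "IsNotNull": lambda attr, _value: attr is not None,
}


def in_conditional_group(group_id, identity):
    """All conditions of the group must hold for the requester's attributes."""
    conditions = CONDITIONAL_GROUPS.get(group_id, [])
    if not conditions:
        return False
    for cond in conditions:
        attr_name = cond["criteria"].rsplit("#", 1)[1]          # e.g. "NetID"
        compare = COMPARATORS.get(cond["comparator"])
        if compare is None:
            raise ValueError("unsupported comparator " + cond["comparator"])
        if not compare(identity.get(attr_name), cond["value"]):
            return False
    return True


def agent_matches(rule_agent, identity):
    """acl:agent is either a local conditional group (<#...>) or a specific WebID."""
    if rule_agent.startswith("#"):
        return in_conditional_group(rule_agent, identity)
    return identity.get("NetID") == rule_agent


def is_allowed(identity, graph, mode,
               scope=OPLACL + "PrivateGraphs", realm=OPLACL + "DefaultRealm"):
    """Default deny: grant only if some Authorization names this graph, mode,
    scope and realm, and its acl:agent matches the requester."""
    for rule in AUTHORIZATIONS:
        if (rule["accessTo"], rule["mode"], rule["scope"], rule["realm"]) != (graph, mode, scope, realm):
            continue
        if agent_matches(rule["agent"], identity):
            return True
    return False


if __name__ == "__main__":
    read = OPLACL + "Read"
    anonymous, as_agent, as_user = {"NetID": None}, {"NetID": AGENT}, {"NetID": USER}
    for name, who in (("anonymous", anonymous), ("agent", as_agent), ("user", as_user)):
        print(name, is_allowed(who, ASSET_CLASS_GRAPH, read), is_allowed(who, INDUSTRY_GRAPH, read))
```

Run as written, the three rows show the identity-toggling effect the OSDS tests below exercise: the anonymous requester reads neither graph, the Software Agent authenticated as itself reads only the assetClass graph via the conditional group, and a session authorized as the Software User (directly, or through WebID+TLS+Delegation) reads both.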

Visualization of the Attribute-based Access Controls described in the Turtle-based nanotations above.

Access Controls Description Snippet via OpenLink Structured Data Sniffer

At this juncture, we are ready to test the effects of the statements made in the profile documents, combined with the claims in the Software Agent’s X.509-based Digital Identity Card (Certificate). To make this easier, I am going to use the OpenLink Structured Data Sniffer (OSDS) browser extension and its feature for registering multiple WebIDs.

Setting up OSDS to handle Identity Toggling

[1] WebID Registration in OSDS

[2] Selection of Active WebID

[3] Test Demonstrating Access to Protected Resource — Faceted Browsing over HTTP-accessible Data from a public access point

[4] Test Demonstrating Access to Protected Resource — SPARQL Query Service that provides access to HTTP-accessible Data


Conclusion

Any entity (person, organization, or software agent) can now use the power of combined open standards to preserve their individuality, and as a consequence, their privacy. In addition, we also have a powerful ability to create new and innovative business models that align naturally with the architecture behind the World Wide Web, rather than being shoehorned into the increasingly obsolete approach of bullhorn advertising based on intrusive injection of media (video, sound, and images), devoid of context.

As an individual, you know yourself better than anyone else. Whimsicality is the innate tool that ultimately provides “You” with the master key into the entity relationship graph (network, web, cloud) that represents your individuality.


CEO, OpenLink Software — High-Performance Data Centric Technology Providers.