index.html

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML+RDFa 1.0//EN' 'http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd'>
<html dir="ltr" about="" property="dcterms:language" content="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:dcterms='http://purl.org/dc/terms/' xmlns:bibo='http://purl.org/ontology/bibo/' xmlns:foaf='http://xmlns.com/foaf/0.1/' xmlns:xsd='http://www.w3.org/2001/XMLSchema#'>
<head>
    <title>WebID 1.0</title>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    
<!--  
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
      -->

<style type="text/css">
code           { font-family: monospace; }

span.hilite { color: red; /* font-weight: bold */ }

li p           { margin-top: 0.3em;
                 margin-bottom: 0.3em; }

div.explanation { background-color: #ADD8E6;
                   width: 80%;
                   margin: 12px; padding: 8px; }
div.explanation li { margin-top: 8px; }
div.explanation dd { margin: 4px; }

.adef { 
	font-family: monospace; 
	font-weight: bold; 
    color: #ff4500 !important;
}

.aref { 
	font-family: monospace; 
	font-weight: bold; 
    color: #ff4500 !important;
}

span.entity { color: red; }

span.element { color: green; }
</style>

     

<!--     <script src='/ReSpec.js/js/respec.js' class='remove'></script>  -->

    
  <link href="http://dev.w3.org/2009/dap/ReSpec.js/css/respec.css" rel="stylesheet" type="text/css" charset="utf-8" /><link href="http://www.w3.org/StyleSheets/TR/w3c-unofficial" rel="stylesheet" type="text/css" charset="utf-8" /></head><body style="display: inherit; "><div class="head"><p></p><h1 rel="dcterms:title" class="title" id="title">WebID 1.0</h1><h2 rel="bibo:subtitle" id="subtitle">Web Identification and Discovery</h2><h2 property="dcterms:issued" datatype="xsd:dateTime" content="2010-07-12T01:01:38+0000" id="unofficial-draft-11-july-2010">Unofficial Draft 11 July 2010</h2><dl><dt>Editor:</dt><dd rel="bibo:editor"><span typeof="foaf:Person"><span property="foaf:name">Manu Sporny</span>, <a rel="foaf:workplaceHomepage" href="http://blog.digitalbazaar.com/">Digital Bazaar, Inc.</a> <a rel="foaf:mbox" href="mailto:msporny@digitalbazaar.com">msporny@digitalbazaar.com</a> </span>
</dd>
<dt>Authors:</dt><dd><span><span>Toby Inkster</span></span>
</dd>
<dd><span><a content="Henry Story" href="http://bblfish.net/">Henry Story</a></span>
<dd><span>Bruno Harbulot</span>
</dd>
</dl><p class="copyright">This document is licensed under a <a class="subfoot" href="http://creativecommons.org/licenses/by/3.0/" rel="license">Creative Commons Attribution 3.0 License</a>.</p><hr></hr></div>
    <div id="abstract" class="introductory section" property="dcterms:abstract" datatype="" typeof="bibo:Chapter" about="#abstract"><h2>Abstract</h2>

<p>Identification and privacy have been at the center of how we
interact with sites on the Web. The explosion of Websites over the last decade
and a half has created a point of pain for anyone that uses the Web on a
regular basis. Remembering login details, passwords,
and sharing private information across the many websites that people use on a
daily basis has become more difficult and complicated than necessary. This 
specification outlines a simple universal identification mechanism that is
distributed, openly extensible, improves privacy, security and control over how 
one can identify themselves and control access to their information on the Web.
</p>
  
<div typeof="bibo:Chapter" about="#how-to-read-this-document" class="section">
<h3 id="how-to-read-this-document">How to Read this Document</h3>
  
<p>There are a number of concepts that are covered in this document that the
reader may want to be aware of before continuing. General knowledge of
<a href="http://en.wikipedia.org/wiki/Public_key_cryptography">public key cryptography</a> 
is necessary to understand how to implement this specification. 
WebID also uses HTTP over TLS [<a class="bibref" rel="biblioentry" href="#bib-HTTP-TLS">HTTP-TLS</a>], X.509 certificates
[<a class="bibref" rel="biblioentry" href="#bib-X509V3">X509V3</a>], and RDFa [<a class="bibref" rel="biblioentry" href="#bib-RDFA-CORE">RDFA-CORE</a>].</p>

<p>A general <a href="#introduction">Introduction</a> is provided for all that
would like to understand why this specification is necessary to simplify usage
of the Web.</p>

<p>The terms used throughout this specification are listed in the section
titled <a href="#terminology">Terminology</a>.</p>

<p>Developers that are interested in implementing this specification will be
most interested in the sections titled 
<a href="#authentication-sequence">Authentication Sequence</a> and 
<a href="#authentication-sequence-details">Authentication Sequence Details</a>.
  
</p></div>
</div><div id="sotd" class="introductory section" typeof="bibo:Chapter" about="#sotd"><h2>Status of This Document</h2><p>This document is merely a public working draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organisation.</p>

<!--  <p>This document has been reviewed by W3C Members, by software
developers, and by other W3C groups and interested parties, and is
endorsed by the Director as a W3C Recommendation. It is a stable
document and may be used as reference material or cited from another
document. W3C's role in making the Recommendation is to draw attention
to the specification and to promote its widespread deployment. This
enhances the functionality and interoperability of the Web.</p>  -->


The source code for this document is available via Github at the following
URL: <a href="http://github.com/msporny/webid-spec">http://github.com/msporny/webid-spec</a>

</div><div id="toc" typeof="bibo:Chapter" about="#toc" class="section"><h2 class="introductory">Table of Contents</h2><ul class="toc"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a><ul class="toc"><li class="tocline"><a href="#motivation" class="tocxref"><span class="secno">1.1 </span>Motivation</a></li><li class="tocline"><a href="#relation-to-openid" class="tocxref"><span class="secno">1.2 </span>Relation to OpenID</a></li><li class="tocline"><a href="#relation-to-oauth" class="tocxref"><span class="secno">1.3 </span>Relation to OAuth</a></li></ul></li><li class="tocline"><a href="#the-webid-protocol" class="tocxref"><span class="secno">2. </span>The WebID Protocol</a><ul class="toc"><li class="tocline"><a href="#terminology" class="tocxref"><span class="secno">2.1 </span>Terminology</a></li><li class="tocline"><a href="#authentication-sequence" class="tocxref"><span class="secno">2.2 </span>Authentication Sequence</a></li><li class="tocline"><a href="#authentication-sequence-details" class="tocxref"><span class="secno">2.3 </span>Authentication Sequence Details</a><ul class="toc"><li class="tocline"><a href="#initiating-a-tls-connection" class="tocxref"><span class="secno">2.3.1 </span>Initiating a TLS Connection</a></li><li class="tocline"><a href="#exchanging-the-identification-certificate" class="tocxref"><span class="secno">2.3.2 </span>Exchanging the Identification Certificate</a></li><li class="tocline"><a href="#processing-the-webid-profile" class="tocxref"><span class="secno">2.3.3 </span>Processing the WebID Profile</a></li><li class="tocline"><a href="#extracting-identification-url-details" class="tocxref"><span class="secno">2.3.4 </span>Extracting Identification URL Details</a></li><li class="tocline"><a href="#determining-access-privileges" class="tocxref"><span class="secno">2.3.5 </span>Determining Access Privileges</a></li></ul></li></ul></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. </span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></div>



<div class="informative section" id="introduction" typeof="bibo:Chapter" about="#introduction">

<!-- OddPage -->
<h2><span class="secno">1. </span>Introduction</h2><p><em>This section is non-normative.</em></p>

<p>
The WebID specification is designed to help alleviate the difficultly that
remembering different logins, passwords and settings for websites has created. 
It is also designed to provide a universal and extensible mechanism to express 
public and private information about yourself. This section outlines the 
motivation behind the specification and the relationship to other similar 
specifications that are in active use today.
</p>

<div class="informative section" id="motivation" typeof="bibo:Chapter" about="#motivation">
<h3><span class="secno">1.1 </span>Motivation</h3><p><em>This section is non-normative.</em></p>

<p>
It is a fundamental design criteria of the Web to enable individuals and
organizations to control how they interact with the rest of society. This
includes how one expresses their identity, public information and personal 
details to social networks, Web sites and services.
</p>

<p>
Semantic Web vocabularies such as Friend-of-a-Friend (FOAF) permit distributed 
hyperlinked social networks to exist. This vocabulary, along with other 
vocabularies, allow one to add information and services protection to 
distributed social networks.
</p>

<p>
One major criticism of open networks is that they seem to have no way of
protecting the personal information distributed on the web or limiting
access to resources. Few people are willing to make all their personal
information public, many would like large pieces to be protected, making
it available only to a select group of agents. Giving access to
information is very similar to giving access to services. There are many
occasions when people would like services to only be accessible to
members of a group, such as allowing only friends, family members,
colleagues to post an article, photo or comment on a blog. How does one do
this in a flexible way, without requiring a central point of
access control?
</p>

<p>
Using an process made popular by OpenID, we show how one can tie a User
Agent to a URL by proving that one has write access to the URL. WebID is
a simpler alternative to OpenID (fewer connections), that uses X.509 
certificates to tie a User Agent (Browser) to a Person identified via a URL. 
WebID also provides a few additional features to OpenID. These
features include trust management, via digital signatures, and free-form 
extensibility via RDFa. By using the existing SSL certificate exchange
mechanism, WebID integrates more smoothly with existing Web browsers, including
browsers on mobile devices. WebID also permits automated session login
in addition to interactive session login. Additionally, all data is encrypted
and guaranteed to only be received by the person or organization that was 
intended to receive it.
</p>

</div>

<div class="informative section" id="relation-to-openid" typeof="bibo:Chapter" about="#relation-to-openid">
<h3><span class="secno">1.2 </span>Relation to OpenID</h3><p><em>This section is non-normative.</em></p>

<p>While some may say that OpenID and WebID conflict, WebID is 100% compatible
with OpenID since both use a URL for identification. Therefore, WebID does not
intend to replace OpenID, but can work beside OpenID just as easily as providing
a complete solution. That said, there are a number of benefits that WebID
achieves over OpenID:
</p>

<p>WebID gives people and other agents a Web ID URL for identification, just
like OpenId does. However, in the case of WebID, the user does not need to
remember the URL, the browser or User Agent does. A login button on a
WebID web site is just a button. No need to enter any identifier like one
has to for OpenID. Just click the button. Your browser will then ask you what 
identity you wish to use. The person that is browsing does not need to 
remember either the WebID URL or the website password. The only password one
needs to remember is the one that is used to access their collection of
WebIDs in their browser.</p>

<p>The WebID protocol requires just one direct network connection to establish
identity via the client. The server requires one connection to the client and
one connection to retrieve the WebID Profile if it does not have the credential
information cached. Compare this to the much more complex OpenID sequence, which
requires six connections by the client to establish a login. In a world of 
distributed data where each site can point to data on any other site, multiple 
connections become costly to manage.</p>

<p>WebID builds on well established Internet and Web standards;
<a href="http://en.wikipedia.org/wiki/REST">REST</a>, 
RDF [<a class="bibref" rel="biblioentry" href="#bib-RDF-PRIMER">RDF-PRIMER</a>], RDFa [<a class="bibref" rel="biblioentry" href="#bib-RDFA-CORE">RDFA-CORE</a>], TLS [<a class="bibref" rel="biblioentry" href="#bib-HTTP-TLS">HTTP-TLS</a>], and X.509 
[<a class="bibref" rel="biblioentry" href="#bib-X509V3">X509V3</a>]. By building on previous standards, it makes both explaining and 
implementing WebID easier on developers.</p>

<p>Since WebID is RESTful, you can perform basic HTTP operations to 
<code>GET</code> your WebID, and if you needed update it, you can use
HTTP <code>PUT</code> semantics. You can also create a WebID via 
<code>POST</code>. This is improved from the OpenID specification, which
requires a new set of operations described in the OpenID Attribute Exchange
specification.</p>

<p>It is easy to extend a WebID with new attributes via RDF. The power of
RDF and RDFa allows developers to add extensions to WebID by defining new
vocabularies that they publish. There is no authorization process necessary
and thus WebID allows for distributed innovation. Every WebID property is
a URI, which when clicked, can give you yet more information about what the
property means. A developer can create new usage classes by extending their
vocabulary at will. A developer can add relationships to a WebID by simply
adding more HTML to the developer's page. OpenID does not provide any type of
distributed innovation akin to RDF or RDFa.</p>

<p>WebID is built on RDF and thus enables all of the advanced semantic web
concepts that RDF enables. For example, a developer may perform machine
reasoning with a WebID. One can construct machine-executable statements like
"If this WebID claims to be a friend of one of our partner WebIDs that is
trusted and the relationship is bi-directional, trust the WebID." 
While OpenID attempts to support this use case by mapping OpenID to RDF, it's
far easier to do with WebID because WebID is natively RDF-aware.</p>

<p>Implementing WebID is easier than OpenID because all of the basic 
technologies have been working and integrated into Web browsers for many years. 
There were already three interoperable implementations of WebID before this 
specification was written.</p>

<p>WebID is truly decentralized - with WebID you get a web of trust. 
OpenID only supports the Web of Trust model if you indirectly trust the
OpenID provider. In other words - OpenID is not truly decentralized. In OpenID
you must trust OpenID providers. With WebID you only have to trust the people
and the organizations with which you are communicating. In other words, you
don't have to ask anyone whether or not you can trust your friends. You can
query people that you trust directly to see if someone is trustworthy or not.
There is no need for a central WebID authority.
</p>

<p>WebID is fully distributed, anyone can setup a WebID by placing a single
file on a web server of their choosing. There is no need for a special 
OpenID-like provider service. The only thing anyone that wants a WebID needs
is a web account where you can post your WebID file, ideally on your own domain 
name. You can also use a WebID hosting provider, but it's not necessary for
WebID to work. While it is possible to run an OpenID server, other
OpenID applications may not trust you and thus you won't be able to fully
utilize your private OpenID credentials. The reason that there are a few
large OpenID providers and very few small OpenID providers is because of this
trust design issue related to OpenID.</p>

<p>WebID does not require HTTP redirects. Redirects are are problematic on many
cell phones, because telecoms heavily rely on proxys, which selectively block
redirects.</p>

<p>A WebID provider is 100% compatible with an OpenID provider and thus can 
inter-operate with OpenID-powered networks.</p>

</div>

<div class="informative section" id="relation-to-oauth" typeof="bibo:Chapter" about="#relation-to-oauth">
<h3><span class="secno">1.3 </span>Relation to OAuth</h3><p><em>This section is non-normative.</em></p>

<p>
OAuth and WebID are mutually beneficial when used together. WebID can be
used to provide RSA parameters to the RSA-SHA1 signature method required by
OAuth 1.0. WebID can also be used to establish the consumer_key and HTTPS 
connection that will be used to transmit OAuth Tokens in OAuth 2.0.
</p>

</div>
</div>

<div class="normative section" id="the-webid-protocol" typeof="bibo:Chapter" about="#the-webid-protocol">

<!-- OddPage -->
<h2><span class="secno">2. </span>The WebID Protocol</h2>

<div class="normative section" id="terminology" typeof="bibo:Chapter" about="#terminology">
<h3><span class="secno">2.1 </span>Terminology</h3>

<dl>

<dt><dfn title="Verification_Agent" id="dfn-verification_agent">Verification Agent</dfn></dt>
<dd>Performs authentication on provided WebID credentials and determines if
an <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a> can have access to a particular 
resource. A <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> is typically a Web server, but 
may also be a peer on a peer-to-peer network.</dd>

<dt><dfn title="Identification_Agent" id="dfn-identification_agent">Identification Agent</dfn></dt>
<dd>Provides identification credentials to a Verification Agent. The
<a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a> is typically also a User Agent.</dd>

<dt><dfn title="Identification_Certificate" id="dfn-identification_certificate">Identification Certificate</dfn></dt>
<dd>An X.509 [<a class="bibref" rel="biblioentry" href="#bib-X509V3">X509V3</a>] Certificate that <em class="rfc2119" title="must">must</em> contain an
a <code>Subject Alternative Name</code> extension with a URI entry. The URI in this entry <em class="rfc2119" title="must">must</em> be
dereference-able and result in a document containing RDF data. For example, 
the certificate would contain <code>http://example.org/webid#public</code>,
known as a <a class="tref internalDFN" title="WebID_URL" href="#dfn-webid_url">WebID URL</a>, in
the <code>Subject Alternative Name</code> extension:
<code><pre>
X509v3 extensions:
   ...
   X509v3 Subject Alternative Name:
      URI:http://example.org/webid#public
</pre></code>

</dd><dt><dfn title="WebID_URL" id="dfn-webid_url">WebID URL</dfn></dt>
<dd>A URL specified in a URI entry of the <code>Subject Alternative Name</code> extension of the
<a class="tref internalDFN" title="Identification_Certificate" href="#dfn-identification_certificate">Identification Certificate</a> that identifies a 
<a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a> document.</dd>

<dt><dfn title="WebID_Profile" id="dfn-webid_profile">WebID Profile</dfn></dt>
<dd>
A structured document that contains identification credentials for the 
<a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a> expressed using the Resource Description
Framework [<a class="bibref" rel="biblioentry" href="#bib-RDF-CONCEPTS">RDF-CONCEPTS</a>].
The mechanism providing the WebID Profile document (e.g. a Web Service) <em class="rfc2119" title="must">must</em> at least support 
the XML+RDF [<a class="bibref" rel="biblioentry" href="#bib-RDF-SYNTAX-GRAMMAR">RDF-SYNTAX-GRAMMAR</a>] or
the XHTML+RDFa 1.1 [<a class="bibref" rel="biblioentry" href="#bib-XHTML-RDFA">XHTML-RDFA</a>] serialization
formats. Alternate RDF serialization formats, such as N3 [<a class="bibref" rel="biblioentry" href="#bib-N3">N3</a>] or
Turtle [<a class="bibref" rel="biblioentry" href="#bib-TURTLE">TURTLE</a>] <em class="rfc2119" title="may">may</em> also be supported by the mechanism providing the 
WebID Profile document.
</dd>

</dl>

</div>

<div class="normative section" id="authentication-sequence" typeof="bibo:Chapter" about="#authentication-sequence">
<h3><span class="secno">2.2 </span>Authentication Sequence</h3>

<p>The following steps are executed by Verification Agents and Identification
Agents to determine if access should be granted to a particular resource.
</p>

<ol>
<li>The <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a> attempts to access a resource
using HTTP over TLS [<a class="bibref" rel="biblioentry" href="#bib-HTTP-TLS">HTTP-TLS</a>] via the <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a>.</li>

<li>The <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> <em class="rfc2119" title="must">must</em> request the 
<a class="tref internalDFN" title="Identification_Certificate" href="#dfn-identification_certificate">Identification Certificate</a> of the <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a>
as a part of the TLS client-cerificate retrieval protocol.</li>

<li>The <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> <em class="rfc2119" title="must">must</em> extract the <a class="tref internalDFN" title="WebID_URL" href="#dfn-webid_url">WebID URL</a> 
contained in the <code>Subject Alternative Name</code> extension of the 
<a class="tref internalDFN" title="Identification_Certificate" href="#dfn-identification_certificate">Identification Certificate</a>. The <a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a> document
<em class="rfc2119" title="must">must</em> be dereferenced and all triples pertaining to the public key associated 
with the <a class="tref internalDFN" title="WebID_URL" href="#dfn-webid_url">WebID URL</a> <em class="rfc2119" title="must">must</em> be extracted.
</li>

<li>The remote document triples <em class="rfc2119" title="must">must</em> be queried for information about the 
public key contained in the <a class="tref internalDFN" title="Identification_Certificate" href="#dfn-identification_certificate">Identification Certificate</a>. 
If the public key in the certificate is found in the list of public keys 
associated with the <a class="tref internalDFN" title="WebID_URL" href="#dfn-webid_url">WebID URL</a>, the <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a>
<em class="rfc2119" title="must">must</em> assume that the client has write access to the <a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a> and
therefore owns the document.</li>

<li>At this point, the <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> has verified that the
<a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a> is owned by the <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a>. The
<a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> <em class="rfc2119" title="must">must</em> use the now verified public key contained 
in the <a class="tref internalDFN" title="Identification_Certificate" href="#dfn-identification_certificate">Identification Certificate</a> for all TLS-based communication
with the <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a>.
</li></ol>

<p>
The <a class="tref internalDFN" title="Identification_Agent" href="#dfn-identification_agent">Identification Agent</a> <em class="rfc2119" title="may">may</em> re-establish a different identity at 
any time by executing all of the steps in the Authentication Sequence again. 
Additional algorithms, detailed in the next section, <em class="rfc2119" title="may">may</em> be performed to 
determine if the <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> can access a particular 
resource after the last step of the Authentication Sequence has been
completed.
</p>

</div>

<div class="normative section" id="authentication-sequence-details" typeof="bibo:Chapter" about="#authentication-sequence-details">
<h3><span class="secno">2.3 </span>Authentication Sequence Details</h3>

<p>This section covers details about each step in the authentication process.
</p>

<div class="normative section" id="initiating-a-tls-connection" typeof="bibo:Chapter" about="#initiating-a-tls-connection">
<h4><span class="secno">2.3.1 </span>Initiating a TLS Connection</h4>

<p class="issue">This section will detail how the TLS connection process is
started and used by WebID to create a secure channel between the 
Identification Agent and the Verification Agent.</p>
</div>

<div class="normative section" id="exchanging-the-identification-certificate" typeof="bibo:Chapter" about="#exchanging-the-identification-certificate">
<h4><span class="secno">2.3.2 </span>Exchanging the Identification Certificate</h4>

<p class="issue">This section will detail how the certificate is selected and
sent to the Verification Agent.</p>
</div>

<div class="normative section" id="processing-the-webid-profile" typeof="bibo:Chapter" about="#processing-the-webid-profile">
<h4><span class="secno">2.3.3 </span>Processing the WebID Profile</h4>

<p>A Verification Agent <em class="rfc2119" title="must">must</em> be able to process documents in
RDF/XML [<a class="bibref" rel="biblioentry" href="#bib-RDF-SYNTAX-GRAMMAR">RDF-SYNTAX-GRAMMAR</a>]
and XHTML+RDFa [<a class="bibref" rel="biblioentry" href="#bib-XHTML-RDFA">XHTML-RDFA</a>].
A server responding to a WebID Profile request <em class="rfc2119" title="must">must</em> be able to
return a representation in RDF/XML (using media type <code>application/rdf+xml</code>) or 
XHTML+RDFa (using either media type <code>text/html</code> or media type <code>application/xhtml+xml</code>).
In addition, either parties <em class="rfc2119" title="may">may</em> support any other RDF format
via HTTP content-type negotiation.
</p>


</p><p class="issue">This section will explain how a Verification Agent extracts 
semantic data describing the identification credentials from a WebID Profile.</p>
</div>

<div class="normative section" id="extracting-identification-url-details" typeof="bibo:Chapter" about="#extracting-identification-url-details">
<h4><span class="secno">2.3.4 </span>Extracting Identification URL Details</h4>

<p>
The <a class="tref internalDFN" title="Verification_Agent" href="#dfn-verification_agent">Verification Agent</a> may use a number of different methods to
extract the public key information from the <a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a>.
</p>
The following SPARQL query outlines one way in which the public key
could be extracted from the <a class="tref internalDFN" title="WebID_Profile" href="#dfn-webid_profile">WebID Profile</a>:
<code><pre>
PREFIX cert: &lt;http://www.w3.org/ns/auth/cert#&gt;
PREFIX rsa: &lt;http://www.w3.org/ns/auth/rsa#&gt;
SELECT ?modulus ?exp
WHERE {
   ?key cert:identity &lt;http://example.org/webid#public&gt;;
      a rsa:RSAPublicKey;
      rsa:modulus [ cert:hex ?modulus; ];
      rsa:public_exponent [ cert:decimal ?exp ] .
}
</pre></code>

<p class="issue">This section still needs more information.</p>

</div>

<div class="normative section" id="determining-access-privileges" typeof="bibo:Chapter" about="#determining-access-privileges">
<h4><span class="secno">2.3.5 </span>Determining Access Privileges</h4>

<p class="issue">This section will explain how a Verification Agent may
use the information discovered via a WebID URL to determine if one should
be able to access a particular resource. It will explain how a Verification
Agent can use links to other RDFa documents to build knowledge about the
given WebID.</p>

</div>

</div>

<div id="appendix" typeof="bibo:Chapter" about="#appendix" class="section">

<div class="informative section" id="history" typeof="bibo:Chapter" about="#history">
<h4>Change History</h4><p><em>This section is non-normative.</em></p>
<p>2010-07-11 Initial version.</p>
</div>

<div class="informative section" id="acknowledgements" typeof="bibo:Chapter" about="#acknowledgements">
<h4>Acknowledgments</h4><p><em>This section is non-normative.</em></p>

<p>The following people have been instrumental in providing thoughts, feedback,
reviews, criticism and input in the creation of this specification:</p>

<ul>
<li>Melvin Carvalho</li>
<li>Bruno Harbulot</li>
<li>Toby Inkster</li>
<li>Ian Jacobi</li>
<li>Jeff Sayre</li>
<li>Henry Story</li>
</ul>

</div>
</div>
  


</div><div id="references" class="appendix section" typeof="bibo:Chapter" about="#references">
<!-- OddPage -->
<h2><span class="secno">A. </span>References</h2><div id="normative-references" typeof="bibo:Chapter" about="#normative-references" class="section"><h3><span class="secno">A.1 </span>Normative references</h3><dl class="bibliography" about=""><dt id="bib-HTTP-TLS">[HTTP-TLS]</dt><dd rel="dcterms:requires">E. Rescorla. <a href="http://www.ietf.org/rfc/rfc2818.txt"><cite>HTTP Over TLS.</cite></a> May 2000. Internet RFC 2818. URL: <a href="http://www.ietf.org/rfc/rfc2818.txt">http://www.ietf.org/rfc/rfc2818.txt</a> 
</dd><dt id="bib-N3">[N3]</dt><dd rel="dcterms:requires">Tim Berners-Lee; Dan Connolly. <a href="http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/"><cite>Notation3 (N3): A readable RDF syntax.</cite></a> 14 January 2008. W3C Team Submission. URL: <a href="http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/">http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/</a> 
</dd><dt id="bib-RDF-SYNTAX-GRAMMAR">[RDF-SYNTAX-GRAMMAR]</dt><dd rel="dcterms:requires">Dave Beckett. <a href="http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210"><cite>RDF/XML Syntax Specification (Revised).</cite></a> 10 February 2004. W3C Recommendation. URL: <a href="http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210">http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210</a> 
</dd><dt id="bib-RDFA-CORE">[RDFA-CORE]</dt><dd rel="dcterms:requires">Shane McCarron; et al. <a href="http://www.w3.org/TR/2010/WD-rdfa-core-20100422"><cite>RDFa Core 1.1: Syntax and processing rules for embedding RDF through attributes.</cite></a>22 April 2010. W3C Working Draft. URL: <a href="http://www.w3.org/TR/2010/WD-rdfa-core-20100422">http://www.w3.org/TR/2010/WD-rdfa-core-20100422</a> 
</dd><dt id="bib-TURTLE">[TURTLE]</dt><dd rel="dcterms:requires">David Beckett, Tim Berners-Lee. <a href="http://www.w3.org/TeamSubmission/turtle/">Turtle: Terse RDF Triple Language</a> January 2008. W3C Team Submission. URL: <a href="http://www.w3.org/TeamSubmission/turtle/">http://www.w3.org/TeamSubmission/turtle/</a> 
</dd><dt id="bib-X509V3">[X509V3]</dt><dd rel="dcterms:requires"><cite>ITU-T Recommendation X.509 version 3 (1997). "Information Technology - Open Systems Interconnection - The Directory Authentication Framework"  ISO/IEC 9594-8:1997</cite>.
</dd><dt id="bib-XHTML-RDFA">[XHTML-RDFA]</dt><dd rel="dcterms:requires">Shane McCarron; et. al. <a href="http://www.w3.org/TR/2010/WD-xhtml-rdfa-20100422"><cite>XHTML+RDFa 1.1.</cite></a> 22 April 2010. W3C Working Draft. URL: <a href="http://www.w3.org/TR/2010/WD-xhtml-rdfa-20100422">http://www.w3.org/TR/WD-xhtml-rdfa-20100422</a> 
</dd></dl></div><div id="informative-references" typeof="bibo:Chapter" about="#informative-references" class="section"><h3><span class="secno">A.2 </span>Informative references</h3><dl class="bibliography" about=""><dt id="bib-RDF-CONCEPTS">[RDF-CONCEPTS]</dt><dd rel="dcterms:references">Graham Klyne; Jeremy J. Carroll. <a href="http://www.w3.org/TR/2004/REC-rdf-concepts-20040210"><cite>Resource Description Framework (RDF): Concepts and Abstract Syntax.</cite></a> 10 February 2004. W3C Recommendation. URL: <a href="http://www.w3.org/TR/2004/REC-rdf-concepts-20040210">http://www.w3.org/TR/2004/REC-rdf-concepts-20040210</a> 
</dd><dt id="bib-RDF-PRIMER">[RDF-PRIMER]</dt><dd rel="dcterms:references">Frank Manola; Eric Miller. <a href="http://www.w3.org/TR/2004/REC-rdf-primer-20040210/"><cite>RDF Primer.</cite></a> 10 February 2004. W3C Recommendation. URL: <a href="http://www.w3.org/TR/2004/REC-rdf-primer-20040210/">http://www.w3.org/TR/2004/REC-rdf-primer-20040210/</a> 
</dd></dl></div></div></body></html>