[2008-06-17 04:42:31] JOIN #higgins :peace-keeper!n=peace-ke@chello084114169104.2.15.vie.surfer.at JOIN :#higgins
[2008-06-17 06:36:34] QUIT peace-keeper
[2008-06-17 06:50:07] JOIN #higgins :rcjsuen!n=rcjsuen@bas6-kitchener06-1177622216.dsl.bell.ca JOIN :#higgins
[2008-06-17 07:10:44] QUIT nairbreklew
[2008-06-17 07:17:36] JOIN #higgins :peace-keeper!n=peace-ke@chello084114169104.2.15.vie.surfer.at JOIN :#higgins
[2008-06-17 07:32:29] JOIN #higgins :paul_!n=chatzill@static-68-162-255-8.bos.east.verizon.net JOIN :#higgins
[2008-06-17 07:46:55] JOIN #higgins :MikeMc!n=MikeMc@ool-457d0c29.dyn.optonline.net JOIN :#higgins
[2008-06-17 07:51:09] hmmm
[2008-06-17 07:51:45] I just got this back from an attempt to send mail to the higgins-dev list
[2008-06-17 07:51:47] Delivery Failure Report
[2008-06-17 07:51:47] Your message: IBase64Extension RIP
[2008-06-17 07:51:47] was not delivered to: higgins-dev@eclipse.org
[2008-06-17 07:51:47] because: 554 Service unavailable; Client host [32.97.182.145] blocked using proxies.blackholes.wirehub.net
[2008-06-17 07:54:44] PART #higgins
[2008-06-17 07:55:22] hmm, me too. I tried to register for higgins-dev
[2008-06-17 07:56:04] wirehub.net seems not to operate anymore
[2008-06-17 07:56:37] and, according to http://lists.mailscanner.info/pipermail/mailscanner/2003-May/013209.html
[2008-06-17 07:56:54] it's called blackholes.easynet.nl now
[2008-06-17 08:27:35] JOIN #higgins :nairbreklew!n=chatzill@static-68-162-255-8.bos.east.verizon.net JOIN :#higgins
[2008-06-17 09:28:44] JOIN #higgins :MikeMc!n=MikeMc@nat/ibm/x-d220e3620fa5282b JOIN :#higgins
[2008-06-17 09:45:34] jim i think idas.common needs to be changed to use util.saml instead of saml2idp.saml2 now
[2008-06-17 09:45:51] doesn't it need to use the common version?
[2008-06-17 09:45:57] yes - sorry
[2008-06-17 09:46:01] misunderstood
[2008-06-17 09:47:49] JOIN #higgins :tdoman!n=TeeDoh@137.65.132.161 JOIN :#higgins
[2008-06-17 10:00:01] mike do i need sts.server.mapper.appliesto, sts.server.mapper.extension and sts.server.mapper.polling ?
[2008-06-17 10:00:16] yes you do
[2008-06-17 10:00:21] well
[2008-06-17 10:00:41] actually if you remove them from your configuration you can get away with not having them -...
[2008-06-17 10:01:05] however the appliesto mapper will come in handy soon when its enhanced
[2008-06-17 10:01:40] it should allow you as an idp to set up rp profiles so you can avoid needing to know which claims an rp needs
[2008-06-17 10:01:48] hmm
[2008-06-17 10:01:58] ok i'll just leave it in
[2008-06-17 10:04:35] JOIN #higgins :paul____!n=chatzill@static-68-162-255-8.bos.east.verizon.net JOIN :#higgins
[2008-06-17 10:13:58] QUIT paul_
[2008-06-17 11:00:53] QUIT Jimse
[2008-06-17 11:14:02] JOIN #higgins :Duane!n=dbuss@ORML012.digis.net JOIN :#higgins
[2008-06-17 11:20:37] QUIT MikeMc
[2008-06-17 11:29:54] JOIN #higgins :Jimse!n=jimse@137.65.229.55 JOIN :#higgins
[2008-06-17 12:20:04] JOIN #higgins :Duan1!n=dbuss@ORML012.digis.net JOIN :#higgins
[2008-06-17 12:20:15] QUIT Duane
[2008-06-17 12:23:33] JOIN #higgins :MikeMc!n=MikeMc@nat/ibm/x-f5fba44288001a0e JOIN :#higgins
[2008-06-17 12:24:27] Hey JimSe?
[2008-06-17 12:28:15] TomD?
[2008-06-17 12:29:04] I would like to know when the idas.common will change to point at the new util.saml stuff
[2008-06-17 12:31:55] should i just make the change ?
[2008-06-17 12:32:25] its ok with me
[2008-06-17 12:32:32] I was wondering same thing
[2008-06-17 12:32:48] the way it is now nothing builds
[2008-06-17 12:33:09] yeah
[2008-06-17 12:33:10] i'll do it
[2008-06-17 12:39:40] ok done
[2008-06-17 12:39:52] thanks - will update now
[2008-06-17 12:41:15] sorry, I was trying to do that
[2008-06-17 12:41:24] but my higgins2ant doesn't work
[2008-06-17 12:41:34] trying to find the instructions on how to install it
[2008-06-17 12:41:42] i installed it yesterday
[2008-06-17 12:41:45] for the first time actually
[2008-06-17 12:41:50] how did you do it?
[2008-06-17 12:41:51] mine either - so much that used to work doesn't we need a better process
[2008-06-17 12:42:19] via the remote install/update thing in eclipse
[2008-06-17 12:42:32] it worked perfectly for me (i never had or used any of the previous versions)
[2008-06-17 12:42:33] what's the URL for the remote site?
[2008-06-17 12:42:46] http://download.eclipse.org/technology/higgins/higgins2ant
[2008-06-17 12:43:09] sweet, I should have asked here instead of rummaging through my inbox
[2008-06-17 12:43:39] i found a very useful higgins2ant wiki page
[2008-06-17 12:51:57] <_keturn:#higgins@higginsircbot|QUIT>QUIT _keturn
[2008-06-17 12:51:59] wow, that site is super slow
[2008-06-17 12:52:18] just barely got the option to install the plugin
[2008-06-17 12:52:25] now it's downloading.... snore
[2008-06-17 12:52:52] hum the idas.cp.jndi also references saml2idp.saml2
[2008-06-17 12:52:57] i'm going to remove that too
[2008-06-17 12:53:14] hmm - took me less than 10 secs to download and install
[2008-06-17 12:53:28] probably some eclipse.org server snafu
[2008-06-17 12:53:51] oh - maybe its that damn IBM internal mirror finally adding value
[2008-06-17 12:55:15] :)
[2008-06-17 13:13:13] mike any idea what i'm doing wrong when i get "The specified request failed - XML Signature operation failed"
[2008-06-17 13:13:38] JOIN #higgins :MikeMc_!n=MikeMc@nat/ibm/x-af2645cbfe658253 JOIN :#higgins
[2008-06-17 13:13:48] mike any idea what i'm doing wrong when i get "The specified request failed - XML Signature operation failed"
[2008-06-17 13:14:46] hmmm - can you send me an email with more of the trac elog?
[2008-06-17 13:14:52] trace log
[2008-06-17 13:15:59] hmm i don't really have a trace, this message is from ISTSResponse.getFault().getDetail() after invoke()
[2008-06-17 13:16:20] there is no console output?
[2008-06-17 13:16:53] the STS is failing for some reason - need to see why
[2008-06-17 13:17:44] QUIT MikeMc_
[2008-06-17 13:17:54] JOIN #higgins :MikeMc_!n=MikeMc@nat/ibm/x-27a3db7873db0bb9 JOIN :#higgins
[2008-06-17 13:18:37] hmm
[2008-06-17 13:18:47] "Not an RSA key: DSA"
[2008-06-17 13:19:07] I'd love to know how that happened
[2008-06-17 13:19:19] http://pastebin.com/m3310522d
[2008-06-17 13:20:15] so I suspect that somehow you configured your IssuerKey to be a DSA Key
[2008-06-17 13:20:32] which in theory might work if you tell it to use DSA to sign with
[2008-06-17 13:20:46] i use ISTSRequest.setSelfSigningKeyPair before doing the invoke()
[2008-06-17 13:21:04] is there anything i can do wrong there
[2008-06-17 13:21:30] I don't think that is "normal" way - you should configure a signing key and use that
[2008-06-17 13:22:03] setSelfSigningKeyPair is used when using personal cards
[2008-06-17 13:22:12] you are running a
[2008-06-17 13:22:16] "managed" idp
[2008-06-17 13:22:19] hmm
[2008-06-17 13:22:35] so how do i tell the sts what key to use to sign the assertion
[2008-06-17 13:22:51] in your config file ...
[2008-06-17 13:23:06] ah
[2008-06-17 13:23:42]
[2008-06-17 13:23:43]
[2008-06-17 13:23:43]
[2008-06-17 13:23:43] STSKeyStore
[2008-06-17 13:23:43]
[2008-06-17 13:23:43] leaf
[2008-06-17 13:23:45]
[2008-06-17 13:23:47] changeit
[2008-06-17 13:23:49]
[2008-06-17 13:24:15] damn i don't have it in a keystore
[2008-06-17 13:24:56] how do you have it?
[2008-06-17 13:25:07] i have the private key in a .der, and the certificate in a .pem
[2008-06-17 13:25:51] I had that too and someone showed me how to convert - I need to remember who
[2008-06-17 13:26:19] yes i think i now how.. need to do some funny openssl and keytool commands
[2008-06-17 13:26:21] know
[2008-06-17 13:26:45] any way of passing the sts a PrivateKey and a PublicKey programmatically instead of putting it into the config file ?
[2008-06-17 13:27:04] yes - you can just set the same map entries
[2008-06-17 13:28:49] as long as there is a map with the right stuff in it when configure gets called the sts cares not how things got there
[2008-06-17 13:29:23] i could put it into mapInvocationSettings for example ?
[2008-06-17 13:29:34] let me check
[2008-06-17 13:29:42] QUIT MikeMc
[2008-06-17 13:29:47] or mapComponentSettings ?
[2008-06-17 13:29:50] both is null right now
[2008-06-17 13:29:51] in theory that should work but I suspect not really -
[2008-06-17 13:31:53] the code currently does:
[2008-06-17 13:31:54] certificateIssuer = (X509Certificate)mapGlobalSettings.get
[2008-06-17 13:31:54] ("IssuerCertificate");
[2008-06-17 13:31:54] privateKeyIssuer = (PrivateKey)mapGlobalSettings.get
[2008-06-17 13:31:54] ("IssuerPrivateKey");
[2008-06-17 13:32:22] so just need to put into global settings map and can wait to right before invoke
[2008-06-17 13:32:32] so you can :
[2008-06-17 13:33:10] mapGlobalSettings.put
[2008-06-17 13:33:10] ("IssuerCertificate", yourCert);
[2008-06-17 13:33:10] mapGlobalSettings.put
[2008-06-17 13:33:10] ("IssuerPrivateKey", yourKey);
[2008-06-17 13:33:14] yeah
[2008-06-17 13:33:15] sounds good
[2008-06-17 13:33:17] i'll try that
[2008-06-17 13:34:20] is your key/cert an RSA key?
[2008-06-17 13:34:26] or is it DSA?
[2008-06-17 13:34:45] can you send me your cert?
[2008-06-17 13:34:59] it's dsa i think
[2008-06-17 13:35:10] ok -then some other changes are needed too
[2008-06-17 13:35:31] here's the cert: http://pastebin.com/m70162d3
[2008-06-17 13:36:24] actually both the cert and the private key are in the SVN
[2008-06-17 13:36:59] which project? test/server/saml2?
[2008-06-17 13:38:26] saml2idp.server
[2008-06-17 13:38:42] in /WebContent/conf
[2008-06-17 13:38:53] take a look at XMLSecurityApacheExtension - at the top a whole bunch of algorithm defaults are set - you can over-ride them via the config or same way you set the keys
[2008-06-17 13:40:34] in which sts project is that ?
[2008-06-17 13:40:57] ah got it
[2008-06-17 13:41:26] so you need to change the SignatureAlgorithm
[2008-06-17 13:41:56] I think that is all
[2008-06-17 13:42:17] hmm now i'm getting this
[2008-06-17 13:42:18] http://pastebin.com/m2f5934a8
[2008-06-17 13:43:23] I've just made some local changes - what is on line 396 in your file?
[2008-06-17 13:43:46] final Fault fault = new Fault
[2008-06-17 13:43:54] (constants.getWSTrustNamespace(),
[2008-06-17 13:43:54] "wst",
[2008-06-17 13:43:54] constants.getRequestFailedFaultCode(),
[2008-06-17 13:43:54] "The specified request failed",
[2008-06-17 13:43:54] "Self Signing KeyPair not set.");
[2008-06-17 13:43:56] so you have the Issuer set to "self"
[2008-06-17 13:44:19] you should use a different name for a real idp
[2008-06-17 13:44:49] can i just make up some URI for that ?
[2008-06-17 13:45:15] yes - make sure the uri you use matches what is in the config where self used to be
[2008-06-17 13:45:23] yes
[2008-06-17 13:47:26] hmm "The specified request failed - No Configuration Found."
[2008-06-17 13:47:41] you did not change all the self in the config
[2008-06-17 13:48:00] ah yes my fault
[2008-06-17 13:49:02] what's ALF ?
[2008-06-17 13:49:45] remove it from your config - I've removed it from mine - its a project that was using our stuff and needed a special handler but we don't need that anymore
[2008-06-17 13:50:13] ok
[2008-06-17 13:50:32] so i don't need the jar for sts.server.token.alf either
[2008-06-17 13:50:39] no
[2008-06-17 13:53:24] http://pastebin.com/m27b67536
[2008-06-17 13:53:54] for (int i = 0; i < listExtensionMappers.size(); ++i)
[2008-06-17 13:54:03] hmm did i delete something from my config that i shouldn't have deleted
[2008-06-17 13:54:31] I think so - can you send it to me?
[2008-06-17 13:55:09] wait i'm trying something
[2008-06-17 13:55:18] QUIT paul____
[2008-06-17 13:57:44] to switch to DSA, i should put an "SignatureAlgorithm" entry into the mapGlobalSettings ?
[2008-06-17 13:59:40] no - into the component settings for the XMLSecurityExtension
[2008-06-17 14:04:53] weeeeeeeee
[2008-06-17 14:04:55] i got something
[2008-06-17 14:05:14] ok - did you get an assertion or a response?
[2008-06-17 14:05:26] i got a SAML:1.0:assertion
[2008-06-17 14:05:33] guess i forgot to adjust the config
[2008-06-17 14:05:44] no
[2008-06-17 14:05:58] in the call to the factory there is a param for token type
[2008-06-17 14:06:13] you pass in a uri that ends with :assertion
[2008-06-17 14:06:18] change that to :protocol
[2008-06-17 14:06:22] no, i pass "urn:oasis:names:tc:SAML:2.0:protocol"
[2008-06-17 14:06:27] hmmm
[2008-06-17 14:06:38] and you get an assertion?
[2008-06-17 14:06:45] yes
[2008-06-17 14:06:55] in the getRequestSecurityTokenResponseCollection(), is there more than one item?
[2008-06-17 14:06:59] i just get the first
[2008-06-17 14:07:04] just the first
[2008-06-17 14:07:07] hmm
[2008-06-17 14:07:32] i still have "urn:oasis:names:tc:SAML:1.0:assertion" in a few places in the config
[2008-06-17 14:07:32] can you send me the log/console info?
[2008-06-17 14:07:44] for example in AppliesToMapping / TokenType
[2008-06-17 14:07:44] that should not matter
[2008-06-17 14:07:57] you should be able to ask for either an assertion or a response
[2008-06-17 14:08:26] so for some reason you are going down a path I am handling wrong
[2008-06-17 14:09:07] if you send me the log/console info I might be able to figure it out
[2008-06-17 14:09:54] this is what i get: http://pastebin.com/d23a0a7cb
[2008-06-17 14:10:02] i'll paste the log too
[2008-06-17 14:12:40] hmm
[2008-06-17 14:12:54] when i want to paste the log, pastebin says it's spam
[2008-06-17 14:12:58] :)
[2008-06-17 14:13:12] i see this:
[2008-06-17 14:13:13] 20265 [http-7080-Processor24] ERROR org.eclipse.higgins.sts.server.token.saml.TokenGeneratorHandler - Unsupported claim
[2008-06-17 14:14:59] what claims are you asking for?
[2008-06-17 14:17:14] none
[2008-06-17 14:17:30] i pass null to "claims" in createRequest()
[2008-06-17 14:17:50] hmmm - so you want no Attributes
[2008-06-17 14:17:59] yes.. for now..
[2008-06-17 14:18:19] give me a few min to look at that path
[2008-06-17 14:18:32] distracted by ITA FRA game ;-)
[2008-06-17 14:19:01] me too :)
[2008-06-17 14:19:13] pretty exciting so far
[2008-06-17 14:19:32] if you're italian ;-)
[2008-06-17 14:20:11] my config contains "urn:oasis:names:tc:SAML:1.0:assertion" three times, and doesn't contain "urn:oasis:names:tc:SAML:2.0:protocol" at all
[2008-06-17 14:20:16] you sure that's not a problem?
[2008-06-17 14:20:29] that is a problem ;-) -
[2008-06-17 14:21:41] JOIN #higgins :MikeMc!n=MikeMc@nat/ibm/x-866d9e799147b41b JOIN :#higgins
[2008-06-17 14:22:11] can you look at the LocalManagedConfiguration.xml in my axis1x.service project?
[2008-06-17 14:22:16] look for protocol
[2008-06-17 14:22:46] ok
[2008-06-17 14:22:47] got it
[2008-06-17 14:23:42] hmm which of these extensionmap entries should i copy
[2008-06-17 14:24:09] all of them - except change the issuer to yours
[2008-06-17 14:24:26] yeah
[2008-06-17 14:26:54] many entries don't have Issuer
[2008-06-17 14:27:01] guess that's fine
[2008-06-17 14:31:22] hmmm The specified request failed - No Extension for Configuration.
[2008-06-17 14:34:47] ERROR org.eclipse.higgins.sts.server.trust.SecurityTokenService - No TokenExtension Configured for this Request.
[2008-06-17 14:35:06] but i copied it all and changed the issuer..
[2008-06-17 14:38:30] JOIN #higgins :paul____!n=chatzill@static-68-162-255-8.bos.east.verizon.net JOIN :#higgins
[2008-06-17 14:38:57] guess i have to replace SAMLSelfIssue with SAMLIssue
[2008-06-17 14:39:13] QUIT MikeMc_
[2008-06-17 14:39:28] weeeeeee
[2008-06-17 14:39:31] i got something
[2008-06-17 14:41:21] i got a urn:oasis:names:tc:SAML:2.0:assertion
[2008-06-17 14:41:36] inside a samlp:Response
[2008-06-17 14:41:43] mike, sorry for butting in , but could you check in your version of the config with the sts.server.token.alf stuff removed?
[2008-06-17 14:42:05] i think mike is watching ITA vs FRA
[2008-06-17 14:42:30] JOIN #higgins :MikeMc_!n=MikeMc@nat/ibm/x-d13710cde0d1162f JOIN :#higgins
[2008-06-17 14:42:32] so am I :)
[2008-06-17 14:42:35] half time
[2008-06-17 14:42:39] damn irc keeps dropping me
[2008-06-17 14:42:45] i got a urn:oasis:names:tc:SAML:2.0:assertion !!
[2008-06-17 14:42:47] wee
[2008-06-17 14:42:59] just an assertion? not a response?
[2008-06-17 14:43:08] yes a samlp:Response !
[2008-06-17 14:43:12] oh ok
[2008-06-17 14:43:16] but it's inside a can i strip that ?
[2008-06-17 14:43:22] yes
[2008-06-17 14:43:33] you need to strip that
[2008-06-17 14:43:50] can i do that with config, or do i have to do it manually
[2008-06-17 14:44:09] you need to do it manually
[2008-06-17 14:45:13] the client samples should show you how
[2008-06-17 14:45:24] funny my test RP understands it even with the wst:RequestedSecurityToken wrapped around
[2008-06-17 14:45:47] i wouldn't have expected that
[2008-06-17 14:46:10] mike, sorry for butting in , but could you check in your version of the config with the sts.server.token.alf stuff removed?
[2008-06-17 14:46:20] QUIT MikeMc
[2008-06-17 14:47:52] its done already
[2008-06-17 14:47:58] markus:
[2008-06-17 14:47:59] RSTR = (org.eclipse.higgins.sts.api.IRequestSecurityTokenResponse)listRSTR.get(0);
[2008-06-17 14:47:59] elemRequestedSecurityToken = RSTR.getRequestedSecurityToken();
[2008-06-17 14:47:59] omRequestedSecurityToken = (org.apache.axiom.om.OMElement)elemRequestedSecurityToken.getAs
[2008-06-17 14:47:59] (org.apache.axiom.om.OMElement.class);
[2008-06-17 14:47:59] qnameSAMLResponse = new javax.xml.namespace.QName
[2008-06-17 14:48:01] (constants.getSAML20ProtocolNamespace().toString(),
[2008-06-17 14:48:03] "Response");
[2008-06-17 14:48:05] omReturnedSAMLResponse = omRequestedSecurityToken.getFirstChildWithName
[2008-06-17 14:48:07] (qnameSAMLResponse);
[2008-06-17 14:48:47] nice thanks
[2008-06-17 14:55:46] is anything wrong with simply toString()ing an OMElement ?
[2008-06-17 14:56:04] I don't think you will get what you expect
[2008-06-17 14:56:46] do you have a better way in one of your examples ?
[2008-06-17 14:57:13] with toString() i get a perfect samlp:Response, my test RP is entirely happy with it
[2008-06-17 14:57:20] but if there's a "right" way to do it..
[2008-06-17 14:57:31] ok - if it gives you right thing then use it
[2008-06-17 14:58:19] anyway, this is all great
[2008-06-17 14:59:00] ok - I am hoping we can start to move more stuff into common use
[2008-06-17 15:00:21] <_keturn:#higgins@higginsircbot|JOIN>JOIN #higgins :_keturn!n=acapnoti@c-71-236-228-127.hsd1.or.comcast.net JOIN :#higgins
[2008-06-17 15:00:45] i still need my util classes to 1. parse the authnrequest, and 2. build a saml response if i don't have a password for the user
[2008-06-17 15:01:07] but the "core" functionality is taken care of by the sts now, which is great
[2008-06-17 15:01:13] actually that is something we should discuss - what goes into such a response?
[2008-06-17 15:03:37] hmm the usual elements..
[2008-06-17 15:03:45] subject, nameid, issuer, conditions
[2008-06-17 15:03:46] what subject?
[2008-06-17 15:04:18] the subject is just a string which i got from somewhere
[2008-06-17 15:04:26] it's not in any higgins context
[2008-06-17 15:05:10] so its easy enough to make this happen with STS just trying to figure out the details
[2008-06-17 15:06:31] currently - the identity handler authns the user and fills in the digitalIdentity - but another handler could just fill in the digital identity some other way
[2008-06-17 15:06:53] maybe i could just pass null as the password or something like that
[2008-06-17 15:07:29] no - it would still try to lookup the user via idas that way - need a new type of identity handler
[2008-06-17 15:07:42] actually the self handler does something like that already
[2008-06-17 15:07:57] JOIN #higgins :Jeesmon!n=jjacob@static-68-162-255-8.bos.east.verizon.net JOIN :#higgins
[2008-06-17 15:08:07] takes the claim values from the request and puts them into the DI
[2008-06-17 15:08:07] 2:0
[2008-06-17 15:09:29] on my web feed its still 1-0
[2008-06-17 15:09:50] woah that must be a few minutes old
[2008-06-17 15:10:11] just got it
[2008-06-17 15:10:27] well i'm also on a web feed
[2008-06-17 15:10:55] ouch - henry own goal
[2008-06-17 15:11:25] haha now i can spoil all your surprising moments by saying everything before you see it
[2008-06-17 15:11:37] it should be - they gave it to the italian - but keeper had shot covered til henry changed it
[2008-06-17 15:12:13] or worse you can make up stuff
[2008-06-17 15:12:49] NED - ROU is 1:0 btw, so ITA's got a chance :)
[2008-06-17 15:13:09] yeah - didn't think NED would lay down
[2008-06-17 15:14:21] the worst part is that now that you are relaying important events I know that none of these chances turn into anything
[2008-06-17 15:14:30] they're doing all right. at least they're not wearing those baby-blue socks again...
[2008-06-17 15:16:14] game time is 70:50 here
[2008-06-17 15:16:24] now 71:00
[2008-06-17 15:16:40] 68:21
[2008-06-17 15:22:18] I wish france would score a couple to make this interesting
[2008-06-17 15:22:35] well i think it's pretty much over
[2008-06-17 15:22:47] yeah - france look pretty beat
[2008-06-17 15:23:48] this is just about when Turkey started to comeback from down 2-0
[2008-06-17 15:23:57] ;-)
[2008-06-17 15:24:00] true..
[2008-06-17 15:24:06] i was just gonna say that myself :)
[2008-06-17 15:24:31] but turkey had 11 til they were up 3-2
[2008-06-17 15:24:41] So Markus (sorry to interrupt the game), I'm looking at http://www.parity.com/spec/udi/udi-syntax.html. Is there an example of a Relative Resource UDI that I could look at to see how it looks different from an absolute one?
[2008-06-17 15:24:55] Jim - please stay on topic
[2008-06-17 15:25:01] :)
[2008-06-17 15:25:42] jim a relative resource UDI can be any string that makes sense for a particular context
[2008-06-17 15:25:55] e.g. an LDAP DN
[2008-06-17 15:26:29] a "relative resource UDI" is exactly what an entity ID within a context is today
[2008-06-17 15:26:59] ok, so if I'm given a string, and I'm only told that it's a Resource UDI, is there a way for me to know that it's relative or not?
[2008-06-17 15:28:01] hmm not really
[2008-06-17 15:28:21] i think there should be a class ResourceUDI which always represents an absolute resource UDI, and it should have a method getRelative() that returns a string
[2008-06-17 15:29:15] what if instead of "always representing an absolute..." it had an isRelative() method?
[2008-06-17 15:29:59] hmm yes, but i'm not sure how to reliably tell absolute and relative apart, if you don't know it in advance
[2008-06-17 15:30:22] maybe the class's ctor forces you to tell it? I dunno.
[2008-06-17 15:30:48] hm yes that would work of course
[2008-06-17 15:30:56] the hard thing is that I think we wanted this to act like an XML literal. Meaning there's a getLexical()
[2008-06-17 15:31:05] and typically a simple string ctor
[2008-06-17 15:31:37] anyway, let me back up... I want to impl some minimal support for relative EntityUDIs in IdAS
[2008-06-17 15:32:05] so people can create an attribute with a value which simply points at some IEntity in the same context
[2008-06-17 15:32:23] goal
[2008-06-17 15:32:38] yeah, I'd say that's me goal ;)
[2008-06-17 15:32:43] :)
[2008-06-17 15:33:07] guess i need to pay attention
[2008-06-17 15:33:14] in the other game!
[2008-06-17 15:33:26] is it tied now?
[2008-06-17 15:33:33] 2:0
[2008-06-17 15:33:36] i think a relative resource UDI should really just be a string, and instances of a class called ResourceUDI should always be absolute
[2008-06-17 15:33:49] oh - Italy so does not deserve to move on
[2008-06-17 15:34:19] one good game should not be enough
[2008-06-17 15:34:23] so you could tell idasregistry "here's the ResourceUDI - give me the Entity"
[2008-06-17 15:34:53] ok, so are you suggesting we should have two attribute value datatypes? One for relative and another for absolute?
[2008-06-17 15:35:08] hmmm
[2008-06-17 15:35:28] right now, Paul made one datatype http://www.eclipse.org/higgins/ontologies/2008/6/higgins-doc/higgins_entityId.html
[2008-06-17 15:35:34] entityId
[2008-06-17 15:35:47] and its range is http://www.eclipse.org/higgins/ontologies/2008/6/higgins-doc/higgins_EntityUDI.html
[2008-06-17 15:35:51] "The identifier may be an Entity UDI or a string."
[2008-06-17 15:35:52] hmm
[2008-06-17 15:36:18] yeah, this whole thing sucks IMO. How is anyone supposed to know what it really is?
[2008-06-17 15:37:06] but it's useful to have a single identifier (UDI) that points right at an entity within a context, no?
[2008-06-17 15:37:14] yes
[2008-06-17 15:38:00] ok, so I guess if there's an attribute with a value which is a pointer to another entity, it will have a "valueType" in IdAS terms.
[2008-06-17 15:38:01] the absolute entity UDI contains everything to identify the context and the entity.. whereas the relative entity UDI only contains everything to identify the entity if you already have the context
[2008-06-17 15:38:23] hmm not sure what valueType means
[2008-06-17 15:38:30] games over
[2008-06-17 15:38:30] the valueType will be EntityUDI if it's a resource UDI
[2008-06-17 15:38:58] valueType is the data type for the attribute value
[2008-06-17 15:39:06] so, it could be xsd:string
[2008-06-17 15:39:12] ah ok
[2008-06-17 15:39:17] or higgins:EntityUDI, or whatever
[2008-06-17 15:39:56] so, at least we'll know whether it's a simple string or an entity UDI
[2008-06-17 15:40:10] yes
[2008-06-17 15:40:27] but now I'm wondering if we should not have entityUDI, and instead have relativeEntityUDI and absoluteEntityUDI
[2008-06-17 15:41:02] since the string value of an entityUDI can't be examined and a determination made regarding its "absoluteness"
[2008-06-17 15:42:56] so you would use them both for relations and correlations ?
[2008-06-17 15:43:43] I forget the semantic difference between those two :(
[2008-06-17 15:43:53] PART #higgins
[2008-06-17 15:44:22] correlation = entities representing the same real world thing
[2008-06-17 15:44:28] oh, correlation is like "I'm also that"
[2008-06-17 15:44:30] ok
[2008-06-17 15:45:13] i guess it would make sense to have both absolute and relative entity UDIs for relations and correlations
[2008-06-17 15:45:22] Higgins is now only an info card thing?
[2008-06-17 15:45:24] relative, if the other entity is in the same context
[2008-06-17 15:45:35] yeah
[2008-06-17 15:46:08] I mean, one *could* have absolute references to things in the same context, but they don't need to
[2008-06-17 15:46:21] right
[2008-06-17 15:46:49] and the idasregistry (or some helper component) would have methods to look up the entities
[2008-06-17 15:47:28] just like today there's a method that gives you a complete IContext given a IContextId
[2008-06-17 15:47:39] right
[2008-06-17 15:47:45] there should be methods that give you an entity for an entity UDI, or even an attribute for an attribute UDI
[2008-06-17 15:48:18] so, I'm working on a bug which I guess is the first of such a method
[2008-06-17 15:48:38] i can work on these things, but we should decide if that should be in the idasregistry or somewhere else
[2008-06-17 15:48:55] the request from paul was to have a switch that would cause a CP to dereference attribute values when they pointed at entities
[2008-06-17 15:49:33] well the CP would simply use one of these UDI methods
[2008-06-17 15:49:40] hmm
[2008-06-17 15:50:25] yeah, as long as the methods are smart enough to not cause a new Context to be instantiated
[2008-06-17 15:50:56] I mean, if the UDI is relative, then the dereferenced entity should be associated with the same context that the reference was found in
[2008-06-17 15:51:05] yes..
[2008-06-17 15:51:56] if it's relative, you just call getEntity() on the same IContext
[2008-06-17 15:51:57] anyway, if I know the UDI is relative, all I have to do (in a CP) is say return thisContext.getEntity(udiVal.toString)
[2008-06-17 15:52:01] jinx
[2008-06-17 15:52:04] right :)
[2008-06-17 15:52:33] great minds think alike
[2008-06-17 15:52:37] which was exactly why I was wondering if I could tell by parsing a UDI whether it was relative
[2008-06-17 15:54:04] well in XRI form you could
[2008-06-17 15:54:10] and in URI form you could too
[2008-06-17 15:54:17] but it's supposed to be a generic concept
[2008-06-17 15:55:35] if we say it's possible to tell them apart, then we automatically impose restrictions on the relative UDI, i.e. restrictions on what the CP can use to identify its entities
[2008-06-17 15:55:35] so, if you were to build something like a UDI dereferencer, and you were given a string and only told it was a UDI, should you dereference it to whatever it pointed at?
[2008-06-17 15:56:05] ok, I think the answer is no then
[2008-06-17 15:56:27] yeah
[2008-06-17 15:56:31] which means to me, these things need to be "typed"
[2008-06-17 15:56:35] yeah
[2008-06-17 15:57:33] ok, so I think I'll suggest to paul that in the model, an entityID should have a range of string, relativeEntityUDI, or absoluteEntityUDI
[2008-06-17 15:58:37] why string ?
[2008-06-17 15:58:47] well, it's already one of the choices
[2008-06-17 15:58:54] don't ask me -- ask Tony
[2008-06-17 15:59:04] he's the one who kept insisting
[2008-06-17 15:59:10] yeah i know..
[2008-06-17 15:59:34] well i see no problem with that
[2008-06-17 15:59:36] Maybe if he knows that a relative entity UDI and a string-form entityID are EXACTLY the same, he'd back off
[2008-06-17 15:59:43] are they exactly the same?
[2008-06-17 15:59:54] yes i think so
[2008-06-17 16:00:08] I'll append that to my note on the dev list
[2008-06-17 16:00:14] relative entity UDI identifies the entity within the context and can be any string
[2008-06-17 16:01:07] ok -- I *think* that should allow us to do away with the string choice
[2008-06-17 16:43:22] Markus, doesn't the relative entity UDI have to be an IRI segment?
[2008-06-17 16:46:00] Doesn't the relative UDI have to be something that is properly escaped so that it can be concatenated with a ContextUDI and a delimiter to create a valid URI?
[2008-06-17 16:46:44] Is the relative part *always* at the end?
[2008-06-17 16:47:01] if so, it seems like it could be parsable without any escapement
[2008-06-17 16:50:16] My problem is that I can think of strings that, when prepended with "http://example.com/context666#" are not valid URIs
[2008-06-17 16:50:33] Like a string with spaces in it for example
[2008-06-17 16:51:06] sorry i was on phone
[2008-06-17 16:51:10] The syntactic space of a string is larger than the syntactic space of an URI fragment
[2008-06-17 16:51:22] oh, I see
[2008-06-17 16:51:29] So whereas all relativeEntityIds are strings, the converse isn't true.
[2008-06-17 16:51:35] so they are *not* equivalent
[2008-06-17 16:51:40] right
[2008-06-17 16:51:52] Tony wants to be able to use unconstrained strings
[2008-06-17 16:52:06] and they do need escapement when represented as a relativeEntityUDI
[2008-06-17 16:52:22] yes
[2008-06-17 16:52:25] ugh
[2008-06-17 16:53:05] I tried to get Tony to agree that REQUIRING normalization of strings wasn't a significant constraint, but he didn't see it that way
[2008-06-17 16:53:16] well the way i think of it an absolute entity UDI consists of a context UDI and an ENCODED relative entity UDI
[2008-06-17 16:53:33] i think the relative entity UDI can be any string, it just gets encoded when put into an absolute entity UDI
[2008-06-17 16:54:03] Oh I see what you're saying now
[2008-06-17 16:54:06] you think a relative entity UDI can contain an un-encoded string?
[2008-06-17 16:54:30] works fo rmew
[2008-06-17 16:54:39] works fo rmew too
[2008-06-17 16:54:40] (for me)
[2008-06-17 16:54:45] :)
[2008-06-17 16:54:46] grr
[2008-06-17 16:54:52] you can have a relative entity UDI http://myentity, and when you put it into an absolute entity UDI it becomes http://mycontext#htt%20%27%27myentity
[2008-06-17 16:55:09] I like that
[2008-06-17 16:55:10] I think I like this approach
[2008-06-17 16:55:10] (don't know the actual percent encodings for ://)
[2008-06-17 16:56:24] QUIT rcjsuen
[2008-06-17 16:56:51]
[2008-06-17 16:57:32] I know... I was just thinking Higgins is bigger than card-based things
[2008-06-17 16:57:56] Exposing the Higgins graph outside the context of cards is still useful
[2008-06-17 16:58:10] but you can change the topic back, I was just messing around
[2008-06-17 16:58:11] Gotcha.
[2008-06-17 16:58:46] I needed something to do while everyone was talking sports
[2008-06-17 16:59:24] Oh, in that case I agree. I've been wondering about something like "Open Source Information Cards and Identity Framework"?
[2008-06-17 16:59:32] there's actually a #euro2008 channel on this server [2008-06-17 16:59:42] I like that, Paul [2008-06-17 16:59:55] I thought this was a geek-only server [2008-06-17 17:00:11] So as not to get shot to hell, I'll propose it to the list. Okay, back to geeking... [2008-06-17 17:00:21] when i changed the topic to "information card framework", i took this from http://www.eclipse.org/higgins/ [2008-06-17 17:01:11] yeah, I see [2008-06-17 17:01:24] So Jim, are you going to answer your own email on the dev list and propose what we're talking about here? [2008-06-17 17:01:34] too bad we can't sum up what's said here in 5 or 6 words: http://www.eclipse.org/higgins/about.php [2008-06-17 17:02:01] summing up higgins in 5 or 6 words is impossible [2008-06-17 17:02:14] did we propose to do what I had asked, with the clarification that relative entity udi's are unencoded strings? [2008-06-17 17:02:46] yes I think so [2008-06-17 17:02:49] Higgins: Open Source Identity Stuff [2008-06-17 17:03:29] Higgins: Look Nowhere Else For Identity [2008-06-17 17:03:42] So I need to change HOWL. [2008-06-17 17:03:47] yeah [2008-06-17 17:03:55] should there be a separate project for all these udi things, or should it be in idasregistry [2008-06-17 17:04:27] org.eclipse.higgins.idas.udi ? [2008-06-17 17:05:16] I'm not sure [2008-06-17 17:05:26] for udi classes, and methods like getEntity(entityUDI), getAttribute(attributeUDI), etc [2008-06-17 17:05:43] right now the context ID functionality is in idasregistry [2008-06-17 17:05:55] but i remember you saying it should be somewhere else [2008-06-17 17:06:02] The proposal is that we have higgins:RelativeEntityUDI as a typed value and higgins:AbsoluteEntityUDI as an alternative typed value of higgins#entityId ? [2008-06-17 17:06:13] Tony won't like it [2008-06-17 17:06:14] yeah [2008-06-17 17:06:29] I'm not sure why he'll dislike it [2008-06-17 17:06:32] any ideas? 
[2008-06-17 17:07:08] He'll say that we should be able to use "+1 (617) 555-1212" DIRECTLY as an entity id [2008-06-17 17:07:29] no problem [2008-06-17 17:07:30] further, he'll say that this should be an absolute entity id (although I'll object to that) [2008-06-17 17:07:31] here's the problem: I have no magic way of looking at an attribute value, seeing that it's an xsd:string type, and knowing it's actually a reference [2008-06-17 17:07:50] you can have absolute entity IDs that are neither XRIs nor URIs [2008-06-17 17:07:53] the concept is extensible [2008-06-17 17:08:12] as long as you can define UDI resolution for your own kind of UDI, no problem [2008-06-17 17:09:09] I guess I just don't see any reason to keep xsd:string as a data type for entityID when it's syntactically and semantically the same as relative entity UDI [2008-06-17 17:09:48] on that logic, one may argue that we don't need relativeEntityUDI -- just use xsd:string [2008-06-17 17:10:08] but I do need it when these things appear in other attributes [2008-06-17 17:10:17] the output of UDI resolution for an absolute entity UDI is defined to be: 1) a context type and 2) a relative entity UDI [2008-06-17 17:10:24] you can define that for phone numbers too [2008-06-17 17:11:15] Sounds good Markus. I think we'll need to document some examples of how we could use a phone number (with spaces, parens and all that junk) [2008-06-17 17:12:39] well i don't really understand what a context provider for phone numbers would do [2008-06-17 17:12:44] where it would get attributes from [2008-06-17 17:13:13] you're using the example of a CP where the entityID's are phone nums? [2008-06-17 17:13:29] I think that's what Tony wants to be able to do [2008-06-17 17:13:44] if +1 (617) 555-1212 points to an entity, then what are its attributes ? 
[2008-06-17 17:13:52] I think that was a contrived example, but I suppose you could build one backed by a reverse-phone directory [2008-06-17 17:13:52] where are they stored [2008-06-17 17:14:04] hmm ok [2008-06-17 17:14:24] would be like this http://www.whitepages.com/reverse-lookup [2008-06-17 17:15:06] Okay, so who is going to write up this proposed change and its implications for HOWL and for the IdAS API (don't know if there are any required changes to the UDI spex)? [2008-06-17 17:15:14] you remember a while ago we talked about how the concept of "context id" can be extended from xri and uri to also allow local configuration entries.. now with udi this is easier, because the resolution output is well defined [2008-06-17 17:15:48] yes [2008-06-17 17:16:13] just implement an interface -> you have a new kind of udi [2008-06-17 17:16:33] I'm happy to try to crank out a revised HOWL tonight if that would be helpful as PART of the solution [2008-06-17 17:17:34] in anticipation of your new HOWL, I'm coding to this data type: http://www.eclipse.org/higgins/ontologies/2008/6/higgins#EntityUDI [2008-06-17 17:17:37] oops [2008-06-17 17:17:42] http://www.eclipse.org/higgins/ontologies/2008/6/higgins#RelativeEntityUDI [2008-06-17 17:25:51] okay [2008-06-17 17:25:54] So Paul, do you think we should allow for attributeUDIs (relative and absolute) to also exist as attr values and also be dereferenced? [2008-06-17 17:26:13] (auto-dereferenced like we want with entity UDI values) [2008-06-17 17:27:38] great question. I'm trying to keep the power down as low as I can on everything, but it keeps creeping up. [2008-06-17 17:28:13] I think I have the impl done for dereferencing relative entity udi vals in the idas spi code. need to find a friendly cp that I can test it with. [2008-06-17 17:28:51] cool. 
we used to have a facebook CP ---would be cool to have one's friends pop up as auto-dereferenced Entities [2008-06-17 17:29:09] yeah [2008-06-17 17:29:13] markus knows where the code is (there isn't much of it) [2008-06-17 17:29:25] I think the inmem cp and jndi both use the spi code. [2008-06-17 17:29:36] I might just use one of those to test the deref code with [2008-06-17 17:29:52] would be really nice if someone built an "IdAS Browser" [2008-06-17 17:30:00] i made one [2008-06-17 17:30:03] really? [2008-06-17 17:30:13] yes, but not with the new UDIs [2008-06-17 17:30:18] is it standalone? [2008-06-17 17:30:28] can it work with any CP? [2008-06-17 17:30:28] one based on the old context IDs and node IDs [2008-06-17 17:30:30] yes [2008-06-17 17:30:42] a simple standalone java application [2008-06-17 17:30:50] cool, I wanna see it [2008-06-17 17:31:18] I have to leave now. Will work on the new HOWL [2008-06-17 17:31:21] later [2008-06-17 17:31:35] ok, thanks Paul [2008-06-17 17:31:57] i think org.eclipse.higgins.idas.explorer or something like that in app/ [2008-06-17 17:32:05] ok [2008-06-17 17:32:20] but it's very simple and probably doesn't work with the most recent idas code [2008-06-17 17:32:27] QUIT paul____ [2008-06-17 17:32:28] wait i may have it online somewhere [2008-06-17 17:33:11] https://camelot.parityinc.net/~msabadello/higginsexplorer/HigginsExplorer.jnlp [2008-06-17 17:35:32] how do you configure the context for that? [2008-06-17 17:35:42] when it comes up, it just asks for a nodeID [2008-06-17 17:37:01] hmm [2008-06-17 17:38:18] hold on a second [2008-06-17 17:38:25] it's ok [2008-06-17 17:40:33] I wonder if Paul intends AttributeUDI http://www.eclipse.org/higgins/ontologies/2008/6/higgins-doc/higgins_AttributeUDI.html to follow http://www.parity.com/spec/udi/udi-syntax.html#anchor11 [2008-06-17 17:40:37] I assume he does [2008-06-17 17:41:42] so, can an attribute UDI be relative to the resource that contains it, as well as relative to the context? 
[2008-06-17 17:42:18] meaning, can it simply point at an attribute on the same resource, and can it point to an attribute on a resource within the same context? [2008-06-17 17:43:45] right now if it's relative it can only point to an attribute on the same resource [2008-06-17 17:43:56] ok [2008-06-17 17:44:01] but i see no problem with making it be able to also point to an attribute on a different resource in the same context [2008-06-17 17:44:16] i guess [2008-06-17 17:44:21] haven't really thought about it [2008-06-17 17:44:34] well, I think I'm finding a problem in the different ways that we represent multi-valued attributes :( [2008-06-17 17:44:57] it's pretty simple to allow an attribute value to be a reference to an entity [2008-06-17 17:45:16] but I don't know what it means for an attribute value to refer to another attribute [2008-06-17 17:45:37] it's sort of ok, if the pointed-at attribute is single-valued [2008-06-17 17:46:17] but if I want one value to refer to one value of an attribute on another resource... I don't even know what that would look like [2008-06-17 17:47:10] it almost seems to me that if an attribute is going to refer to another attribute, then it must only have a single value which is an attribute UDI. [2008-06-17 17:47:19] just like you would call IContext.getEntity(relativeEntityUDI), you would call IEntity.getAttribute(relativeAttributeUDI), i.e. right now it's just meant to be relative to the entity [2008-06-17 17:47:27] hmm yes [2008-06-17 17:47:45] then if we're dereferencing, we can pull in *all* the values of the pointed-at attribute [2008-06-17 17:49:24] yes.. 
[2008-06-17 17:50:13] so do you think there should be relative attribute UDIs that are relative to the context [2008-06-17 17:50:21] or would that make things too complicated [2008-06-17 17:51:03] right now there's only an xri form of absolute attribute UDIs [2008-06-17 17:51:06] I think it would be nice to be able to say: my child's home phone number is the same as my home phone number [2008-06-17 17:51:09] we haven't figured out a URI form yet [2008-06-17 17:51:39] so, all I would need to represent that is a relative entity id + the attribute id [2008-06-17 17:51:54] yes [2008-06-17 17:52:27] in XRI that can work i guess [2008-06-17 17:52:39] absolute attribute UDI: @company/($context)*($ldap)//=(uid=bob,dc=acme,dc=com)/givenName [2008-06-17 17:52:51] relative-to-context attribute UDI: =(uid=bob,dc=acme,dc=com)/givenName [2008-06-17 17:53:02] relative-to-entity attribute UDI: givenName [2008-06-17 17:53:21] yeah [2008-06-17 17:53:37] but not sure about URI form [2008-06-17 17:53:50] can you have two #s in a URI? [2008-06-17 17:53:52] don't think so [2008-06-17 17:54:05] I doubt it [2008-06-17 17:54:08] well, I dunno [2008-06-17 17:54:21] that may be only a restriction if it's a URL [2008-06-17 17:54:32] would have to look :( [2008-06-17 17:54:47] http://www.company.com/contexts/ldap.xrds#uid=bob,dc=acme,dc=com#givenName [2008-06-17 17:55:21] for local configuration entries it would probably be simple [2008-06-17 17:55:42] myLocalContext//uid=bob,dc=acme,dc=com/givenName [2008-06-17 17:55:57] could you use the "?" to delimit between the entityID and attrID? [2008-06-17 17:56:35] hmm yes i thought of that, but to URI geeks this wouldn't seem right i think [2008-06-17 17:56:48] ah [2008-06-17 17:56:55] ? is for parameters, not to identify something [2008-06-17 17:57:01] right [2008-06-17 17:57:09] also, the ? 
has to come before the # [2008-06-17 18:01:10] well it's getting late here [2008-06-17 18:01:21] good night [2008-06-17 18:04:21] I was just going to ask Markus, when do you sleep, eat, go to the market? [2008-06-17 18:06:24] how can i sleep with the world being so full of problems.. [2008-06-17 18:06:33] haha [2008-06-17 18:06:51] you'll never sleep with that attitude [2008-06-17 18:07:05] e.g. our defeat by germany [2008-06-17 18:07:10] ahhh [2008-06-17 18:08:18] QUIT peace-keeper [2008-06-17 18:13:31] PART #higgins [2008-06-17 18:52:29] JOIN #higgins :rcjsuen!n=rcjsuen@engnaad147.uwaterloo.ca JOIN :#higgins [2008-06-17 19:13:00] QUIT nairbreklew [2008-06-17 19:20:10] QUIT tdoman [2008-06-17 19:31:31] JOIN #higgins :MikeMc!n=MikeMc@ool-457d0c29.dyn.optonline.net JOIN :#higgins [2008-06-17 19:56:01] QUIT rcjsuen [2008-06-17 20:12:08] QUIT Jimse [2008-06-17 20:24:59] JOIN #higgins :rcjsuen!n=rcjsuen@bas6-kitchener06-1177622216.dsl.bell.ca JOIN :#higgins [2008-06-17 20:33:25] JOIN #higgins :nairbreklew!n=chatzill@66-168-115-207.dhcp.oxfr.ma.charter.com JOIN :#higgins [2008-06-17 22:58:34] QUIT rcjsuen [2008-06-17 23:18:16] QUIT nairbreklew