Create Getting-Started-with-Akka-http-signature.md

[fstoqnov]

No description provided.

[bblfish]

should be "run sbt there"

[bblfish]

All of this section is about using Akka-http-signature as a client with an existing server. One implementation of the Http-signature protocol is rww-play (though it too could be using the akka-http-signature library as a client, and will in a future release)

[bblfish]

When talking of the HTTP verb GET it is always good to capitalise it and put it inside code quotes like so: GET

[bblfish]

I don't think that publishLocal of rww-play is that useful. It is not a library that is shared with other code. It makes sense for akka-http-signatures as that is a library that is shared.

[bblfish]

look up asymmetric key cryptography on wikipedia, and summarise it in a sentence or two with a link to the article.

[bblfish]

In the original introduction to scripting with ammonite I showed the @ sign in order to help the new user see the difference betwen a command in ammonite and a response from the shell. But it is not very helpful to show those when the response is not important, as it makes copying and pasting the code into a shell difficult.

[bblfish]

It is not "BigInt" notation, it is "decimal notation". BigInt is the object that allows one in Java to have indefinitely long numbers.

[bblfish]

It is not really worth showing this notation as it was already shown above in a way.

[bblfish]

yes, so we have decimal and hexadecimal format/notation (not sure which)

[bblfish]

save is not such a good name. You could open an issue on the akka repo, and suggest a better name. I'll think about it.

[bblfish]

but it is certainly worth noting that this is mime type based hexadecimal notation used in the PEM format readable by OpenSSL.

[bblfish]

the point of this exercise was not to make a new reference to the key, but to show that one can convert the key to a PEM formatted string and then convert it back to the same == object by reading that string. Ie. one can use the same public key another day.

[bblfish]

The whole section needs to explain what is being explained in this wiki page which is: using the library from a client perspective to authenticate using http-signature spec to a server in order to access a protected resource.

This requires:

1. making a public-private key pair
2. storing the private key locally for future re-use
3. publishing the public key on some web server (we will publish it on the local rww-play server)
4. changing the acl of a resource to restrict access to the person owning that key
5. then accessing that resource with that key using http-signature

This will then help people understand the structure of the wiki

[bblfish]

the general title of this section should be "saving the public key to rdf"

The current implementation of rww-play recognises public keys deployed using the cert ontology.

[bblfish]

It would be worth putting all of the above in a script.

[bblfish]

The document needs to be structured nicely so that a reader can understand why he is reading this, follow easily, and be directed to further documentation.

Also quite a few bugs need to be fixed.

[bblfish]

note this pgb function takes two functions,

1. the first one that constructs a rsa public key from a modulus and expoent, the first one a byte array I think, (which is built from a the hexdecimal literal
2. the second one constructs a pair that is then used to produce the rdf using the cert exponent and cert modulus properties shown above.

[bblfish]

it is worth no longer using Jena but Rdf as I do in the scripts on the ammonite page in the second part of the doc. This allows one to switch between Jena and Sesame easily.

[bblfish]

rename therefore to keyPG

[bblfish]

Here you need to state that the pointer is an automatically generated and not very beautiful blank node.
As we wish to publish this key to the server in its own resource we want the name of the key not to be a blank node but a #uri and moreover a readable one. So we'd rather have the node be something like <#key> rather than 5880.026289.0-02638.0-6288.0-06411.0-23110.021178.029228.0 .

This should be a simple operation part of banana-rdf, but is not, so I opened an issue for that issue 325: renaming a pointed graph. I also have written out some initial code there that you can add to the explanation showing the result.

Then you can move onto serialising the PG and moving it to the server.

[bblfish]

"The user can choose to view, ...." yes, but let's stay focused here. We are focused on trying to publish this key on a server. So the user can publish this graph on the web in one of the well known RDF formats.

[bblfish]

always put commands in backtick quotes so the reader knows these are terms from the computing space so cp or mv

[bblfish]

no, it's not the akka-http-signature lib, it is rww-play that uses symbolic links to indicate the default representation for a document. I gave you a pointer to how this is done on other servers, and which explains the content-negotiation that occurs in http. You can do a quick explanation of that here. The point of such a paragraph would be to explain how this setup is complex and different for each type of server. We will in the next section then show how LDP gives us a way to do the same thing without knowing how the server is set up.

[bblfish]

No, you don't need to edit the .acl.ttl files on rww-play. You can also use HTTP PATCH or other methods there to do the same. We start with editing the file system, in order to make clear what in this case the requests we are going to make are going to change. Also we want to first test that we can do Access control at all.

[bblfish]

you need to explain in english that what we are doing there is commenting out the line that gives access to everyone. This is currently explained in the web access control draft spec which I have not read carefully mind you, but we should point to it.

[bblfish]

ah ok. I just think the => notation above is not that clear. I would show the larger piece of code around that part, as otherwise the one line does not make sense: You are missing the subject of the triples.

[bblfish]

here you need both the @ and to set val = since you are looking to see the results of running the command.

[bblfish]

way too much white space in this whole code snippet. Please put 3 white spaces for indentation.

[bblfish]

There are two ways to use symmetric key encryption. One of them to encrypt messages, which you describe here shortly. The other to sign messages. We are using the second one in HTTP-Signature to sign the headers of HTTP messages. So you chose the wrong one.

Please replace with the usage that is relevant to the example here.

[bblfish]

The return value no longer matches the one set above (hexaPublic)

[bblfish]

to an RDF format.

[bblfish]

"In order ..."
We will use the banana binder library to show how this process can be done automatically and elegantly.

[bblfish]

If it is just a graph why call it keyPG, which is the extension we use for pointed graph.
Also missing val

pressed wrong button too soon.

[bblfish]

It would be better to remove the above paragraph and instead in the section after the PG is created use the code I mentioned in my comment previously to change the node from a blank node to a named node.

see the comment before your previous commit

That has the advantage of removing one error prone manual operation, and make it easier to actually understand what we want to do at the semantic level, rather than doing it at the syntactic one, which would furthermore require explanation of how to do this correctly in each of the formats.

Try to integrate the code that I proposed in the issue I referenced there (the "rename" function).

[bblfish]

1. rww-play is not a library but a web server. It should be turned into a few light weight libs but that is a job still to do.
2. the effects of content negotiation are preserved because one can link to files such as <card#me> and not be forced to link to <card.rdf#me> or <card.ttl#me> which would tie the name of the object described by #me in the pointed graph of the document to a particular serialisation format. Read the https://www.w3.org/TR/swbp-vocab-pub/ and see if you can use the above and explain this in a paragraph. The point of having the symbolic link is so that someone using an editor such as vi, emacs, or pico with a mode that could follow links, would be able to follow them on the file system too...

The mechanism is quite simple on the whole, but would be very complex if a client had to know in advance how each server does it - since they all do it differently.

[bblfish]

It would be better to state with what people know about - editing config files on the server - and then move to the fact that this can be now done using PATCH or PUT as shown in the curl examples. So this paragraph aptly changed should come further down. Note that the doc on usage of curl also starts by explaining how the server stores its files first, then moves on to explain how one can use the web to change them.

[bblfish]

That was wrong in the acl, so I removed it and replaced it with something that gives access to whatever agent can present the key.

Do a pull on rww-play to see the difference.

[bblfish]

Here you can show the output from curl to proove it.

[bblfish]

Two lines above are wrong. This is basic public key crypto stuff. Please reread your course notes and Wikipedia articles on this carefully

[bblfish]

only the intended clients (one that have access to said key) can ever receive the information within the message.

actually that is either true and an odd way of putting it, or false.
It is true because public key being public anyone can have access to it.
(It is true in in an HTTP message with a signature is sent over TLS, but that is due to TLS encryption of the channel )

So the question to you is: what headers have to be signed for there to be a garantee that the message was not altered?

[bblfish]

This looks wrong to me. Have you tested this?

[fstoqnov]

Yes, I move the file later on

[bblfish]

I think you can't pass a string to RSAKeys.save it either takes a public or private key.

[bblfish]

"Comment out the following" is much too vague.

You comment out the commented line (In Turtle, comments are whatever follows a # sign), and you comment out the line that follows it acl:agentClass which gives everyone permission. Ie: you want to restrict persmission to yourself.

[bblfish]

Try first to connect to https://localhost:8443/2013/card since that is the document whose acl we have changed, to see that it has. This may actually require restarting the server - it should not, but that's a bug.

[fstoqnov]

I did run It for card but the input was for the pubKey as that is the file weare dealing with (the output should be the same I assume)

[bblfish]

Please also remove all the unnecessary extra white spaces above. It is important for readability to keep as much on one page so the reader can avoid scrolling.

[bblfish]

This won't work. The types are wrong.

[bblfish]

"access to the , " ???
"access is restricted only to them" <- this means you give permission to everyone since "them" refers to the last thing you referred to in the sentence. People will guess what is meant, but documentation is not meant to be unecessarily require guessing.

[bblfish]

I think I mentioned that the first thing to start with is trying to access the file itself that we have access controlled.

$ curl -i -k https://localhost:8443/2013/card

[bblfish]

that is not the error code we are looking for. We were expecting an Authentacation Required error code. You are currently only getting a problem because you have probably forgot to set up the symbolic link. Instead of doing all of this, I would just add the rdf to the existing key file. That will make things a bit simpler.

[bblfish]

You never need to explain that the introduction is an introduction.

[bblfish]

All of the above is too pedestrian. You need to explain what HTTP Signature is for. Why do we need rww-play at all? Why do we need authentication that is more than password based?