--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/spec/drafts/ED-webid-20111212/diff-20111123.html Mon Dec 12 13:29:28 2011 -0500
@@ -0,0 +1,10786 @@
+<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'>
+<html lang="en" dir="ltr" about="" property="dcterms:language" content="en" prefix="dcterms: http://purl.org/dc/terms/ bibo: http://purl.org/ontology/bibo/ foaf: http://xmlns.com/foaf/0.1/ xsd: http://www.w3.org/2001/XMLSchema#">
+<head>
+ <title>WebID 1.0</title>
+ <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
+ <!--
+ === NOTA BENE ===
+ For the three scripts below, if your spec resides on dev.w3 you can check them
+ out in the same tree and use relative links so that they'll work offline,
+ -->
+<style type="text/css">
+code { font-family: monospace; }
+
+span.hilite { color: red; /* font-weight: bold */ }
+
+li p { margin-top: 0.3em;
+ margin-bottom: 0.3em; }
+
+div.explanation { background-color: #ADD8E6;
+ width: 80%;
+ margin: 12px; padding: 8px; }
+div.explanation li { margin-top: 8px; }
+div.explanation dd { margin: 4px; }
+
+.adef {
+ font-family: monospace;
+ font-weight: bold;
+ color: #ff4500 !important;
+}
+
+.aref {
+ font-family: monospace;
+ font-weight: bold;
+ color: #ff4500 !important;
+}
+
+span.entity { color: red; }
+
+span.element { color: green; }
+</style>
+
+
+<!-- <script src='/ReSpec.js/js/respec.js' class='remove'></script> -->
+
+ <style type="text/css">
+/*****************************************************************
+ * ReSpec CSS
+ * Robin Berjon (robin at berjon dot com)
+ * v0.05 - 2009-07-31
+ *****************************************************************/
+
+
+/* --- INLINES --- */
+em.rfc2119 {
+ text-transform: lowercase;
+ font-variant: small-caps;
+ font-style: normal;
+ color: #900;
+}
+
+h1 acronym, h2 acronym, h3 acronym, h4 acronym, h5 acronym, h6 acronym, a acronym,
+h1 abbr, h2 abbr, h3 abbr, h4 abbr, h5 abbr, h6 abbr, a abbr {
+ border: none;
+}
+
+dfn {
+ font-weight: bold;
+}
+
+a.internalDFN {
+ color: inherit;
+ border-bottom: 1px solid #99c;
+ text-decoration: none;
+}
+
+a.externalDFN {
+ color: inherit;
+ border-bottom: 1px dotted #ccc;
+ text-decoration: none;
+}
+
+a.bibref {
+ text-decoration: none;
+}
+
+code {
+ color: #ff4500;
+}
+
+
+/* --- WEB IDL --- */
+pre.idl {
+ border-top: 1px solid #90b8de;
+ border-bottom: 1px solid #90b8de;
+ padding: 1em;
+ line-height: 120%;
+}
+
+pre.idl::before {
+ content: "WebIDL";
+ display: block;
+ width: 150px;
+ background: #90b8de;
+ color: #fff;
+ font-family: initial;
+ padding: 3px;
+ font-weight: bold;
+ margin: -1em 0 1em -1em;
+}
+
+.idlType {
+ color: #ff4500;
+ font-weight: bold;
+ text-decoration: none;
+}
+
+/*.idlModule*/
+/*.idlModuleID*/
+/*.idlInterface*/
+.idlInterfaceID, .idlDictionaryID {
+ font-weight: bold;
+ color: #005a9c;
+}
+
+.idlSuperclass {
+ font-style: italic;
+ color: #005a9c;
+}
+
+/*.idlAttribute*/
+.idlAttrType, .idlFieldType, .idlMemberType {
+ color: #005a9c;
+}
+.idlAttrName, .idlFieldName, .idlMemberName {
+ color: #ff4500;
+}
+.idlAttrName a, .idlFieldName a, .idlMemberName a {
+ color: #ff4500;
+ border-bottom: 1px dotted #ff4500;
+ text-decoration: none;
+}
+
+/*.idlMethod*/
+.idlMethType {
+ color: #005a9c;
+}
+.idlMethName {
+ color: #ff4500;
+}
+.idlMethName a {
+ color: #ff4500;
+ border-bottom: 1px dotted #ff4500;
+ text-decoration: none;
+}
+
+/*.idlParam*/
+.idlParamType {
+ color: #005a9c;
+}
+.idlParamName {
+ font-style: italic;
+}
+
+.extAttr {
+ color: #666;
+}
+
+/*.idlConst*/
+.idlConstType {
+ color: #005a9c;
+}
+.idlConstName {
+ color: #ff4500;
+}
+.idlConstName a {
+ color: #ff4500;
+ border-bottom: 1px dotted #ff4500;
+ text-decoration: none;
+}
+
+/*.idlException*/
+.idlExceptionID {
+ font-weight: bold;
+ color: #c00;
+}
+
+.idlTypedefID, .idlTypedefType {
+ color: #005a9c;
+}
+
+.idlRaises, .idlRaises a.idlType, .idlRaises a.idlType code, .excName a, .excName a code {
+ color: #c00;
+ font-weight: normal;
+}
+
+.excName a {
+ font-family: monospace;
+}
+
+.idlRaises a.idlType, .excName a.idlType {
+ border-bottom: 1px dotted #c00;
+}
+
+.excGetSetTrue, .excGetSetFalse, .prmNullTrue, .prmNullFalse, .prmOptTrue, .prmOptFalse {
+ width: 45px;
+ text-align: center;
+}
+.excGetSetTrue, .prmNullTrue, .prmOptTrue { color: #0c0; }
+.excGetSetFalse, .prmNullFalse, .prmOptFalse { color: #c00; }
+
+.idlImplements a {
+ font-weight: bold;
+}
+
+dl.attributes, dl.methods, dl.constants, dl.fields, dl.dictionary-members {
+ margin-left: 2em;
+}
+
+.attributes dt, .methods dt, .constants dt, .fields dt, .dictionary-members dt {
+ font-weight: normal;
+}
+
+.attributes dt code, .methods dt code, .constants dt code, .fields dt code, .dictionary-members dt code {
+ font-weight: bold;
+ color: #000;
+ font-family: monospace;
+}
+
+.attributes dt code, .fields dt code, .dictionary-members dt code {
+ background: #ffffd2;
+}
+
+.attributes dt .idlAttrType code, .fields dt .idlFieldType code, .dictionary-members dt .idlMemberType code {
+ color: #005a9c;
+ background: transparent;
+ font-family: inherit;
+ font-weight: normal;
+ font-style: italic;
+}
+
+.methods dt code {
+ background: #d9e6f8;
+}
+
+.constants dt code {
+ background: #ddffd2;
+}
+
+.attributes dd, .methods dd, .constants dd, .fields dd, .dictionary-members dd {
+ margin-bottom: 1em;
+}
+
+table.parameters, table.exceptions {
+ border-spacing: 0;
+ border-collapse: collapse;
+ margin: 0.5em 0;
+ width: 100%;
+}
+table.parameters { border-bottom: 1px solid #90b8de; }
+table.exceptions { border-bottom: 1px solid #deb890; }
+
+.parameters th, .exceptions th {
+ color: #fff;
+ padding: 3px 5px;
+ text-align: left;
+ font-family: initial;
+ font-weight: normal;
+ text-shadow: #666 1px 1px 0;
+}
+.parameters th { background: #90b8de; }
+.exceptions th { background: #deb890; }
+
+.parameters td, .exceptions td {
+ padding: 3px 10px;
+ border-top: 1px solid #ddd;
+ vertical-align: top;
+}
+
+.parameters tr:first-child td, .exceptions tr:first-child td {
+ border-top: none;
+}
+
+.parameters td.prmName, .exceptions td.excName, .exceptions td.excCodeName {
+ width: 100px;
+}
+
+.parameters td.prmType {
+ width: 120px;
+}
+
+table.exceptions table {
+ border-spacing: 0;
+ border-collapse: collapse;
+ width: 100%;
+}
+
+/* --- TOC --- */
+.toc a {
+ text-decoration: none;
+}
+
+a .secno {
+ color: #000;
+}
+
+/* --- TABLE --- */
+table.simple {
+ border-spacing: 0;
+ border-collapse: collapse;
+ border-bottom: 3px solid #005a9c;
+}
+
+.simple th {
+ background: #005a9c;
+ color: #fff;
+ padding: 3px 5px;
+ text-align: left;
+}
+
+.simple th[scope="row"] {
+ background: inherit;
+ color: inherit;
+ border-top: 1px solid #ddd;
+}
+
+.simple td {
+ padding: 3px 10px;
+ border-top: 1px solid #ddd;
+}
+
+.simple tr:nth-child(even) {
+ background: #f0f6ff;
+}
+
+/* --- DL --- */
+.section dd > p:first-child {
+ margin-top: 0;
+}
+
+.section dd > p:last-child {
+ margin-bottom: 0;
+}
+
+.section dd {
+ margin-bottom: 1em;
+}
+
+.section dl.attrs dd, .section dl.eldef dd {
+ margin-bottom: 0;
+}
+
+/* --- EXAMPLES --- */
+pre.example {
+ border-top: 1px solid #ff4500;
+ border-bottom: 1px solid #ff4500;
+ padding: 1em;
+ margin-top: 1em;
+}
+
+pre.example::before {
+ content: "Example";
+ display: block;
+ width: 150px;
+ background: #ff4500;
+ color: #fff;
+ font-family: initial;
+ padding: 3px;
+ font-weight: bold;
+ margin: -1em 0 1em -1em;
+}
+
+/* --- EDITORIAL NOTES --- */
+.issue {
+ padding: 1em;
+ margin: 1em 0em 0em;
+ border: 1px solid #f00;
+ background: #ffc;
+}
+
+.issue::before {
+ content: "Issue";
+ display: block;
+ width: 150px;
+ margin: -1.5em 0 0.5em 0;
+ font-weight: bold;
+ border: 1px solid #f00;
+ background: #fff;
+ padding: 3px 1em;
+}
+
+.note {
+ margin: 1em 0em 0em;
+ padding: 1em;
+ border: 2px solid #cff6d9;
+ background: #e2fff0;
+}
+
+.note::before {
+ content: "Note";
+ display: block;
+ width: 150px;
+ margin: -1.5em 0 0.5em 0;
+ font-weight: bold;
+ border: 1px solid #cff6d9;
+ background: #fff;
+ padding: 3px 1em;
+}
+
+/* --- Best Practices --- */
+div.practice {
+ border: solid #bebebe 1px;
+ margin: 2em 1em 1em 2em;
+}
+
+span.practicelab {
+ margin: 1.5em 0.5em 1em 1em;
+ font-weight: bold;
+ font-style: italic;
+}
+
+span.practicelab { background: #dfffff; }
+
+span.practicelab {
+ position: relative;
+ padding: 0 0.5em;
+ top: -1.5em;
+}
+
+p.practicedesc {
+ margin: 1.5em 0.5em 1em 1em;
+}
+
+@media screen {
+ p.practicedesc {
+ position: relative;
+ top: -2em;
+ padding: 0;
+ margin: 1.5em 0.5em -1em 1em;
+ }
+}
+
+/* --- SYNTAX HIGHLIGHTING --- */
+pre.sh_sourceCode {
+ background-color: white;
+ color: black;
+ font-style: normal;
+ font-weight: normal;
+}
+
+pre.sh_sourceCode .sh_keyword { color: #005a9c; font-weight: bold; } /* language keywords */
+pre.sh_sourceCode .sh_type { color: #666; } /* basic types */
+pre.sh_sourceCode .sh_usertype { color: teal; } /* user defined types */
+pre.sh_sourceCode .sh_string { color: red; font-family: monospace; } /* strings and chars */
+pre.sh_sourceCode .sh_regexp { color: orange; font-family: monospace; } /* regular expressions */
+pre.sh_sourceCode .sh_specialchar { color: #ffc0cb; font-family: monospace; } /* e.g., \n, \t, \\ */
+pre.sh_sourceCode .sh_comment { color: #A52A2A; font-style: italic; } /* comments */
+pre.sh_sourceCode .sh_number { color: purple; } /* literal numbers */
+pre.sh_sourceCode .sh_preproc { color: #00008B; font-weight: bold; } /* e.g., #include, import */
+pre.sh_sourceCode .sh_symbol { color: blue; } /* e.g., *, + */
+pre.sh_sourceCode .sh_function { color: black; font-weight: bold; } /* function calls and declarations */
+pre.sh_sourceCode .sh_cbracket { color: red; } /* block brackets (e.g., {, }) */
+pre.sh_sourceCode .sh_todo { font-weight: bold; background-color: #00FFFF; } /* TODO and FIXME */
+
+/* Predefined variables and functions (for instance glsl) */
+pre.sh_sourceCode .sh_predef_var { color: #00008B; }
+pre.sh_sourceCode .sh_predef_func { color: #00008B; font-weight: bold; }
+
+/* for OOP */
+pre.sh_sourceCode .sh_classname { color: teal; }
+
+/* line numbers (not yet implemented) */
+pre.sh_sourceCode .sh_linenum { display: none; }
+
+/* Internet related */
+pre.sh_sourceCode .sh_url { color: blue; text-decoration: underline; font-family: monospace; }
+
+/* for ChangeLog and Log files */
+pre.sh_sourceCode .sh_date { color: blue; font-weight: bold; }
+pre.sh_sourceCode .sh_time, pre.sh_sourceCode .sh_file { color: #00008B; font-weight: bold; }
+pre.sh_sourceCode .sh_ip, pre.sh_sourceCode .sh_name { color: #006400; }
+
+/* for Prolog, Perl... */
+pre.sh_sourceCode .sh_variable { color: #006400; }
+
+/* for LaTeX */
+pre.sh_sourceCode .sh_italics { color: #006400; font-style: italic; }
+pre.sh_sourceCode .sh_bold { color: #006400; font-weight: bold; }
+pre.sh_sourceCode .sh_underline { color: #006400; text-decoration: underline; }
+pre.sh_sourceCode .sh_fixed { color: green; font-family: monospace; }
+pre.sh_sourceCode .sh_argument { color: #006400; }
+pre.sh_sourceCode .sh_optionalargument { color: purple; }
+pre.sh_sourceCode .sh_math { color: orange; }
+pre.sh_sourceCode .sh_bibtex { color: blue; }
+
+/* for diffs */
+pre.sh_sourceCode .sh_oldfile { color: orange; }
+pre.sh_sourceCode .sh_newfile { color: #006400; }
+pre.sh_sourceCode .sh_difflines { color: blue; }
+
+/* for css */
+pre.sh_sourceCode .sh_selector { color: purple; }
+pre.sh_sourceCode .sh_property { color: blue; }
+pre.sh_sourceCode .sh_value { color: #006400; font-style: italic; }
+
+/* other */
+pre.sh_sourceCode .sh_section { color: black; font-weight: bold; }
+pre.sh_sourceCode .sh_paren { color: red; }
+pre.sh_sourceCode .sh_attribute { color: #006400; }
+
+
+</style><link charset="utf-8" type="text/css" rel="stylesheet" href="http://www.w3.org/StyleSheets/TR/W3C-ED"><style type='text/css'>
+.diff-old-a {
+ font-size: smaller;
+ color: red;
+}
+
+.diff-new { background-color: yellow; }
+.diff-chg { background-color: lime; }
+.diff-new:before,
+.diff-new:after
+ { content: "\2191" }
+.diff-chg:before, .diff-chg:after
+ { content: "\2195" }
+.diff-old { text-decoration: line-through; background-color: #FBB; }
+.diff-old:before,
+.diff-old:after
+ { content: "\2193" }
+:focus { border: thin red solid}
+</style>
+</head>
+
+<body style="display: inherit;">
+<div class="head">
+<p>
+<a href="http://www.w3.org/">
+<img src="http://www.w3.org/Icons/w3c_home" alt="W3C" height="48" width="72">
+</a>
+</p>
+<h1 property="dcterms:title" class="title" id="title">
+WebID
+1.0
+</h1>
+<h2 property="bibo:subtitle" id="subtitle">
+Web
+Identification
+and
+Discovery
+</h2>
+
+<h2 id="w3c-editor-s-draft-12-december-2011" property="dcterms:issued" datatype="xsd:dateTime" content="2011-12-12T18:22:04+0000">
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+Editor's
+Draft
+<del class="diff-old">29
+November
+</del>
+<ins class="diff-chg">12
+December
+</ins>
+2011
+</h2>
+<dl>
+<dt>
+This
+version:
+</dt>
+<dd>
+<del class="diff-old">http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-2011-11-23
+
+</del>
+<a href="http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212">
+<ins class="diff-chg">http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212
+</ins></a></dd><dt><ins class="diff-chg">
+Latest
+published
+version:
+</ins></dt><dd><a href="http://www.w3.org/TR/webid/"><ins class="diff-chg">
+http://www.w3.org/TR/webid/
+</ins>
+</a>
+</dd>
+<dt>
+Latest
+editor's
+draft:
+</dt>
+<dd>
+<del class="diff-old">http://www.w3.org/2005/Incubator/webid/spec/
+</del>
+<a href="http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212">
+
+<ins class="diff-chg">http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212
+</ins>
+</a>
+</dd>
+<dt>
+Previous
+version:
+</dt>
+<dd>
+<del class="diff-old">http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-2011-10-17
+</del>
+<a rel="dcterms:replaces" href="http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-2011-11-23/">
+<ins class="diff-chg">http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-2011-11-23/
+</ins>
+</a>
+</dd>
+<dt>
+Editors:
+
+</dt>
+<dd rel="bibo:editor">
+<span typeof="foaf:Person">
+<a rel="foaf:homepage" property="foaf:name" content="Henry Story" href="http://bblfish.net/">
+Henry
+Story
+</a>
+<span class="ed_mailto">
+<a rel="foaf:mbox" href="mailto:henry.story@bblfish.net">
+henry.story@bblfish.net
+</a>
+</span>
+</span>
+</dd>
+<dd rel="bibo:editor">
+<span typeof="foaf:Person">
+<span property="foaf:name">
+Stéphane
+Corlosquet
+
+</span>,
+<a rel="foaf:workplaceHomepage" href="http://massgeneral.org/">
+Massachusetts
+General
+Hospital
+</a>
+<span class="ed_mailto">
+<a rel="foaf:mbox" href="mailto:scorlosquet@gmail.com">
+scorlosquet@gmail.com
+</a>
+</span>
+</span>
+</dd>
+<dt>
+Authors:
+</dt>
+<dd rel="dcterms:contributor">
+<span typeof="foaf:Person">
+<span property="foaf:name">
+
+Manu
+Sporny
+</span>,
+<a rel="foaf:workplaceHomepage" href="http://blog.digitalbazaar.com/">
+Digital
+Bazaar,
+Inc.
+</a>
+<span class="ed_mailto">
+<a rel="foaf:mbox" href="mailto:msporny@digitalbazaar.com">
+msporny@digitalbazaar.com
+</a>
+</span>
+</span>
+</dd>
+<dd rel="dcterms:contributor">
+<span typeof="foaf:Person">
+<a rel="foaf:homepage" property="foaf:name" content="Toby Inkster" href="http://tobyinkster.co.uk/">
+Toby
+Inkster
+</a>
+
+</span>
+</dd>
+<dd rel="dcterms:contributor">
+<span typeof="foaf:Person">
+<a rel="foaf:homepage" property="foaf:name" content="Henry Story" href="http://bblfish.net/">
+Henry
+Story
+</a>
+</span>
+</dd>
+<dd rel="dcterms:contributor">
+<span typeof="foaf:Person">
+<a rel="foaf:homepage" property="foaf:name" content="Bruno Harbulot" href="http://blog.distributedmatter.net/">
+Bruno
+Harbulot
+</a>
+</span>
+</dd>
+<dd rel="dcterms:contributor">
+
+<span typeof="foaf:Person">
+<a rel="foaf:homepage" property="foaf:name" content="Reto Bachmann-Gmür" href="http://trialox.org/">
+Reto
+Bachmann-Gmür
+</a>
+</span>
+</dd>
+</dl>
+<p>
+This
+document
+is
+also
+available
+in
+this
+non-normative
+format:
+<a href="http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212/diff-20111123.html">
+Diff
+from
+previous
+Editors
+Draft
+</a>.
+</p>
+<p class="copyright">
+<a rel="license" href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">
+Copyright
+</a>
+
+©
+2010-2011
+<span rel="dcterms:publisher">
+<span typeof="foaf:Organization">
+<a rel="foaf:homepage" property="foaf:name" content="World Wide Web Consotrium" href="http://www.w3.org/">
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+</a>
+<sup>
+®
+</sup>
+</span>
+</span>
+(
+<a href="http://www.csail.mit.edu/">
+<acronym title="Massachusetts Institute of Technology">
+MIT
+
+</acronym>
+</a>,
+<a href="http://www.ercim.eu/">
+<acronym title="European Research Consortium for Informatics and Mathematics">
+ERCIM
+</acronym>
+</a>,
+<a href="http://www.keio.ac.jp/">
+Keio
+</a>
+),
+All
+Rights
+Reserved.
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+<a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">
+liability
+</a>,
+
+<a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">
+trademark
+</a>
+and
+<a href="http://www.w3.org/Consortium/Legal/copyright-documents">
+document
+use
+</a>
+rules
+apply.
+</p>
+<hr>
+</div>
+<div about="#abstract" typeof="bibo:Chapter" datatype="" property="dcterms:abstract" class="introductory section" id="abstract">
+<h2>
+Abstract
+</h2>
+<p>
+A
+global
+distributed
+Social
+Web
+requires
+that
+each
+person
+be
+able
+to
+control
+their
+identity,
+that
+this
+identity
+be
+linkable
+across
+sites
+-
+placing
+each
+person
+in
+a
+Web
+of
+relationships
+-
+and
+that
+it
+be
+possible
+to
+authenticate
+globally
+with
+such
+
+<del class="diff-old">identities
+allowing
+each
+user
+</del>
+<ins class="diff-chg">identities.
+By
+making
+distributed
+authentication
+easy
+one
+can
+allow
+everybody
+</ins>
+to
+protect
+<ins class="diff-new">their
+</ins>
+resources
+and
+enable
+<del class="diff-old">his
+</del>
+<ins class="diff-chg">their
+</ins>
+preferred
+privacy
+settings.
+</p>
+<p>
+This
+specification
+outlines
+a
+simple
+universal
+identification
+mechanism
+that
+is
+distributed,
+openly
+extensible,
+improves
+privacy,
+security
+and
+control
+over
+how
+each
+person
+can
+identify
+themselves
+in
+order
+to
+allow
+fine
+grained
+access
+control
+to
+their
+information
+on
+the
+Web.
+It
+does
+this
+by
+applying
+the
+best
+practices
+of
+Web
+Architecture
+whilst
+building
+on
+well
+established
+widely
+deployed
+protocols
+and
+standards
+<del class="diff-old">such
+as
+RDF
+
+</del>
+<ins class="diff-chg">including
+HTML,
+XHTML,
+URIs,
+HTTP,
+TLS,
+X509
+Certificates,
+</ins>
+and
+<del class="diff-old">TLS.
+</del>
+<ins class="diff-chg">RDF
+Semantics.
+</ins>
+</p>
+<div class="section" about="#how-to-read-this-document" typeof="bibo:Chapter">
+<h3 id="how-to-read-this-document">
+How
+to
+Read
+this
+Document
+</h3>
+<p>
+There
+are
+a
+number
+of
+concepts
+that
+are
+covered
+in
+this
+document
+that
+the
+reader
+may
+want
+to
+be
+aware
+of
+before
+continuing.
+General
+knowledge
+of
+<a href="http://en.wikipedia.org/wiki/Public_key_cryptography">
+public
+key
+cryptography
+
+</a>
+and
+RDF
+[
+<cite>
+<a href="#bib-RDF-PRIMER" rel="biblioentry" class="bibref">
+RDF-PRIMER
+</a>
+</cite>
+]
+is
+necessary
+to
+understand
+how
+to
+implement
+this
+specification.
+WebID
+uses
+a
+number
+of
+specific
+technologies
+like
+HTTP
+over
+TLS
+[
+<cite>
+<a href="#bib-HTTP-TLS" rel="biblioentry" class="bibref">
+HTTP-TLS
+</a>
+</cite>
+],
+X.509
+certificates
+[
+<cite>
+<a href="#bib-X509V3" rel="biblioentry" class="bibref">
+X509V3
+
+</a>
+</cite>
+],
+RDF/XML
+[
+<cite>
+<a href="#bib-RDF-SYNTAX-GRAMMAR" rel="biblioentry" class="bibref">
+RDF-SYNTAX-GRAMMAR
+</a>
+</cite>
+]
+and
+XHTML+RDFa
+[
+<cite>
+<a href="#bib-XHTML-RDFA" rel="biblioentry" class="bibref">
+XHTML-RDFA
+</a>
+</cite>
+].
+</p>
+<p>
+
+A
+general
+<a href="#introduction">
+Introduction
+</a>
+is
+provided
+for
+all
+that
+would
+like
+to
+understand
+why
+this
+specification
+is
+necessary
+to
+simplify
+usage
+of
+the
+Web.
+</p>
+<p>
+The
+terms
+used
+throughout
+this
+specification
+are
+listed
+in
+the
+section
+titled
+<a href="#terminology">
+Terminology
+</a>.
+</p>
+<p>
+Developers
+that
+are
+interested
+in
+implementing
+this
+specification
+will
+be
+most
+interested
+in
+the
+sections
+titled
+<a href="#authentication-sequence">
+Authentication
+Sequence
+</a>
+
+and
+<a href="#authentication-sequence-details">
+Authentication
+Sequence
+Details
+</a>.
+</p>
+</div>
+</div>
+<div about="#sotd" typeof="bibo:Chapter" id="sotd" class="introductory section">
+<h2>
+Status
+of
+This
+Document
+</h2>
+<p>
+<em>
+This
+section
+describes
+the
+status
+of
+this
+document
+at
+the
+time
+of
+its
+publication.
+Other
+documents
+may
+supersede
+this
+document.
+A
+list
+of
+current
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+
+publications
+and
+the
+latest
+revision
+of
+this
+technical
+report
+can
+be
+found
+in
+the
+<a href="http://www.w3.org/TR/">
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+technical
+reports
+index
+</a>
+at
+http://www.w3.org/TR/.
+</em>
+</p>
+This
+document
+is
+produced
+from
+work
+by
+the
+<a href="http://www.w3.org/2005/Incubator/webid/">
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+WebID
+Incubator
+Group
+</a>.
+This
+is
+an
+internal
+draft
+document
+and
+may
+not
+even
+end
+up
+being
+officially
+published.
+It
+may
+also
+be
+updated,
+replaced
+or
+obsoleted
+by
+other
+documents
+at
+any
+time.
+It
+is
+inappropriate
+to
+cite
+this
+document
+as
+other
+than
+work
+in
+progress.
+The
+source
+code
+for
+this
+document
+is
+available
+at
+the
+following
+URI:
+
+<a href="https://dvcs.w3.org/hg/WebID">
+https://dvcs.w3.org/hg/WebID
+</a>
+<p>
+This
+document
+was
+published
+by
+the
+<a href="http://www.w3.org/2005/Incubator/webid/">
+WebID
+XG
+</a>
+as
+an
+Editor's
+Draft.
+If
+you
+wish
+to
+make
+comments
+regarding
+this
+document,
+please
+send
+them
+to
+<a href="mailto:public-xg-webid@w3.org">
+public-xg-webid@w3.org
+</a>
+(
+<a href="mailto:public-xg-webid-request@w3.org?subject=subscribe">
+subscribe
+</a>,
+<a href="http://lists.w3.org/Archives/Public/public-xg-webid/">
+
+archives
+</a>
+).
+All
+feedback
+is
+welcome.
+</p>
+<p>
+Publication
+as
+<del class="diff-old">a
+</del>
+<ins class="diff-chg">an
+</ins>
+Editor's
+Draft
+does
+not
+imply
+endorsement
+by
+the
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+Membership.
+This
+is
+a
+draft
+document
+and
+may
+be
+updated,
+replaced
+or
+obsoleted
+by
+other
+documents
+at
+any
+time.
+It
+is
+inappropriate
+to
+cite
+this
+document
+as
+other
+than
+work
+in
+progress.
+</p>
+<p>
+
+This
+document
+was
+produced
+by
+a
+group
+operating
+under
+the
+<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">
+5
+February
+2004
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+Patent
+Policy
+</a>.
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+maintains
+a
+<a href="http://www.w3.org/2004/01/pp-impl/46065/status" rel="disclosure">
+public
+list
+of
+any
+patent
+disclosures
+</a>
+made
+in
+connection
+with
+the
+deliverables
+of
+the
+group;
+that
+page
+also
+includes
+instructions
+for
+disclosing
+a
+patent.
+An
+individual
+who
+has
+actual
+knowledge
+of
+a
+patent
+which
+the
+individual
+believes
+contains
+<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">
+
+Essential
+Claim(s)
+</a>
+must
+disclose
+the
+information
+in
+accordance
+with
+<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">
+section
+6
+of
+the
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+Patent
+Policy
+</a>.
+</p>
+</div>
+<div class="section" about="#toc" typeof="bibo:Chapter" id="toc">
+<h2 class="introductory">
+Table
+of
+Contents
+</h2>
+<ul class="toc">
+
+<li class="tocline">
+<a class="tocxref" href="#introduction">
+<span class="secno">
+1.
+</span>
+Introduction
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#outline">
+<span class="secno">
+1.1
+</span>
+<del class="diff-old">Motivation
+</del>
+<ins class="diff-chg">Outline
+</ins>
+
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#terminology">
+<span class="secno">
+<ins class="diff-chg">1.2
+</ins></span><ins class="diff-chg">
+Terminology
+</ins></a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#namespaces">
+<span class="secno">
+<del class="diff-old">2.
+</del>
+<ins class="diff-chg">1.3
+</ins>
+
+</span>
+<del class="diff-old">Preconditions
+</del>
+<ins class="diff-chg">Namespaces
+</ins>
+</a>
+</li>
+</ul>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#preconditions">
+<span class="secno">
+<del class="diff-old">2.1
+</del>
+<ins class="diff-chg">2.
+</ins>
+</span>
+
+<del class="diff-old">Terminology
+</del>
+<ins class="diff-chg">Preconditions
+</ins>
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#the-certificate">
+<span class="secno">
+<del class="diff-old">2.2
+</del>
+<ins class="diff-chg">2.1
+</ins>
+</span>
+<del class="diff-old">Namespaces
+</del>
+<ins class="diff-chg">The
+certificate
+
+</ins>
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#creating-a-certificate">
+<span class="secno">
+<del class="diff-old">2.3
+</del>
+<ins class="diff-chg">2.1.1
+</ins>
+</span>
+Creating
+<del class="diff-old">the
+certificate
+</del>
+<ins class="diff-chg">a
+Certificate
+</ins>
+</a>
+
+</li>
+</ul>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#publishing-the-webid-profile-document">
+<span class="secno">
+<del class="diff-old">2.4
+</del>
+<ins class="diff-chg">2.2
+</ins>
+</span>
+Publishing
+the
+WebID
+Profile
+Document
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#turtle">
+<span class="secno">
+
+<del class="diff-old">2.4.1
+</del>
+<ins class="diff-chg">2.2.1
+</ins>
+</span>
+Turtle
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#rdfa-html-notation">
+<span class="secno">
+<del class="diff-old">2.4.2
+</del>
+<ins class="diff-chg">2.2.2
+</ins>
+</span>
+RDFa
+HTML
+notation
+
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#in-rdf-xml">
+<span class="secno">
+<del class="diff-old">2.4.3
+</del>
+<ins class="diff-chg">2.2.3
+</ins>
+</span>
+In
+RDF/XML
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#in-portable-contacts-format-using-grddl">
+<span class="secno">
+<del class="diff-old">2.4.4
+
+</del>
+<ins class="diff-chg">2.2.4
+</ins>
+</span>
+In
+Portable
+Contacts
+format
+using
+GRDDL
+</a>
+</li>
+</ul>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#disabling-a-webid-certificate">
+<span class="secno">
+<ins class="diff-new">2.3
+</ins></span><ins class="diff-new">
+Disabling
+a
+WebID
+Certificate
+</ins></a></li>
+</ul>
+
+</li>
+<li class="tocline">
+<a class="tocxref" href="#the-webid-protocol">
+<span class="secno">
+3.
+</span>
+The
+WebID
+Protocol
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#authentication-sequence">
+<span class="secno">
+3.1
+</span>
+Authentication
+Sequence
+</a>
+</li>
+
+<li class="tocline">
+<a class="tocxref" href="#authentication-sequence-details">
+<span class="secno">
+3.2
+</span>
+Authentication
+Sequence
+Details
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#initiating-a-tls-connection">
+<span class="secno">
+3.2.1
+</span>
+Initiating
+a
+TLS
+Connection
+</a>
+</li>
+<li class="tocline">
+
+<a class="tocxref" href="#connecting-at-the-application-layer">
+<span class="secno">
+3.2.2
+</span>
+Connecting
+at
+the
+Application
+Layer
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#requesting-the-client-certificate">
+<span class="secno">
+3.2.3
+</span>
+Requesting
+the
+Client
+Certificate
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#verifying-the-webids">
+
+<span class="secno">
+3.2.4
+</span>
+<del class="diff-old">Verifiying
+</del>
+<ins class="diff-chg">Verifying
+</ins>
+the
+WebIDs
+</a>
+<ul class="toc">
+<li class="tocline">
+<a class="tocxref" href="#processing-the-webid-profile">
+<span class="secno">
+3.2.4.1
+</span>
+Processing
+the
+WebID
+Profile
+</a>
+
+</li>
+<li class="tocline">
+<a class="tocxref" href="#verifying-the-webid-claim">
+<span class="secno">
+3.2.4.2
+</span>
+Verifying
+the
+WebID
+Claim
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#authorization">
+<span class="secno">
+<del class="diff-old">3.2.5
+</del>
+<ins class="diff-chg">3.2.4.3
+</ins>
+</span>
+
+Authorization
+</a>
+</li>
+</ul>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#the-webid-profile">
+<span class="secno">
+<del class="diff-old">3.3
+</del>
+<ins class="diff-chg">3.2.5
+</ins>
+</span>
+The
+WebID
+Profile
+</a>
+<ul class="toc">
+<li class="tocline">
+
+<a class="tocxref" href="#personal-information">
+<span class="secno">
+<del class="diff-old">3.3.1
+</del>
+<ins class="diff-chg">3.2.5.1
+</ins>
+</span>
+Personal
+Information
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#cryptographic-details">
+<span class="secno">
+<del class="diff-old">3.3.2
+</del>
+<ins class="diff-chg">3.2.5.2
+</ins>
+
+</span>
+Cryptographic
+Details
+</a>
+</li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#history">
+<span class="secno">
+A.
+</span>
+Change
+History
+</a>
+
+</li>
+<li class="tocline">
+<a class="tocxref" href="#acknowledgements">
+<span class="secno">
+B.
+</span>
+Acknowledgments
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#references">
+<span class="secno">
+C.
+</span>
+References
+</a>
+<ul class="toc">
+
+<li class="tocline">
+<a class="tocxref" href="#normative-references">
+<span class="secno">
+C.1
+</span>
+Normative
+references
+</a>
+</li>
+<li class="tocline">
+<a class="tocxref" href="#informative-references">
+<span class="secno">
+C.2
+</span>
+Informative
+references
+</a>
+</li>
+</ul>
+
+</li>
+</ul>
+</div>
+<div about="#introduction" typeof="bibo:Chapter" id="introduction" class="informative section">
+<h2>
+<span class="secno">
+1.
+</span>
+Introduction
+</h2>
+<p>
+<em>
+This
+section
+is
+non-normative.
+</em>
+</p>
+<p>
+The
+WebID
+
+<del class="diff-old">specification
+is
+designed
+to
+help
+alleviate
+the
+difficultly
+that
+remembering
+different
+logins,
+passwords
+</del>
+<ins class="diff-chg">protocol
+enables
+secure,
+efficient
+</ins>
+and
+<del class="diff-old">settings
+for
+websites
+has
+created.
+</del>
+<ins class="diff-chg">maximally
+user
+friendly
+authentication
+on
+the
+Web.
+</ins>
+It
+<del class="diff-old">is
+also
+designed
+to
+provide
+a
+universal
+and
+extensible
+mechanism
+</del>
+<ins class="diff-chg">enables
+people
+</ins>
+to
+<del class="diff-old">express
+public
+and
+private
+information
+about
+yourself.
+This
+section
+outlines
+the
+motivation
+behind
+the
+specification
+and
+</del>
+
+<ins class="diff-chg">authenticate
+onto
+any
+site
+by
+simply
+clicking
+on
+one
+of
+</ins>
+the
+<del class="diff-old">relationship
+</del>
+<ins class="diff-chg">certificates
+proposed
+</ins>
+to
+<del class="diff-old">other
+similar
+specifications
+that
+are
+</del>
+<ins class="diff-chg">them
+by
+their
+browser.
+These
+certificates
+can
+be
+created
+by
+any
+Web
+Site
+for
+their
+users
+</ins>
+in
+<del class="diff-old">active
+use
+today.
+1.1
+Motivation
+This
+section
+is
+non-normative.
+It
+</del>
+<ins class="diff-chg">one
+click.
+The
+identifier,
+known
+as
+the
+</ins><a href="#dfn-webid" title="WebID" class="tref internalDFN"><ins class="diff-chg">
+
+WebID
+</ins></a>,
+is
+a
+<del class="diff-old">fundamental
+design
+criteria
+of
+the
+Web
+to
+enable
+individuals
+and
+organizations
+to
+control
+how
+they
+interact
+with
+</del>
+<ins class="diff-chg">URI
+whose
+sense
+can
+be
+found
+in
+</ins>
+the
+<del class="diff-old">rest
+</del>
+<ins class="diff-chg">associated
+</ins><a href="#dfn-profile_page" title="Profile_Page" class="tref internalDFN"><ins class="diff-chg">
+Profile
+Page
+</ins></a>,<ins class="diff-chg">
+a
+type
+</ins>
+of
+
+<del class="diff-old">society.
+This
+includes
+how
+one
+expresses
+their
+identity,
+public
+information
+and
+personal
+details
+to
+social
+networks,
+Web
+sites
+and
+services.
+</del>
+<ins class="diff-chg">web
+page
+that
+any
+Social
+Network
+user
+is
+familiar
+with.
+</ins>
+</p>
+<p>
+<del class="diff-old">Semantic
+</del>
+<ins class="diff-chg">These
+WebIDs
+can
+be
+used
+to
+build
+a
+</ins>
+Web
+<ins class="diff-new">of
+trust
+using
+</ins>
+vocabularies
+such
+as
+<del class="diff-old">Friend-of-a-Friend
+(FOAF)
+permit
+distributed
+hyperlinked
+social
+networks
+to
+exist.
+This
+vocabulary,
+along
+with
+other
+vocabularies,
+allow
+one
+to
+add
+information
+and
+services
+protection
+to
+distributed
+social
+networks.
+One
+major
+criticism
+of
+open
+networks
+is
+that
+they
+seem
+to
+have
+no
+way
+of
+protecting
+the
+personal
+information
+distributed
+on
+the
+web
+or
+limiting
+access
+to
+resources.
+Few
+</del>
+<a href="http://xmlns.com/foaf/0.1/">
+
+<ins class="diff-chg">foaf
+</ins></a><ins class="diff-chg">
+by
+allowing
+</ins>
+people
+<del class="diff-old">are
+willing
+</del>
+to
+<del class="diff-old">make
+all
+</del>
+<ins class="diff-chg">link
+together
+</ins>
+their
+<del class="diff-old">personal
+information
+public,
+many
+would
+like
+large
+pieces
+to
+be
+protected,
+making
+it
+available
+only
+to
+</del>
+<ins class="diff-chg">profiles
+in
+</ins>
+
+a
+<del class="diff-old">selected
+group
+</del>
+<ins class="diff-chg">public
+or
+protected
+manner.
+Such
+a
+web
+</ins>
+of
+<del class="diff-old">agents.
+Giving
+access
+to
+information
+is
+very
+similar
+to
+giving
+access
+to
+services.
+There
+are
+many
+occasions
+when
+people
+would
+like
+services
+to
+only
+</del>
+<ins class="diff-chg">trust
+can
+then
+</ins>
+be
+<del class="diff-old">accessible
+to
+members
+of
+</del>
+<ins class="diff-chg">used
+by
+</ins>
+a
+<del class="diff-old">group,
+such
+as
+
+</del>
+<a href="#dfn-service" title="Service" class="tref internalDFN">
+<ins class="diff-chg">Service
+</ins></a><ins class="diff-chg">
+to
+make
+authorization
+decisions,
+by
+</ins>
+allowing
+<del class="diff-old">only
+friends,
+family
+members,
+colleagues
+</del>
+<ins class="diff-chg">access
+</ins>
+to
+<del class="diff-old">post
+an
+article,
+photo
+or
+comment
+</del>
+<ins class="diff-chg">resource
+depending
+</ins>
+on
+
+<ins class="diff-new">the
+properties
+of
+an
+agent,
+such
+that
+the
+he
+is
+known
+by
+some
+relevant
+people,
+works
+at
+</ins>
+a
+<del class="diff-old">blog.
+How
+does
+one
+do
+this
+in
+a
+flexible
+way,
+without
+requiring
+</del>
+<ins class="diff-chg">given
+company,
+is
+</ins>
+a
+<del class="diff-old">central
+point
+</del>
+<ins class="diff-chg">family
+member,
+is
+part
+</ins>
+of
+<del class="diff-old">access
+control?
+</del>
+<ins class="diff-chg">some
+group,
+...
+</ins>
+
+</p>
+<p>
+<del class="diff-old">Using
+a
+process
+made
+popular
+by
+OpenID,
+we
+show
+</del>
+<ins class="diff-chg">The
+WebID
+protocol
+specifies
+</ins>
+how
+<del class="diff-old">one
+</del>
+<ins class="diff-chg">a
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a>
+can
+<del class="diff-old">tie
+</del>
+<ins class="diff-chg">authenticate
+
+</ins>
+a
+<del class="diff-old">User
+Agent
+</del>
+<ins class="diff-chg">user
+after
+requesting
+his
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+</ins></a><ins class="diff-chg">
+without
+needing
+</ins>
+to
+<ins class="diff-new">rely
+on
+this
+being
+signed
+by
+</ins>
+a
+<del class="diff-old">URI
+</del>
+<ins class="diff-chg">well
+known
+Certificate
+Authority.
+This
+is
+done
+
+</ins>
+by
+<del class="diff-old">proving
+that
+one
+has
+write
+access
+to
+</del>
+<ins class="diff-chg">dereferencing
+</ins>
+the
+<del class="diff-old">URI.
+</del>
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+<del class="diff-old">is
+an
+authentication
+protocol
+which
+uses
+X.509
+certificates
+</del>
+<ins class="diff-chg">Profile
+</ins></a>,<ins class="diff-chg">
+and
+checking
+if
+it
+describes
+the
+user
+as
+being
+in
+control
+of
+the
+the
+private
+key
+related
+
+</ins>
+to
+<del class="diff-old">associate
+a
+User
+Agent
+(Browser)
+</del>
+<ins class="diff-chg">the
+</ins><a href="#dfn-public_key" title="Public_Key" class="tref internalDFN"><ins class="diff-chg">
+Public
+Key
+</ins></a><ins class="diff-chg">
+published
+in
+the
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+</ins></a><ins class="diff-chg">
+she
+used
+</ins>
+to
+<del class="diff-old">a
+Person
+identified
+via
+a
+URI.
+A
+</del>
+
+<ins class="diff-chg">authenticate.
+</ins></p><p>
+WebID
+<del class="diff-old">profile
+</del>
+<ins class="diff-chg">authentication
+</ins>
+can
+also
+be
+used
+for
+<del class="diff-old">OpenID,
+WebID
+provides
+a
+few
+additional
+features
+</del>
+<ins class="diff-chg">automatic
+authentication
+by
+robots,
+</ins>
+such
+as
+<del class="diff-old">trust
+management
+via
+digital
+signatures,
+and
+free-form
+extensibility
+via
+RDF.
+By
+using
+the
+existing
+SSL
+certificate
+exchange
+mechanism,
+WebID
+integrates
+smoothly
+with
+existing
+Web
+browsers,
+including
+browsers
+</del>
+<ins class="diff-chg">web
+crawlers
+of
+linked
+data
+repositories,
+which
+could
+be
+agents
+working
+</ins>
+
+on
+<del class="diff-old">mobile
+devices.
+WebID
+also
+permits
+automated
+session
+login
+</del>
+<ins class="diff-chg">behalf
+of
+users
+to
+help
+them
+</ins>
+in
+<del class="diff-old">addition
+</del>
+<ins class="diff-chg">their
+daily
+tasks.
+The
+WebID
+protocol
+is
+not
+limited
+</ins>
+to
+<del class="diff-old">interactive
+session
+login.
+Additionally,
+all
+data
+</del>
+<ins class="diff-chg">authentication
+on
+the
+World
+Wide
+Web,
+but
+can
+work
+with
+any
+TLS
+based
+protocol.
+</ins></p><div class="section" about="#outline" typeof="bibo:Chapter" id="outline"><h3><span class="secno"><ins class="diff-chg">
+1.1
+</ins></span><ins class="diff-chg">
+
+Outline
+</ins></h3><p><ins class="diff-chg">
+This
+specification
+</ins>
+is
+<del class="diff-old">encrypted
+</del>
+<ins class="diff-chg">divided
+in
+the
+following
+sections.
+</ins></p><p><a href="#introduction"><ins class="diff-chg">
+This
+section
+</ins></a><ins class="diff-chg">
+gives
+a
+high
+level
+overview
+of
+the
+WebID
+Protocol,
+</ins>
+and
+<del class="diff-old">guaranteed
+to
+only
+be
+received
+by
+</del>
+<ins class="diff-chg">presents
+
+</ins>
+the
+<del class="diff-old">person
+or
+organization
+</del>
+<ins class="diff-chg">organisation
+of
+the
+specification
+and
+the
+conventions
+used
+throughout
+the
+document.
+</ins></p><p><a href="#preconditions"><ins class="diff-chg">
+Section
+2
+</ins></a><ins class="diff-chg">
+lists
+the
+preconditions
+</ins>
+that
+<del class="diff-old">was
+intended
+</del>
+<ins class="diff-chg">need
+</ins>
+to
+<del class="diff-old">receive
+it.
+
+</del>
+<ins class="diff-chg">be
+in
+place
+for
+any
+authentication
+sequence
+to
+be
+successful:
+which
+include
+the
+creation
+of
+a
+</ins><a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN"><ins class="diff-chg">
+WebID
+Profile
+</ins></a><ins class="diff-chg">
+and
+the
+creation
+of
+a
+</ins><a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN"><ins class="diff-chg">
+WebID
+Certificate
+</ins></a>
+</p>
+<p>
+<del class="diff-old">2.
+Preconditions
+</del>
+<a href="#the-webid-protocol">
+<ins class="diff-chg">Section
+3
+</ins></a><ins class="diff-chg">
+on
+the
+WebID
+Protocol
+describes
+in
+detail
+how
+a
+server
+can
+authenticate
+a
+user.
+
+</ins></p></div><div class="section" about="#terminology" typeof="bibo:Chapter" id="terminology">
+<h3>
+<span class="secno">
+<del class="diff-old">2.1
+</del>
+<ins class="diff-chg">1.2
+</ins>
+</span>
+Terminology
+</h3>
+<dl>
+<dt>
+<dfn id="dfn-alice" title="Alice">
+Alice
+</dfn>
+</dt>
+<dd>
+
+Alice
+is
+an
+agent
+who
+owns
+a
+Server
+which
+runs
+a
+Service
+which
+Bob
+wishes
+to
+Access
+</dd>
+<dt>
+<dfn id="dfn-bob" title="Bob">
+Bob
+</dfn>
+</dt>
+<dd>
+Bob
+is
+an
+agent
+who
+uses
+a
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+Client
+</a>
+to
+connect
+to
+<a href="#dfn-alice" title="Alice" class="tref internalDFN">
+Alice
+</a>
+'s
+Service,
+and
+who
+
+<del class="diff-old">controls
+</del>
+<ins class="diff-chg">is
+responsible
+for
+</ins>
+the
+private
+key
+the
+<del class="diff-old">client
+</del>
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+<ins class="diff-chg">Client
+</ins></a>
+uses
+to
+<del class="diff-old">access
+</del>
+<ins class="diff-chg">authenticate
+to
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a><ins class="diff-chg">
+
+s.
+If
+he
+notices
+</ins>
+the
+<del class="diff-old">resource.
+</del>
+<ins class="diff-chg">private
+key
+was
+compromised
+he
+needs
+to
+take
+action
+to
+disable
+the
+public
+key.
+</ins>
+</dd>
+<dt>
+<dfn id="dfn-subject" title="Subject">
+Subject
+</dfn>
+</dt>
+<dd>
+The
+Subject
+is
+the
+Agent
+that
+is
+identified
+by
+the
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+
+</a>.
+When
+used
+<del class="diff-old">correctly
+</del>
+<ins class="diff-chg">legally
+</ins>
+it
+is
+the
+Subject
+who
+wishes
+to
+authenticate
+to
+a
+<a href="#dfn-service" title="Service" class="tref internalDFN">
+Service
+</a>.
+<del class="diff-old">When
+speaking
+of
+a
+particular
+agent,
+and
+in
+order
+to
+improve
+lisibility
+in
+this
+spec,
+we
+</del>
+<ins class="diff-chg">We
+</ins>
+will
+name
+him
+<a href="#dfn-bob" title="Bob" class="tref internalDFN">
+Bob
+<del class="diff-old">.
+
+</del>
+</a>
+<ins class="diff-chg">throughout
+this
+document
+to
+improve
+readability.
+</ins>
+The
+Subject
+is
+distinct
+from
+the
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+Client
+</a>
+which
+is
+used
+to
+connect
+to
+the
+<a href="#dfn-server" title="Server" class="tref internalDFN">
+Server
+</a>.
+</dd>
+<dt>
+<dfn id="dfn-client" title="Client">
+Client
+</dfn>
+
+</dt>
+<dd>
+The
+Client
+initiates
+a
+request
+to
+a
+Service
+listening
+on
+a
+specific
+port
+using
+a
+given
+protocol
+on
+a
+given
+Server.
+<ins class="diff-new">It
+can
+request
+authentication
+credentials
+from
+a
+</ins><a href="#dfn-key_chain" title="Key_Chain" class="tref internalDFN"><ins class="diff-new">
+Key
+Chain
+</ins></a><ins class="diff-new">
+to
+send
+to
+a
+server
+</ins>
+</dd>
+<dt>
+<dfn id="dfn-key_chain" title="Key_Chain">
+<ins class="diff-chg">Key
+Chain
+</ins></dfn><ins class="diff-chg">
+agent
+</ins></dt><dd><ins class="diff-chg">
+A
+Key
+Chain
+agent
+can
+return
+certificates
+to
+authorized
+
+</ins><a title="Clients" class="tref"><ins class="diff-chg">
+Clients
+</ins></a><ins class="diff-chg">
+and
+can
+sign
+cryptographic
+tokens
+with
+the
+corresponding
+key.
+This
+protocol
+does
+not
+specify
+where
+that
+agent
+is:
+it
+could
+be
+that
+the
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-chg">
+Client
+</ins></a><ins class="diff-chg">
+contains
+his
+own
+Key
+Chain
+or
+it
+could
+be
+that
+the
+Key
+Chain
+is
+a
+separate
+process
+on
+the
+Operating
+System.
+</ins></dd><dt><dfn id="dfn-server" title="Server">
+Server
+</dfn>
+</dt>
+<dd>
+A
+Server
+is
+a
+machine
+contactable
+at
+a
+domain
+name
+or
+<del class="diff-old">ip
+</del>
+<ins class="diff-chg">IP
+
+</ins>
+address
+that
+hosts
+a
+number
+of
+globally
+accessible
+Services.
+</dd>
+<dt>
+<dfn id="dfn-service" title="Service">
+Service
+</dfn>
+</dt>
+<dd>
+A
+Service
+is
+a
+an
+agent
+listening
+for
+requests
+at
+a
+given
+<del class="diff-old">ip
+</del>
+<ins class="diff-chg">IP
+</ins>
+address
+on
+a
+given
+Server
+</dd>
+<dt>
+
+<dfn id="dfn-tls_service" title="TLS_Service">
+<ins class="diff-chg">TLS
+Service
+</ins></dfn></dt><dd><ins class="diff-chg">
+A
+TLS
+Service
+is
+a
+transport
+level
+service
+listening
+on
+the
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a><ins class="diff-chg">
+port.
+It
+secures
+the
+transport
+layer
+before
+passing
+messages
+to
+the
+Application
+layer
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a><ins class="diff-chg">
+itself.
+The
+TLS
+protocol
+[
+</ins><cite><a href="#bib-RFC5246" rel="biblioentry" class="bibref"><ins class="diff-chg">
+RFC5246
+</ins></a></cite><ins class="diff-chg">
+]
+is
+applied
+to
+incoming
+connections:
+it
+identifies
+the
+server
+to
+the
+client,
+securing
+the
+channel
+and
+is
+able
+to
+request
+authentication
+credentials
+from
+the
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-chg">
+
+Client
+</ins></a><ins class="diff-chg">
+if
+needed.
+Server
+Credentials
+and
+Client
+credentials
+traditionally
+take
+the
+form
+of
+X509
+Certificates
+containing
+a
+public
+key.
+The
+TLS
+protocol
+enables
+the
+TLS
+Service
+to
+verify
+that
+the
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-chg">
+Client
+</ins></a><ins class="diff-chg">
+controls
+the
+private
+key
+of
+the
+</ins><a href="#dfn-public_key" title="Public_Key" class="tref internalDFN"><ins class="diff-chg">
+Public
+Key
+</ins></a><ins class="diff-chg">
+published
+in
+the
+certificate.
+Trust
+decisions
+on
+other
+attributes
+of
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-chg">
+Subject
+</ins></a><ins class="diff-chg">
+published
+in
+the
+Certificate
+-
+such
+as
+his
+name
+-
+are
+traditionally
+based
+on
+the
+trust
+in
+the
+Agent
+that
+signed
+the
+Certificate
+-
+known
+as
+a
+</ins><a href="#dfn-certificate_authority" title="Certificate_Authority" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+Authority
+
+</ins></a>.</dd><dt><dfn id="dfn-certificate" title="Certificate"><ins class="diff-chg">
+Certificate
+</ins></dfn></dt><dt></dt><dd><ins class="diff-chg">
+A
+Certificate
+is
+a
+document
+that
+affirms
+statements
+about
+a
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-chg">
+Subject
+</ins></a><ins class="diff-chg">
+such
+as
+its
+</ins><a href="#dfn-public_key" title="public_key" class="tref internalDFN"><ins class="diff-chg">
+public
+key
+</ins></a><ins class="diff-chg">
+and
+its
+name,
+and
+that
+is
+signed
+by
+a
+</ins><a href="#dfn-certificate_authority" title="Certificate_Authority" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+Authority
+</ins></a><ins class="diff-chg">
+using
+the
+private
+key
+that
+corresponds
+to
+the
+public
+key
+published
+in
+its
+certificate.
+The
+Certificate
+Authority's
+own
+Certificate
+is
+self
+signed.
+Certificates
+used
+by
+TLS
+are
+traditionally
+X509
+[
+
+</ins><cite><a href="#bib-X509V3" rel="biblioentry" class="bibref"><ins class="diff-chg">
+X509V3
+</ins></a></cite><ins class="diff-chg">
+]
+Certificates.
+</ins></dd><dt><dfn id="dfn-certificate_authority" title="Certificate_Authority"><ins class="diff-chg">
+Certificate
+Authority
+</ins></dfn><ins class="diff-chg">
+(
+</ins><dfn id="dfn-ca" title="CA"><ins class="diff-chg">
+CA
+</ins></dfn><ins class="diff-chg">
+)
+</ins></dt><dd><ins class="diff-chg">
+A
+Certificate
+Authority
+is
+a
+Subject
+that
+signs
+</ins><a title="Certificates" class="tref"><ins class="diff-chg">
+Certificates
+</ins></a>.<ins class="diff-chg">
+
+It
+is
+an
+Authority
+for
+what
+is
+written
+in
+the
+Certificate
+for
+any
+Agent
+that
+trusts
+it
+to
+be
+truthful
+in
+what
+it
+signs.
+Such
+agents
+use
+the
+knowledge
+of
+the
+CA's
+public
+key
+to
+verify
+the
+statements
+made
+by
+that
+CA
+in
+any
+of
+the
+Certificates
+it
+signed.
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a><ins class="diff-chg">
+s
+usually
+identify
+themselves
+with
+Certificates
+signed
+by
+well
+known
+and
+widely
+deployed
+CAs
+available
+in
+all
+agents.
+</ins></dd><dt><dfn id="dfn-tls-light_service" title="TLS-Light_Service"><ins class="diff-chg">
+TLS-Light
+Service
+</ins></dfn></dt><dd><ins class="diff-chg">
+A
+TLS-Light
+Service
+is
+a
+standard
+TLS
+Service,
+except
+that
+it
+does
+not
+do
+CA
+Based
+Client
+Certificate
+Authentication.
+If
+on
+requesting
+a
+Certificate
+from
+a
+Client
+it
+receives
+one,
+it
+simply
+verifies
+that
+the
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-chg">
+Client
+</ins></a><ins class="diff-chg">
+knows
+the
+private
+key
+of
+the
+public
+key
+published
+in
+the
+Certificate
+it
+received.
+Verification
+of
+attributes
+in
+the
+certificate
+is
+left
+to
+other
+services
+such
+as
+the
+</ins><a href="#dfn-webid_verifier" title="WebID_Verifier" class="tref internalDFN"><ins class="diff-chg">
+WebID
+Verifier
+</ins></a>.</dd><dt><dfn id="dfn-guard" title="Guard">
+
+Guard
+</dfn>
+</dt>
+<dt>
+</dt>
+<dd>
+A
+guard
+is
+an
+agent,
+usually
+on
+the
+<a href="#dfn-server" title="Server" class="tref internalDFN">
+Server
+</a>
+that
+can
+look
+at
+a
+request
+from
+the
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+Client
+</a>
+and
+decide
+if
+it
+needs
+Authentication
+by
+looking
+at
+the
+Access
+control
+Rules.
+If
+it
+needs
+Authentication
+it
+can
+request
+it,
+and
+it
+can
+use
+the
+<del class="diff-old">WebId
+</del>
+
+<a href="#dfn-webid_verifier" title="WebID_Verifier" class="tref internalDFN">
+<ins class="diff-chg">WebID
+</ins>
+Verifier
+</a>
+to
+complete
+identity
+checks.
+Finally
+it
+can
+grant
+or
+deny
+access.
+</dd>
+<dt>
+<dfn id="dfn-verification_agent" title="Verification_Agent">
+Verification
+Agent
+</dfn>
+or
+<del class="diff-old">WebId
+</del>
+<dfn id="dfn-webid_verifier" title="WebID_Verifier">
+<ins class="diff-chg">WebID
+</ins>
+
+Verifier
+</dfn>
+</dt>
+<dd>
+<del class="diff-old">Performs
+authentication
+on
+provided
+</del>
+<ins class="diff-chg">A
+</ins>
+WebID
+<del class="diff-old">credentials.
+</del>
+<ins class="diff-chg">Verifier
+takes
+a
+</ins><a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN"><ins class="diff-chg">
+WebID
+Certificate
+</ins></a><ins class="diff-chg">
+and
+verifies
+that
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-chg">
+
+Subject
+</ins></a><ins class="diff-chg">
+of
+the
+Certificate
+is
+indeed
+identified
+by
+the
+</ins><code><ins class="diff-chg">
+Subject
+Alternative
+Name
+</ins></code><a href="#dfn-webid" title="WebID" class="tref internalDFN"><ins class="diff-chg">
+WebID
+</ins></a><ins class="diff-chg">
+published
+there.
+This
+is
+usually
+done,
+because
+the
+</ins><a title="TLS_Service_Light" class="tref"><ins class="diff-chg">
+TLS
+Service
+Light
+</ins></a><ins class="diff-chg">
+did
+not
+verify
+the
+SAN
+using
+a
+</ins><a href="#dfn-certificate_authority" title="Certificate_Authority" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+Authority
+</ins></a><ins class="diff-chg">
+signature.
+But
+it
+can
+also
+be
+done
+to
+verify
+that
+the
+
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+</ins></a><ins class="diff-chg">
+is
+still
+valid.
+</ins>
+</dd>
+<dt>
+<dfn id="dfn-webid_certificate" title="WebID_Certificate">
+WebID
+Certificate
+</dfn>
+</dt>
+<dd>
+An
+X.509
+[
+<cite>
+<a href="#bib-X509V3" rel="biblioentry" class="bibref">
+X509V3
+</a>
+
+</cite>
+]
+<a href="#dfn-certificate" title="Certificate" class="tref internalDFN">
+Certificate
+</a>
+that
+will
+identify
+an
+Agent
+using
+a
+<del class="diff-old">WebID.
+</del>
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+<ins class="diff-chg">WebID
+</ins></a>.
+The
+Certificate
+need
+not
+be
+signed
+by
+a
+well
+known
+Certificate
+Authority.
+Indeed
+it
+can
+be
+signed
+by
+the
+server
+which
+hosts
+the
+certificate,
+or
+it
+can
+even
+be
+self
+signed.
+The
+Certificate
+<em title="must" class="rfc2119">
+must
+</em>
+contain
+a
+<code>
+Subject
+Alternative
+Name
+
+</code>
+extension
+with
+at
+least
+one
+URI
+entry
+identifying
+the
+<a href="#dfn-subject" title="Subject" class="tref internalDFN">
+Subject
+</a>.
+This
+URI
+<em title="should" class="rfc2119">
+should
+</em>
+be
+one
+of
+the
+URIs
+with
+a
+dereferenceable
+secure
+scheme,
+such
+as
+https://
+.
+Dereferencing
+this
+URI
+should
+return
+a
+representation
+containing
+RDF
+data.
+For
+example,
+a
+certificate
+identifying
+the
+WebID
+URI
+<code>
+https://bob.example/profile#me
+</code>
+would
+contain
+the
+following:
+<del class="diff-old">X509v3 extensions:
+ ...
+ X509v3 Subject Alternative Name:
+</del>
+<pre class="example">X509v3 extensions:
+<ins class="diff-chg"> ...
+ X509v3 Subject Alternative Name:
+
+</ins>
+URI:https://bob.example/profile#me
+</pre>
+And
+it
+would
+have
+a
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>
+at
+<code>
+https://bob.example/profile
+</code>
+Such
+a
+URI
+is
+known
+as
+a
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+</a>.
+</dd>
+<dt>
+
+<dfn id="dfn-webid" title="WebID">
+WebID
+</dfn>
+</dt>
+<dd>
+A
+URI
+that
+refers
+to
+an
+Agent
+-
+Person,
+Robot,
+Group
+or
+other
+thing
+that
+can
+have
+Intentions.
+The
+WebID
+should
+be
+a
+URI
+which
+when
+dereferenced
+returns
+a
+representation
+whose
+description
+uniquely
+identifies
+the
+Agent
+as
+the
+controller
+of
+a
+public
+key.
+In
+our
+example
+the
+WebID
+refers
+to
+Bob.
+A
+WebID
+is
+usually
+a
+URL
+with
+a
+#tag,
+as
+the
+meaning
+of
+such
+a
+URL
+is
+defined
+in
+the
+document.
+</dd>
+<dt>
+<dfn id="dfn-public_key" title="Public_Key">
+Public
+Key
+</dfn>
+</dt>
+<dd>
+A
+cryptographic
+key
+that
+can
+be
+published
+and
+can
+be
+used
+to
+verify
+the
+possession
+of
+a
+private
+key.
+A
+public
+key
+is
+always
+included
+in
+a
+<a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN">
+WebID
+Certificate
+</a>.
+
+</dd>
+<dt>
+<dfn id="dfn-webid_profile" title="WebID_Profile">
+WebID
+Profile
+</dfn>
+or
+<dfn id="dfn-profile_page" title="Profile_Page">
+Profile
+Page
+</dfn>
+</dt>
+<dd>
+A
+structured
+document
+asserting
+the
+relationship
+between
+the
+Subject
+(identified
+by
+his
+WebID)
+and
+his
+<a href="#dfn-public_key" title="Public_Key" class="tref internalDFN">
+Public
+Key
+</a>
+s
+using
+relationships
+as
+defined
+by
+the
+Resource
+Description
+Framework
+[
+<cite>
+
+<a href="#bib-RDF-CONCEPTS" rel="biblioentry" class="bibref">
+RDF-CONCEPTS
+</a>
+</cite>
+]
+and
+published
+at
+the
+URL
+location
+of
+the
+Subject's
+WebID.
+Dereferencing
+the
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+</a>
+should
+return
+the
+Profile
+Document
+in
+one
+of
+a
+number
+of
+formats.
+The
+Server
+<em title="must" class="rfc2119">
+must
+</em>
+publish
+the
+document
+in
+at
+least
+the
+XHTML+RDFa
+1.1
+[
+<cite>
+<a href="#bib-XHTML-RDFA" rel="biblioentry" class="bibref">
+XHTML-RDFA
+</a>
+
+</cite>
+]
+serialization
+format
+or
+in
+RDF/XML
+[
+<cite>
+<a href="#bib-RDF-SYNTAX-GRAMMAR" rel="biblioentry" class="bibref">
+RDF-SYNTAX-GRAMMAR
+</a>
+</cite>
+].
+The
+document
+may
+be
+published
+in
+a
+number
+of
+other
+RDF
+serialization
+formats,
+such
+as
+N3
+[
+<cite>
+<a href="#bib-N3" rel="biblioentry" class="bibref">
+N3
+</a>
+</cite>
+]
+or
+Turtle
+[
+<cite>
+<a href="#bib-TURTLE" rel="biblioentry" class="bibref">
+TURTLE
+
+</a>
+</cite>
+].
+Any
+serialisation
+<em title="must" class="rfc2119">
+must
+</em>
+be
+transformable
+automatically
+and
+in
+a
+standard
+manner
+to
+an
+RDF
+Graph,
+using
+technologies
+such
+as
+GRDDL
+[
+<cite>
+<a href="#bib-GRDDL-PRIMER" rel="biblioentry" class="bibref">
+GRDDL-PRIMER
+</a>
+</cite>
+].
+<p class="issue">
+Most
+profiles
+are
+currently
+written
+out
+in
+either
+of
+those
+formats.
+Whether
+or
+not
+XHTML+RDFa
+1.1,
+both
+either
+serialization
+of
+RDF
+should
+be
+required
+serialization
+formats
+in
+the
+specification
+is
+currently
+under
+heavy
+debate
+and
+is
+open
+to
+change.
+</p>
+</dd>
+
+</dl>
+</div>
+<div about="#namespaces" typeof="bibo:Chapter" id="namespaces" class="normative section">
+<h3>
+<span class="secno">
+<del class="diff-old">2.2
+</del>
+<ins class="diff-chg">1.3
+</ins>
+</span>
+Namespaces
+</h3>
+<p>
+Examples
+assume
+the
+following
+namespace
+prefix
+bindings
+unless
+otherwise
+stated:
+</p>
+<table style="text-align: left; border-color: rgb(0, 0, 0); border-collapse: collapse;" border="1" cellpadding="5">
+<thead>
+
+<tr>
+<th>
+Prefix
+</th>
+<th>
+IRI
+</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>
+cert
+</code>
+</td>
+<td>
+
+http://www.w3.org/ns/auth/cert#
+</td>
+</tr>
+<tr>
+<td>
+<code>
+xsd
+</code>
+</td>
+<td>
+http://www.w3.org/2001/XMLSchema#
+</td>
+</tr>
+<tr>
+<td>
+<code>
+foaf
+
+</code>
+</td>
+<td>
+http://xmlns.com/foaf/0.1/
+</td>
+</tr>
+<tr>
+<td>
+<code>
+ex
+</code>
+</td>
+<td>
+https://bob.example/profile#
+</td>
+</tr>
+</tbody>
+
+</table>
+<p>
+The
+ex:
+namespace
+is
+a
+URI
+that
+refers
+to
+Bob's
+profile,
+where
+Bob
+is
+an
+imaginary
+<del class="diff-old">charcter
+</del>
+<ins class="diff-chg">character
+</ins>
+well
+known
+in
+security
+circles.
+</p>
+</div>
+</div>
+<div class="section" about="#preconditions" typeof="bibo:Chapter" id="preconditions">
+<h2>
+<span class="secno">
+<ins class="diff-chg">2.
+</ins></span><ins class="diff-chg">
+Preconditions
+
+</ins></h2><div about="#the-certificate" typeof="bibo:Chapter" id="the-certificate" class="normative section">
+<h3>
+<span class="secno">
+<del class="diff-old">2.3
+</del>
+<ins class="diff-chg">2.1
+</ins>
+</span>
+<del class="diff-old">Creating
+the
+</del>
+<ins class="diff-chg">The
+</ins>
+certificate
+</h3>
+<p>
+The
+<del class="diff-old">user
+agent
+will
+create
+
+</del>
+<a href="#dfn-key_chain" title="Key_Chain" class="tref internalDFN">
+<ins class="diff-chg">Key
+Chain
+</ins></a><ins class="diff-chg">
+must
+have
+</ins>
+a
+<del class="diff-old">Identification
+</del>
+<a href="#dfn-certificate" title="Certificate" class="tref internalDFN">
+Certificate
+</a>
+with
+a
+<code>
+Subject
+Alternative
+Name
+</code>
+URI
+entry.
+This
+URI
+must
+be
+one
+that
+dereferences
+to
+a
+document
+the
+user
+controls
+so
+that
+he
+can
+publish
+the
+public
+key
+
+<del class="diff-old">of
+the
+Identification
+</del>
+<ins class="diff-chg">for
+that
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN">
+Certificate
+</a>
+at
+this
+URI.
+</p>
+<p>
+For
+example,
+if
+a
+user
+Bob
+controls
+<code>
+https://bob.example/profile
+</code>,
+then
+his
+WebID
+can
+be
+<code>
+https://bob.example/profile#me
+</code>
+</p>
+
+<p>
+When
+creating
+a
+certificate
+it
+is
+very
+important
+to
+<del class="diff-old">put
+an
+nice
+</del>
+<ins class="diff-chg">choose
+a
+user
+friendly
+</ins>
+Common
+Name
+(CN)
+for
+the
+user,
+that
+will
+allow
+him
+to
+distinguish
+between
+different
+certificates
+he
+may
+have,
+such
+as
+a
+personal
+or
+a
+business
+<del class="diff-old">certificate.
+</del>
+<ins class="diff-chg">certificate,
+when
+selecting
+one
+from
+his
+browser.
+</ins>
+In
+the
+example
+below
+the
+CN
+is
+<code>
+Bob
+(personal)
+</code>.
+This
+name
+can
+then
+also
+be
+<del class="diff-old">used
+</del>
+
+<ins class="diff-chg">displayed
+</ins>
+by
+any
+server
+authenticating
+the
+user
+<del class="diff-old">to
+immediately
+find
+</del>
+<ins class="diff-chg">as
+</ins>
+a
+<del class="diff-old">way
+to
+address
+the
+user.
+</del>
+<ins class="diff-chg">human
+friendly
+label.
+</ins>
+The
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+</a>
+<ins class="diff-new">URL
+itself
+
+</ins>
+should
+not
+usually
+be
+used
+as
+a
+visible
+identifier
+for
+human
+users,
+rather
+it
+should
+be
+thought
+of
+as
+a
+hyperlink
+in
+an
+<code>
+<a
+href="https://...">
+</code>
+<del class="diff-old">code,
+especially
+if
+</del>
+<ins class="diff-chg">anchor.
+That
+is
+</ins>
+the
+<del class="diff-old">resulting
+resource
+has
+an
+html
+representation.
+</del>
+<ins class="diff-chg">CN
+should
+be
+a
+label
+and
+the
+</ins><a href="#dfn-webid" title="WebID" class="tref internalDFN"><ins class="diff-chg">
+WebID
+</ins></a><ins class="diff-chg">
+
+a
+pointer.
+</ins>
+</p>
+<p>
+As
+an
+example
+to
+use
+throughout
+this
+specification
+here
+is
+the
+following
+certificate
+as
+an
+output
+of
+the
+openssl
+program.
+</p>
+<del class="diff-old">Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 5f:df:d6:be:2c:73:c1:fb:aa:2a:2d:23:a6:91:3b:5c
+ Signature Algorithm: sha1WithRSAEncryption
+ O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority
+ Validity
+ Not Before: Jun 8 14:16:14 2010 GMT
+ Not After : Jun 8 16:16:14 2010 GMT
+ O=FOAF+SSL, OU=The Community Of Self Signers, CN=Bob (Personal)
+ Subject Public Key Info:
+ rsaEncryption
+ (2048 bit)
+
+ 00:cb:24:ed:85:d6:4d:79:4b:69:c7:01:c1:86:ac:
+ c0:59:50:1e:85:60:00:f6:61:c9:32:04:d8:38:0e:
+ 07:19:1c:5c:8b:36:8d:2a:c3:2a:42:8a:cb:97:03:
+ 98:66:43:68:dc:2a:86:73:20:22:0f:75:5e:99:ca:
+ 2e:ec:da:e6:2e:8d:15:fb:58:e1:b7:6a:e5:9c:b7:
+ ac:e8:83:83:94:d5:9e:72:50:b4:49:17:6e:51:a4:
+ 94:95:1a:1c:36:6c:62:17:d8:76:8d:68:2d:de:78:
+ dd:4d:55:e6:13:f8:83:9c:f2:75:d4:c8:40:37:43:
+ e7:86:26:01:f3:c4:9a:63:66:e1:2b:b8:f4:98:26:
+ 2c:3c:77:de:19:bc:e4:0b:32:f8:9a:e6:2c:37:80:
+ f5:b6:27:5b:e3:37:e2:b3:15:3a:e2:ba:72:a9:97:
+ 5a:e7:1a:b7:24:64:94:97:06:6b:66:0f:cf:77:4b:
+ 75:43:d9:80:95:2d:2e:85:86:20:0e:da:41:58:b0:
+ 14:e7:54:65:d9:1e:cf:93:ef:c7:ac:17:0c:11:fc:
+ 72:46:fc:6d:ed:79:c3:77:80:00:0a:c4:e0:79:f6:
+ 71:fd:4f:20:7a:d7:70:80:9e:0e:2d:7b:0e:f5:49:
+ 3b:ef:e7:35:44:d8:e1:be:3d:dd:b5:24:55:c6:13:
+ 91:a1
+ 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Key Usage: critical
+ Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Subject Key Identifier:
+ 08:8E:A5:5B:AE:5D:C3:8B:00:B7:30:62:65:2A:5A:F5:D2:E9:00:FA
+ critical
+ https://bob.example/profile#me
+ Signature Algorithm: sha1WithRSAEncryption
+ cf:8c:f8:7b:b2:af:63:f0:0e:dc:64:22:e5:8a:ba:03:1e:f1:
+ ee:6f:2c:f5:f5:10:ad:4c:54:fc:49:2b:e1:0d:cd:be:3d:7c:
+ 78:66:c8:ae:42:9d:75:9f:2c:29:71:91:5c:29:5b:96:ea:e1:
+ e4:ef:0e:5c:f7:07:a0:1e:9c:bf:50:ca:21:e6:6c:c3:df:64:
+ 29:6b:d3:8a:bd:49:e8:72:39:dd:07:07:94:ac:d5:ec:85:b1:
+ a0:5c:c0:08:d3:28:2a:e6:be:ad:88:5e:2a:40:64:59:e7:f2:
+ 45:0c:b9:48:c0:fd:ac:bc:fb:1b:c9:e0:1c:01:18:5e:44:bb:
+</del>
+<pre class="example">Certificate:
+<ins class="diff-chg"> Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 5f:df:d6:be:2c:73:c1:fb:aa:2a:2d:23:a6:91:3b:5c
+ Signature Algorithm: sha1WithRSAEncryption
+</ins> <span style="color: red">Issuer:</span> O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority
+<ins class="diff-chg">
+ Validity
+ Not Before: Jun 8 14:16:14 2010 GMT
+ Not After : Jun 8 16:16:14 2010 GMT
+
+</ins> <span style="color: red">Subject:</span> O=FOAF+SSL, OU=The Community Of Self Signers, CN=Bob (Personal)
+<ins class="diff-chg">
+ Subject Public Key Info:
+</ins><span style="color: red"> Public Key Algorithm:</span> rsaEncryption
+ <span style="color: red">Public-Key:</span> (2048 bit)
+ <span style="color: red">Modulus:</span>
+<ins class="diff-chg">
+
+ 00:cb:24:ed:85:d6:4d:79:4b:69:c7:01:c1:86:ac:
+ c0:59:50:1e:85:60:00:f6:61:c9:32:04:d8:38:0e:
+ 07:19:1c:5c:8b:36:8d:2a:c3:2a:42:8a:cb:97:03:
+ 98:66:43:68:dc:2a:86:73:20:22:0f:75:5e:99:ca:
+ 2e:ec:da:e6:2e:8d:15:fb:58:e1:b7:6a:e5:9c:b7:
+ ac:e8:83:83:94:d5:9e:72:50:b4:49:17:6e:51:a4:
+ 94:95:1a:1c:36:6c:62:17:d8:76:8d:68:2d:de:78:
+ dd:4d:55:e6:13:f8:83:9c:f2:75:d4:c8:40:37:43:
+ e7:86:26:01:f3:c4:9a:63:66:e1:2b:b8:f4:98:26:
+ 2c:3c:77:de:19:bc:e4:0b:32:f8:9a:e6:2c:37:80:
+ f5:b6:27:5b:e3:37:e2:b3:15:3a:e2:ba:72:a9:97:
+ 5a:e7:1a:b7:24:64:94:97:06:6b:66:0f:cf:77:4b:
+ 75:43:d9:80:95:2d:2e:85:86:20:0e:da:41:58:b0:
+ 14:e7:54:65:d9:1e:cf:93:ef:c7:ac:17:0c:11:fc:
+ 72:46:fc:6d:ed:79:c3:77:80:00:0a:c4:e0:79:f6:
+ 71:fd:4f:20:7a:d7:70:80:9e:0e:2d:7b:0e:f5:49:
+ 3b:ef:e7:35:44:d8:e1:be:3d:dd:b5:24:55:c6:13:
+ 91:a1
+</ins> <span style="color: red">Exponent:</span> 65537 (0x10001)
+<ins class="diff-chg">
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:FALSE
+ X509v3 Key Usage: critical
+ Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Subject Key Identifier:
+ 08:8E:A5:5B:AE:5D:C3:8B:00:B7:30:62:65:2A:5A:F5:D2:E9:00:FA
+</ins> <span style="color: red">X509v3 Subject Alternative Name:</span> critical
+ <span style="color: red">URI:</span>https://bob.example/profile#me
+<ins class="diff-chg">
+ Signature Algorithm: sha1WithRSAEncryption
+ cf:8c:f8:7b:b2:af:63:f0:0e:dc:64:22:e5:8a:ba:03:1e:f1:
+ ee:6f:2c:f5:f5:10:ad:4c:54:fc:49:2b:e1:0d:cd:be:3d:7c:
+ 78:66:c8:ae:42:9d:75:9f:2c:29:71:91:5c:29:5b:96:ea:e1:
+ e4:ef:0e:5c:f7:07:a0:1e:9c:bf:50:ca:21:e6:6c:c3:df:64:
+ 29:6b:d3:8a:bd:49:e8:72:39:dd:07:07:94:ac:d5:ec:85:b1:
+ a0:5c:c0:08:d3:28:2a:e6:be:ad:88:5e:2a:40:64:59:e7:f2:
+ 45:0c:b9:48:c0:fd:ac:bc:fb:1b:c9:e0:1c:01:18:5e:44:bb:
+
+</ins>
+d8:b8
+</pre>
+<p class="issue">
+Should
+we
+formally
+require
+the
+Issuer
+to
+be
+O=FOAF+SSL,
+OU=The
+Community
+of
+Self
+Signers,
+CN=Not
+a
+Certification
+Authority.
+This
+was
+discussed
+on
+the
+list
+as
+allowing
+servers
+to
+distinguish
+certificates
+that
+are
+<del class="diff-old">foaf+Ssl
+</del>
+<ins class="diff-chg">foaf+SSL
+</ins>
+enabled
+from
+others.
+Will
+probably
+need
+some
+very
+deep
+TLS
+thinking
+to
+get
+this
+right.
+</p>
+<p class="issue">
+The
+above
+certificate
+is
+no
+longer
+valid,
+as
+I
+took
+an
+valid
+certificate
+and
+change
+the
+time
+and
+WebID.
+As
+a
+result
+the
+<del class="diff-old">Signatiure
+</del>
+<ins class="diff-chg">signature
+</ins>
+
+is
+now
+false.
+A
+completely
+valid
+certificate
+should
+be
+generated
+to
+avoid
+nit-pickers
+picking
+<del class="diff-old">nits
+</del>
+<ins class="diff-chg">nits.
+</ins></p><div about="#creating-a-certificate" typeof="bibo:Chapter" id="creating-a-certificate" class="normative section"><h4><span class="secno"><ins class="diff-chg">
+2.1.1
+</ins></span><ins class="diff-chg">
+Creating
+a
+Certificate
+</ins></h4><p><ins class="diff-chg">
+Many
+tools
+exist
+to
+create
+a
+Certificate.
+Some
+keychains
+allow
+a
+user
+to
+create
+the
+Certificate
+directly
+with
+a
+friendly
+User
+Interface.
+But
+using
+a
+keychain
+on
+the
+client
+still
+requires
+the
+public
+key
+to
+be
+published
+on
+the
+server
+as
+detailed
+in
+the
+next
+section.
+It
+is
+possible
+to
+combine
+the
+creation
+of
+the
+key
+with
+its
+publication
+in
+one
+step
+in
+such
+a
+way
+as
+to
+allow
+the
+server
+to
+make
+the
+decision
+of
+what
+the
+WebID
+should
+be,
+by
+using
+the
+</ins><a href="http://www.w3.org/TR/html5/the-button-element.html#the-keygen-element"><ins class="diff-chg">
+HTML
+5
+keygen
+</ins></a><ins class="diff-chg">
+element.
+This
+element
+can
+be
+placed
+in
+an
+HTML5
+form,
+where
+on
+submitting
+the
+form,
+the
+browser
+asks
+the
+</ins><a href="#dfn-key_chain" title="Key_Chain" class="tref internalDFN"><ins class="diff-chg">
+Key
+Chain
+</ins></a><ins class="diff-chg">
+
+to
+create
+a
+public
+and
+private
+key
+pair,
+and
+on
+receiving
+the
+public
+part
+of
+that
+keypair
+the
+Client
+can
+sends
+a
+keyrequest
+as
+part
+of
+the
+form
+to
+the
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a>.<ins class="diff-chg">
+The
+</ins><a href="#dfn-service" title="Service" class="tref internalDFN"><ins class="diff-chg">
+Service
+</ins></a><ins class="diff-chg">
+can
+then
+create
+a
+</ins><a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN"><ins class="diff-chg">
+WebID
+Certificate
+</ins></a><ins class="diff-chg">
+and
+return
+it
+to
+the
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-chg">
+Client
+</ins></a><ins class="diff-chg">
+
+to
+pass
+onto
+the
+</ins><a title="KeyChain" class="tref"><ins class="diff-chg">
+KeyChain
+</ins></a>.<ins class="diff-chg">
+In
+that
+way
+the
+Server
+is
+in
+the
+position
+to
+best
+make
+the
+decisions
+of
+what
+the
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+</ins></a><ins class="diff-chg">
+should
+say
+and
+what
+the
+WebID
+should
+be
+without
+the
+private
+key
+ever
+leaving
+the
+secure
+</ins><a href="#dfn-key_chain" title="Key_Chain" class="tref internalDFN"><ins class="diff-chg">
+Key
+Chain
+</ins></a>.<ins class="diff-chg">
+The
+user
+experience
+for
+this
+Certificate
+creation
+is
+a
+one
+click
+operation.
+</ins>
+</p>
+
+</div>
+</div>
+<div about="#publishing-the-webid-profile-document" typeof="bibo:Chapter" id="publishing-the-webid-profile-document" class="normative section">
+<h3>
+<span class="secno">
+<del class="diff-old">2.4
+</del>
+<ins class="diff-chg">2.2
+</ins>
+</span>
+Publishing
+the
+WebID
+Profile
+Document
+</h3>
+<p>
+The
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>
+
+document
+<em title="must" class="rfc2119">
+must
+</em>
+expose
+the
+relation
+between
+the
+<a title="WebID_URI" class="tref">
+WebID
+URI
+</a>
+and
+the
+<a title="Identification_Agent" class="tref">
+Identification
+Agent
+</a>
+'s
+<a href="#dfn-public_key" title="public_key" class="tref internalDFN">
+public
+key
+</a>
+s
+using
+the
+
+<code>
+cert
+</code>
+<del class="diff-old">ontologies,
+</del>
+<ins class="diff-chg">ontology
+</ins>
+as
+well
+as
+the
+standard
+<code>
+xsd
+</code>
+datatypes.
+The
+set
+of
+relations
+to
+be
+published
+at
+the
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>
+document
+can
+be
+presented
+in
+a
+graphical
+notation
+as
+follows.
+</p>
+
+<img alt="Web ID graph" src="img/WebIdGraph.jpg" width="90%">
+<p>
+The
+document
+can
+publish
+many
+more
+relations
+than
+are
+of
+interest
+to
+the
+WebID
+protocol,
+as
+shown
+in
+the
+above
+graph
+by
+the
+grayed
+out
+relations.
+For
+example
+Bob
+can
+publish
+a
+depiction
+or
+logo,
+so
+that
+sites
+he
+authenticates
+to
+can
+personalise
+the
+user
+experience.
+He
+can
+post
+links
+to
+people
+he
+knows,
+where
+those
+are
+have
+WebIDs
+published
+on
+other
+sites,
+in
+order
+to
+create
+a
+distributed
+Social
+Web.
+He
+can
+also
+publish
+relations
+to
+protected
+documents,
+where
+he
+keeps
+more
+information
+for
+people
+who
+authenticate,
+such
+as
+his
+friend
+Alois
+or
+his
+friends
+friends
+who
+may
+not
+yet
+know
+him
+personally,
+such
+as
+Alice.
+</p>
+<p>
+The
+protocol
+does
+not
+depend
+on
+any
+particular
+serialisation
+of
+the
+graph,
+provided
+that
+agents
+are
+able
+to
+parse
+that
+serialisation
+and
+obtain
+the
+graph
+automatically.
+Technologies
+such
+as
+GRDDL
+[
+<cite>
+<a href="#bib-GRDDL-PRIMER" rel="biblioentry" class="bibref">
+GRDDL-PRIMER
+</a>
+</cite>
+]
+for
+example
+permit
+any
+XML
+format
+to
+be
+transformed
+automatically
+to
+a
+graph
+of
+relations.
+Yet
+for
+reasons
+of
+<del class="diff-old">interoperabity
+</del>
+<ins class="diff-chg">interoperability
+</ins>
+is
+has
+been
+decided
+that
+the
+document
+
+<em title="must" class="rfc2119">
+must
+</em>
+be
+published
+at
+least
+in
+one
+of
+RDFa
+[XHTML-RDFA]
+or
+RDF/XML
+[RDF-SYNTAX-GRAMMAR].
+HTTP
+Content
+Negotiation
+[SWBP-VOCAB-PUB]
+can
+be
+employed
+to
+aid
+in
+publication
+and
+discovery
+of
+multiple
+distinct
+serialisations
+of
+the
+same
+graph
+at
+the
+same
+URL.
+</p>
+<p>
+Irrespective
+of
+whether
+content
+negotiation
+can
+or
+not
+be
+employed,
+if
+an
+HTML
+representation
+of
+the
+WebID
+profile
+is
+published,
+it
+is
+suggested
+that
+the
+provider
+uses
+the
+HTML
+<code>
+<link>
+</code>
+element
+to
+allow
+discovery
+of
+the
+various
+alternate
+representations
+of
+the
+graph
+which
+may
+be
+available:
+</p>
+<del class="diff-old"><html>
+<head>
+
+<link rel="alternate" type="application/rdf+xml" href="profile.rdf"/>
+<link rel="alternate" type="text/turtle" href="profile.ttl"/>
+...
+</del>
+<pre class="example"><html>
+<ins class="diff-chg"><head>
+<link rel="alternate" type="application/rdf+xml" href="profile.rdf"/>
+<link rel="alternate" type="text/turtle" href="profile.ttl"/>
+...
+</ins>
+</head>
+
+...
+</pre>
+<p>
+It
+is
+particularly
+useful
+to
+have
+one
+of
+the
+representations
+be
+in
+HTML
+or
+XHTML
+even
+if
+it
+is
+not
+marked
+up
+in
+RDFa
+as
+this
+allows
+people
+using
+a
+web
+browser
+to
+understand
+what
+the
+information
+at
+that
+URI
+represents.
+</p>
+<div about="#turtle" typeof="bibo:Chapter" id="turtle" class="normative section">
+<h4>
+<span class="secno">
+<del class="diff-old">2.4.1
+</del>
+<ins class="diff-chg">2.2.1
+</ins>
+</span>
+Turtle
+</h4>
+<p>
+A
+widely
+used
+format
+for
+writing
+RDF
+graphs
+by
+hand
+is
+the
+Turtle
+notation.
+It
+is
+easy
+to
+learn
+to
+use,
+is
+very
+handy
+for
+
+<del class="diff-old">commmunicating
+</del>
+<ins class="diff-chg">communicating
+</ins>
+over
+e-mail
+and
+on
+mailing
+lists,
+and
+can
+then
+be
+transformed
+into
+RDF/XML
+automatically.
+It
+is
+also
+very
+similar
+to
+the
+SPARQL
+query
+language.
+</p>
+<del class="diff-old">@prefix : <http://www.w3.org/ns/auth/cert#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix foaf: <http://xmlns.com/foaf/0.1/> .
+@prefix bob: <https://bob.example/profile#> .
+@prefix rdfs: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+bob:me a foaf:Person;
+ foaf:name "Bob";
+ foaf:knows <https://example.edu/p/Alois#MSc>;
+ :key [ a :RSAPublicKey;
+ rdfs:label "made on 23 November 2011 on my laptop";
+ :modulus "cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1"^^xsd:hexBinary;
+ :exponent 65537 ;
+
+</del>
+<pre class="example" style="word-wrap: break-word; white-space: pre-wrap;">@prefix : <http://www.w3.org/ns/auth/cert#> .
+<ins class="diff-chg">@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix foaf: <http://xmlns.com/foaf/0.1/> .
+@prefix bob: <https://bob.example/profile#> .
+@prefix rdfs: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+
+bob:me a foaf:Person;
+ foaf:name "Bob";
+ foaf:knows <https://example.edu/p/Alois#MSc>;
+ foaf:weblog <http://bob.example/blog>;
+ :key [ a :RSAPublicKey;
+ rdfs:label "made on 23 November 2011 on my laptop";
+ :modulus "cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1"^^xsd:hexBinary;
+ :exponent 65537 ;
+
+</ins>
+]
+.
+</pre>
+</div>
+<div class="section" about="#rdfa-html-notation" typeof="bibo:Chapter" id="rdfa-html-notation">
+<h4>
+<span class="secno">
+<del class="diff-old">2.4.2
+</del>
+<ins class="diff-chg">2.2.2
+</ins>
+</span>
+RDFa
+HTML
+notation
+</h4>
+<p>
+There
+are
+many
+ways
+of
+writing
+out
+the
+above
+graph
+using
+RDFa
+in
+<del class="diff-old">html.
+
+</del>
+<ins class="diff-chg">HTML.
+</ins>
+Here
+is
+just
+one
+example
+of
+what
+a
+WebID
+profile
+could
+look
+like.
+</p>
+<del class="diff-old">//DTD XHTML+RDFa 1.0//EN"
+ "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" version="XHTML+RDFa 1.0" dir="ltr"
+ xmlns:cert="http://www.w3.org/ns/auth/cert#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
+<head>
+ <title>Welcome to Bob's Home Page</title>
+</head>
+
+<body>
+<!-- WebID HTML snippet. The xmlns declarations above can be moved into the div below if needed-->
+<div about="#me" typeof="foaf:Person">
+ <span property="foaf:name">Bob</span>
+ <h2>My Good Friends</h2>
+ <ul>
+
+ <li rel="foaf:knows" href="https://example.edu/p/Alois#MSc">Alois</li>
+ </ul>
+ <h2>My RSA Public Keys</h2>
+ <div rel="cert:key">
+ <p>I made this key on the 23 November 2011 from my laptop.</p>
+
+ <div typeof="cert:RSAPublicKey">
+ <dl>
+ <dt>Modulus (hexadecimal)</dt>
+ <dd style="word-wrap: break-word; white-space: pre-wrap;"
+ property="cert:modulus" datatype="xsd:hexBinary">cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1</dd>
+ <dt>Exponent (decimal)</dt>
+
+ <dd property="cert:exponent" datatype="xsd:integer">65537</dd>
+ </dl>
+ </div>
+ </div>
+</div>
+<!-- WebID HTML snippet -->
+
+</body>
+</del>
+<pre class="example" style="word-wrap: break-word; white-space: pre-wrap;"><!DOCTYPE html PUBLIC "-//<acronym title="World Wide Web Consortium">W3C</acronym>//DTD XHTML+RDFa 1.0//EN"
+<ins class="diff-chg"> "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" version="XHTML+RDFa 1.0" dir="ltr"
+ xmlns:cert="http://www.w3.org/ns/auth/cert#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
+<head>
+ <title>Welcome to Bob's Home Page</title>
+
+</head>
+<body>
+<!-- WebID HTML snippet. The xmlns declarations above can be moved into the div below if needed-->
+<div about="#me" typeof="foaf:Person">
+ <span property="foaf:name">Bob</span>
+ <h2>My Good Friends</h2>
+
+ <ul>
+
+ <li rel="foaf:knows" href="https://example.edu/p/Alois#MSc">Alois</li>
+ </ul>
+ <h2>My RSA Public Keys</h2>
+
+ <div rel="cert:key">
+ <p>I made this key on the 23 November 2011 from my laptop.</p>
+ <div typeof="cert:RSAPublicKey">
+ <dl>
+
+ <dt>Modulus (hexadecimal)</dt>
+
+ <dd style="word-wrap: break-word; white-space: pre-wrap;"
+ property="cert:modulus" datatype="xsd:hexBinary">cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1</dd>
+ <dt>Exponent (decimal)</dt>
+ <dd property="cert:exponent" datatype="xsd:integer">65537</dd>
+ </dl>
+
+ </div>
+ </div>
+
+</div>
+<!-- WebID HTML snippet -->
+</body>
+</ins>
+</html>
+</pre>
+
+<p>
+The
+<code>
+style="word-wrap:
+break-word;
+white-space:
+pre-wrap;"
+</code>
+attributes
+allow
+the
+number
+to
+be
+displayed
+on
+more
+than
+one
+line
+so
+that
+it
+will
+wrapped
+across
+lines
+and
+not
+just
+continue
+off
+to
+the
+right
+of
+the
+screen.
+</p>
+<p class="issue">
+In
+order
+to
+make
+the
+above
+modulus
+easy
+to
+read
+for
+humans
+who
+may
+wish
+to
+compare
+it
+with
+the
+modulus
+in
+their
+browser,
+one
+can
+add
+some
+javascript.
+Add
+some
+javascript
+here
+that
+adds
+a
+:
+between
+every
+two
+characters,
+and
+that
+splits
+the
+line
+up
+in
+chunks.
+</p>
+<p>
+If
+a
+WebID
+provider
+would
+rather
+prefer
+not
+to
+mark
+up
+his
+data
+in
+RDFa,
+but
+just
+provide
+a
+human
+readable
+format
+for
+users
+and
+have
+the
+RDF
+graph
+appear
+in
+a
+machine
+readable
+format
+such
+as
+RDF/XML
+then
+he
+<em title="may" class="rfc2119">
+may
+</em>
+publish
+the
+link
+from
+the
+HTML
+to
+a
+machine
+readable
+format
+(it
+this
+is
+available
+at
+a
+dedicated
+URI)
+as
+follows:
+</p>
+
+<p class="example">
+<del class="diff-old"><html>
+<head>
+<link rel="alternate" type="application/rdf+xml" href="profile.rdf"/>
+</head>
+<body> ... </body>
+</html>
+</del>
+
+</p><pre><html>
+<ins class="diff-chg"><head>
+<link rel="alternate" type="application/rdf+xml" href="profile.rdf"/>
+</head>
+<body> ... </body>
+</html>
+</ins>
+</pre>
+
+<p>
+</p>
+</div>
+<div class="section" about="#in-rdf-xml" typeof="bibo:Chapter" id="in-rdf-xml">
+<h4>
+<span class="secno">
+<del class="diff-old">2.4.3
+</del>
+<ins class="diff-chg">2.2.3
+</ins>
+</span>
+In
+RDF/XML
+</h4>
+<p>
+RDF/XML
+is
+easy
+to
+generate
+automatically
+from
+structured
+data,
+be
+it
+in
+object
+notation
+or
+in
+relational
+databases.
+Parsers
+for
+it
+are
+also
+widely
+available.
+</p>
+<del class="diff-old"><?xml version="1.0"?>
+
+<rdf:RDF
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:cert="http://www.w3.org/ns/auth/cert#"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/">
+ <foaf:Person rdf:about="https://bob.example/profile#me">
+ <foaf:name>Bob</foaf:name>
+ <cert:key>
+ <cert:RSAPublicKey>
+ <rdfs:label>made on 23 November 2011 on my laptop<rdfs:label>
+
+ <cert:modulus rdf:datatype="xsd:hexBinary">
+cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1
+ </cert:modulus>
+ <cert:exponent rdf:datatype="xsd:integer">65537</cert:exponent>
+ </cert:RSAPublicKey>
+ </cert:key>
+
+ </foaf:Person>
+</del>
+<pre class="example" style="word-wrap: break-word; white-space: pre-wrap;"><?xml version="1.0"?>
+<ins class="diff-chg"><rdf:RDF
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
+ xmlns:cert="http://www.w3.org/ns/auth/cert#"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/">
+ <foaf:Person rdf:about="https://bob.example/profile#me">
+ <foaf:name>Bob</foaf:name>
+ <foaf:weblog rdf:resource="http://bob.example/blog"/>
+
+ <cert:key>
+ <cert:RSAPublicKey>
+ <rdfs:label>made on 23 November 2011 on my laptop</rdfs:label>
+ <cert:modulus rdf:datatype="http://www.w3.org/ns/auth/cert#hexBinary">
+cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1
+ </cert:modulus>
+
+ <cert:exponent rdf:datatype="http://www.w3.org/ns/auth/cert#integer">65537</cert:exponent>
+ </cert:RSAPublicKey>
+ </cert:key>
+ </foaf:Person>
+
+</ins>
+</rdf:RDF>
+
+</pre>
+<p class="issue">
+TODO:
+the
+dsa
+ontology
+</p>
+<p class="todo">
+<ins class="diff-new">What
+should
+the
+time
+to
+live
+be
+on
+a
+WebID
+document?
+</ins></p>
+</div>
+<div class="section" about="#in-portable-contacts-format-using-grddl" typeof="bibo:Chapter" id="in-portable-contacts-format-using-grddl">
+<h4>
+<span class="secno">
+<del class="diff-old">2.4.4
+</del>
+<ins class="diff-chg">2.2.4
+</ins>
+</span>
+In
+Portable
+Contacts
+format
+using
+GRDDL
+
+</h4>
+<p class="issue">
+TODO:
+discuss
+other
+formats
+and
+GRDDL,
+XSPARQL
+options
+for
+xml
+formats
+</p>
+<p class="issue">
+summarize
+and
+point
+to
+content
+negotiation
+documents
+</p>
+</div>
+</div>
+<div about="#disabling-a-webid-certificate" typeof="bibo:Chapter" id="disabling-a-webid-certificate" class="normative section">
+<h3>
+<span class="secno">
+<ins class="diff-new">2.3
+</ins></span><ins class="diff-new">
+Disabling
+a
+WebID
+Certificate
+</ins></h3><p><ins class="diff-new">
+A
+
+</ins><a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN"><ins class="diff-new">
+WebID
+Certificate
+</ins></a><ins class="diff-new">
+identifies
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-new">
+Subject
+</ins></a><ins class="diff-new">
+alone
+and
+no
+one
+else,
+if
+and
+only
+if
+she
+is
+the
+only
+one
+to
+control
+the
+corresponding
+private
+key.
+It
+is
+very
+important
+therefore
+that
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-new">
+Subject
+</ins></a><ins class="diff-new">
+take
+care
+of
+keeping
+the
+</ins><a title="private_key" class="tref"><ins class="diff-new">
+private
+key
+</ins></a><ins class="diff-new">
+secure.
+This
+can
+be
+done
+by
+keeping
+it
+in
+the
+</ins><a href="#dfn-key_chain" title="Key_Chain" class="tref internalDFN"><ins class="diff-new">
+
+Key
+Chain
+</ins></a><ins class="diff-new">
+of
+a
+personal
+machine
+in
+an
+account
+that
+is
+password
+protected
+and
+free
+of
+viruses,
+or
+best
+of
+all
+on
+some
+physical
+device
+where
+the
+private
+key
+is
+inaccessible
+to
+be
+read
+by
+any
+software.
+In
+the
+second
+case
+having
+the
+device
+implies
+that
+the
+</ins><a title="private_key" class="tref"><ins class="diff-new">
+private
+key
+</ins></a><ins class="diff-new">
+has
+not
+been
+lost
+or
+copied.
+In
+the
+first
+case
+the
+user
+has
+to
+be
+more
+careful
+for
+signals
+of
+misuse.
+</ins></p><p></p><p><ins class="diff-new">
+In
+either
+situation
+if
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-new">
+Subject
+</ins></a><ins class="diff-new">
+is
+suspicious
+that
+his
+private
+key
+has
+been
+taken,
+then
+he
+can
+disable
+future
+authentications
+for
+that
+certificate
+by
+removing
+the
+corresponding
+</ins><a href="#dfn-public_key" title="public_key" class="tref internalDFN"><ins class="diff-new">
+public
+key
+</ins></a><ins class="diff-new">
+from
+his
+
+</ins><a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN"><ins class="diff-new">
+WebID
+Profile
+</ins></a>.<ins class="diff-new">
+If
+the
+profile
+contains
+more
+than
+one
+public
+key
+for
+the
+</ins><a href="#dfn-subject" title="Subject" class="tref internalDFN"><ins class="diff-new">
+Subject
+</ins></a><ins class="diff-new">
+then
+it
+is
+suggested
+that
+each
+public
+key
+contain
+a
+label
+to
+help
+the
+user
+locate
+the
+key.
+In
+the
+examples
+above
+an
+</ins><code><ins class="diff-new">
+rdfs:label
+</ins></code><ins class="diff-new">
+with
+a
+creation
+date
+was
+used
+for
+this
+purpose.
+</ins></p>
+</div>
+</div>
+<div about="#the-webid-protocol" typeof="bibo:Chapter" id="the-webid-protocol" class="normative section">
+
+<h2>
+<span class="secno">
+3.
+</span>
+The
+WebID
+Protocol
+</h2>
+<div about="#authentication-sequence" typeof="bibo:Chapter" id="authentication-sequence" class="normative section">
+<h3>
+<span class="secno">
+3.1
+</span>
+Authentication
+Sequence
+</h3>
+<p>
+In
+order
+to
+give
+the
+full
+context
+of
+a
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+Client
+
+</a>
+interaction
+with
+a
+<a href="#dfn-server" title="Server" class="tref internalDFN">
+Server
+</a>
+we
+will
+illustrate
+the
+protocol
+with
+the
+following
+sequence
+diagram.
+<a href="#dfn-bob" title="Bob" class="tref internalDFN">
+Bob
+</a>
+initiates
+a
+connection
+to
+<a href="#dfn-alice" title="Alice" class="tref internalDFN">
+Alice
+</a>
+'s
+server
+via
+a
+TLS
+enabled
+protocol
+such
+as
+<del class="diff-old">https
+</del>
+<ins class="diff-chg">HTTPS
+
+</ins>
+in
+order
+to
+access
+a
+Protected
+Resource
+or
+a
+Protected
+Service.
+The
+Protected
+Resource
+<em title="must" class="rfc2119">
+<ins class="diff-new">must
+</ins></em><ins class="diff-new">
+be
+served
+over
+a
+</ins><a href="#dfn-tls-light_service" title="TLS-Light_Service" class="tref internalDFN"><ins class="diff-new">
+TLS-Light
+Service
+</ins></a>,<ins class="diff-new">
+that
+will
+not
+do
+full
+</ins><a href="#dfn-ca" title="CA" class="tref internalDFN"><ins class="diff-new">
+CA
+</ins></a><ins class="diff-new">
+authentication
+of
+</ins><a href="#dfn-client" title="Client" class="tref internalDFN"><ins class="diff-new">
+Client
+
+</ins></a><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-new">
+Certificate
+</ins></a><ins class="diff-new">
+s
+it
+receives.
+The
+Protected
+Resource
+</ins>
+may
+be
+a
+document
+served
+over
+<del class="diff-old">https,
+</del>
+<ins class="diff-chg">HTTPS,
+</ins>
+but
+it
+could
+also
+be
+a
+SOAP
+service,
+or
+some
+other
+resource.
+This
+resource
+is
+protected
+by
+a
+Guard,
+which
+uses
+a
+<a href="#dfn-webid_verifier" title="WebID_Verifier" class="tref internalDFN">
+WebID
+Verifier
+</a>
+to
+verify
+the
+non
+Certified
+<del class="diff-old">WebIds
+</del>
+
+<ins class="diff-chg">WebIDs
+</ins>
+found
+in
+the
+certificate.
+Once
+the
+verification
+succeeds
+the
+Guard
+checks
+to
+see
+if
+the
+Agent
+identified
+by
+the
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+</a>
+is
+allowed
+access
+to
+the
+resource,
+by
+using
+trusted
+information
+from
+the
+Web
+and
+access
+control
+rules.
+</p>
+<img src="img/WebIDSequence-friendly.jpg" width="90%">
+<p>
+The
+steps
+in
+detail
+are
+as
+follows:
+</p>
+<ol>
+<li>
+<a href="#dfn-bob" title="Bob" class="tref internalDFN">
+Bob
+</a>
+
+'s
+<a href="#dfn-client" title="Client" class="tref internalDFN">
+Client
+</a>
+<em title="must" class="rfc2119">
+must
+</em>
+open
+a
+TLS
+[
+<cite>
+<a href="#bib-RFC5246" rel="biblioentry" class="bibref">
+RFC5246
+</a>
+</cite>
+]
+connection
+with
+the
+server
+which
+authenticates
+itself
+using
+well
+known
+TLS
+mechanisms.
+This
+<em title="may" class="rfc2119">
+may
+</em>
+
+be
+done
+as
+the
+first
+part
+of
+an
+HTTPS
+connection
+[
+<cite>
+<a href="#bib-HTTP-TLS" rel="biblioentry" class="bibref">
+HTTP-TLS
+</a>
+</cite>
+].
+</li>
+<li>
+Once
+the
+Transport
+Layer
+Security
+[TLS]
+has
+been
+set
+up,
+the
+application
+protocol
+exchange
+can
+start.
+If
+the
+protocol
+is
+HTTP
+then
+the
+client
+can
+request
+an
+HTTP
+GET,
+PUT,
+POST,
+DELETE,
+...
+action
+on
+a
+resource
+as
+detailed
+by
+[
+<cite>
+<a href="#bib-HTTP11" rel="biblioentry" class="bibref">
+HTTP11
+</a>
+</cite>
+].
+The
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+
+Guard
+</a>
+can
+then
+intercept
+that
+request
+and
+by
+checking
+some
+access
+control
+rules
+determine
+if
+the
+client
+needs
+authentication.
+We
+will
+consider
+the
+case
+here
+where
+the
+client
+does
+need
+to
+be
+authenticated.
+</li>
+<li>
+The
+Guard
+<em title="must" class="rfc2119">
+must
+</em>
+requests
+the
+client
+to
+authenticate
+itself
+using
+public
+key
+cryptography
+by
+signing
+a
+token
+with
+its
+private
+key
+and
+have
+the
+Client
+send
+its
+Certificate.
+This
+has
+been
+carefully
+defined
+in
+the
+TLS
+protocol
+and
+can
+be
+summarised
+by
+the
+following
+steps:
+<ol>
+<li>
+The
+guard
+requests
+of
+the
+TLS
+agent
+that
+it
+make
+a
+Certificate
+Request
+to
+the
+client.
+The
+TLS
+layer
+does
+this.
+Because
+the
+WebID
+protocol
+does
+not
+rely
+on
+Certificate
+Authorities
+to
+verify
+the
+contents
+of
+the
+<a href="#dfn-certificate" title="Certificate" class="tref internalDFN">
+Certificate
+</a>,
+the
+TLS
+Agent
+can
+ask
+for
+any
+Certificate
+from
+the
+Client.
+More
+details
+in
+<a href="#requesting-the-client-certificate">
+
+Requesting
+the
+Client
+Certificate
+</a>
+</li>
+<li>
+The
+Client
+asks
+Bob
+to
+choose
+a
+certificate
+if
+the
+choice
+has
+not
+been
+automated.
+We
+will
+assume
+that
+Bob
+does
+choose
+a
+<a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN">
+WebID
+Certificate
+</a>
+and
+sends
+it
+to
+the
+client.
+</li>
+<li>
+The
+<a title="TLS_Agent" class="tref">
+TLS
+Agent
+</a>
+<em title="must" class="rfc2119">
+must
+
+</em>
+verify
+that
+the
+client
+is
+indeed
+in
+<del class="diff-old">posession
+</del>
+<ins class="diff-chg">possession
+</ins>
+of
+the
+private
+key.
+What
+is
+important
+here
+is
+that
+the
+TLS
+Agent
+need
+not
+know
+the
+Issuer
+of
+the
+Certificate,
+or
+need
+not
+have
+any
+trust
+relation
+with
+the
+Issuer.
+Indeed
+if
+the
+TLS
+Layer
+could
+verify
+the
+signature
+of
+the
+Issuer
+and
+trusted
+the
+statements
+it
+signed,
+then
+step
+4
+and
+5
+would
+not
+be
+needed
+-
+other
+than
+perhaps
+as
+a
+way
+to
+verify
+that
+the
+key
+was
+still
+valid.
+</li>
+<li>
+The
+<a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN">
+WebID
+Certificate
+</a>
+is
+then
+passed
+on
+to
+the
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+Guard
+</a>
+
+with
+the
+proviso
+that
+the
+WebIDs
+still
+needs
+to
+be
+verified.
+</li>
+</ol>
+</li>
+<li>
+The
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+Guard
+</a>
+then
+<em title="must" class="rfc2119">
+must
+</em>
+ask
+the
+<del class="diff-old">Verfication
+</del>
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+
+<ins class="diff-chg">Verification
+</ins>
+Agent
+</a>
+to
+verify
+that
+the
+WebIDs
+do
+identify
+the
+agent
+who
+knows
+the
+given
+public
+key.
+</li>
+<li>
+The
+WebID
+is
+verified
+by
+looking
+up
+the
+definition
+of
+the
+URL
+at
+its
+canonical
+location.
+This
+can
+be
+done
+by
+dereferencing
+it.
+The
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+<em title="must" class="rfc2119">
+must
+</em>
+extract
+the
+<a href="#dfn-public_key" title="public_key" class="tref internalDFN">
+public
+key
+
+</a>
+and
+all
+the
+URI
+entries
+contained
+in
+the
+<code>
+Subject
+Alternative
+Name
+</code>
+extension
+of
+the
+<a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN">
+WebID
+Certificate
+</a>.
+A
+<a href="#dfn-webid_certificate" title="WebID_Certificate" class="tref internalDFN">
+WebID
+Certificate
+</a>
+<em title="may" class="rfc2119">
+may
+</em>
+contain
+multiple
+URI
+entries
+which
+are
+considered
+claimed
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+
+WebID
+</a>
+s
+at
+this
+point,
+since
+they
+have
+not
+been
+verified.
+The
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+may
+verify
+as
+many
+or
+as
+few
+WebIDs
+it
+has
+time
+for.
+It
+may
+do
+it
+in
+parallel
+and
+asynchronously.
+However
+that
+is
+done,
+a
+claimed
+WebIDs
+can
+only
+be
+considered
+verified
+if
+the
+following
+steps
+have
+been
+accomplished
+successfully:
+</li>
+<ol>
+<li>
+If
+the
+<a href="#dfn-webid_verifier" title="WebID_Verifier" class="tref internalDFN">
+WebID
+Verifier
+</a>
+does
+not
+have
+an
+up
+to
+date
+version
+of
+the
+WebID
+profile
+in
+the
+cache,
+then
+it
+<em title="must" class="rfc2119">
+must
+
+</em>
+dereference
+the
+WebID
+using
+the
+canonical
+method
+for
+dereferencing
+a
+URL
+of
+that
+scheme.
+For
+an
+https://...
+WebID
+this
+would
+be
+done
+using
+the
+[
+<cite>
+<a href="#bib-HTTP-TLS" rel="biblioentry" class="bibref">
+HTTP-TLS
+</a>
+</cite>
+]
+protocol.
+</li>
+<li>
+The
+returned
+representation
+is
+then
+transformed
+into
+an
+RDF
+graph
+as
+specified
+in
+<a href="#processing-the-webid-profile">
+Processing
+the
+WebID
+Profile
+</a>
+</li>
+
+<li>
+That
+graph
+is
+then
+queried
+as
+explained
+in
+<a href="#querying-the-graph">
+Querying
+the
+Graph
+</a>.
+If
+the
+query
+succeeds,
+then
+that
+WebID
+is
+verified.
+</li>
+</ol>
+<li>
+With
+the
+set
+of
+verified
+<del class="diff-old">WebIds
+</del>
+<ins class="diff-chg">WebIDs
+</ins>
+the
+Guard
+can
+then
+check
+its
+access
+control
+rules
+using
+information
+from
+the
+web
+and
+other
+information
+available
+to
+it,
+to
+verify
+if
+the
+referent
+of
+the
+WebID
+is
+indeed
+allowed
+access
+to
+the
+protected
+resource.
+The
+exact
+nature
+of
+those
+Access
+Control
+Rules
+is
+left
+for
+another
+specification.
+Suffice
+it
+to
+say
+that
+it
+can
+be
+something
+as
+simple
+as
+a
+lookup
+in
+a
+table.
+</li>
+<li>
+If
+access
+is
+granted,
+then
+the
+guard
+can
+pass
+on
+the
+request
+to
+the
+protected
+resource,
+which
+can
+then
+interact
+unimpeded
+with
+the
+client.
+
+</li>
+</ol>
+<ol>
+</ol>
+</div>
+<div about="#authentication-sequence-details" typeof="bibo:Chapter" id="authentication-sequence-details" class="normative section">
+<h3>
+<span class="secno">
+3.2
+</span>
+Authentication
+Sequence
+Details
+</h3>
+<p>
+This
+section
+covers
+details
+about
+each
+step
+in
+the
+authentication
+process.
+</p>
+<div about="#initiating-a-tls-connection" typeof="bibo:Chapter" id="initiating-a-tls-connection" class="normative section">
+<h4>
+
+<span class="secno">
+3.2.1
+</span>
+Initiating
+a
+TLS
+Connection
+</h4>
+<p>
+Standard
+SSLv3
+and
+TLSv1
+and
+upwards
+can
+be
+used
+to
+establish
+the
+connection
+between
+the
+Client
+and
+the
+TLS
+Agent
+listening
+on
+the
+Service's
+port.
+</p>
+<p class="note">
+Many
+servers
+allow
+a
+simple
+form
+of
+TLS
+client
+side
+authentication
+to
+be
+setup
+when
+configuring
+a
+<a title="TLS_Agent" class="tref">
+TLS
+Agent
+</a>:
+they
+permit
+the
+agent
+to
+be
+authenticated
+in
+WANT
+or
+NEED
+mode.
+If
+the
+client
+sends
+a
+certificate,
+then
+neither
+of
+these
+have
+an
+impact
+on
+the
+<a title="WebID_Verification" class="tref">
+WebID
+Verification
+</a>
+steps
+(4)
+and
+(5).
+Nevertheless,
+from
+a
+user
+interaction
+perspective
+both
+of
+these
+are
+problematic
+as
+they
+either
+force
+(NEED)
+or
+ask
+the
+user
+to
+authenticate
+himself
+even
+if
+the
+resource
+he
+wishes
+to
+interact
+with
+is
+public
+and
+requires
+no
+authentication.
+People
+don't
+usually
+feel
+comfortable
+authenticating
+to
+a
+web
+site
+on
+the
+basis
+of
+a
+certificate
+alone.
+They
+prefer
+human
+readable
+text,
+and
+detailed
+error
+messages
+which
+the
+HTTP
+layer
+deliver.
+It
+is
+better
+to
+move
+the
+authentication
+to
+the
+application
+layer
+
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+Guard
+</a>
+as
+it
+has
+a
+lot
+more
+information
+about
+the
+application
+state.
+Please
+see
+the
+<a href="http://www.w3.org/2005/Incubator/webid/wiki/">
+WebID
+Wiki
+</a>
+for
+implementation
+pointers
+in
+different
+programming
+languages
+and
+platforms
+to
+learn
+about
+how
+this
+can
+be
+done
+and
+to
+share
+your
+experience.
+</p>
+</div>
+<div about="#connecting-at-the-application-layer" typeof="bibo:Chapter" id="connecting-at-the-application-layer" class="normative section">
+<h4>
+<span class="secno">
+3.2.2
+</span>
+Connecting
+at
+the
+Application
+Layer
+</h4>
+
+<p>
+Once
+the
+TLS
+connection
+has
+been
+setup,
+the
+application
+layer
+protocol
+interaction
+can
+start.
+This
+could
+be
+an
+HTTP
+GET
+request
+on
+the
+protected
+resource
+for
+example.
+</p>
+<p>
+If
+the
+protocol
+permits
+it,
+the
+Client
+can
+let
+the
+Application
+layer,
+and
+especially
+the
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+Guard
+</a>
+know
+that
+the
+client
+can
+authenticate
+with
+a
+WebID
+Certificate,
+and
+even
+if
+it
+wishes
+to
+do
+so.
+This
+may
+be
+useful
+both
+to
+allow
+the
+Server
+to
+know
+that
+it
+can
+request
+the
+client
+certificate,
+and
+also
+in
+order
+to
+make
+life
+easier
+for
+Robots
+that
+may
+find
+it
+a
+lot
+more
+convenient
+to
+be
+authenticated
+at
+the
+TLS
+layer.
+</p>
+<p class="issue">
+Bergi
+proposed
+a
+header
+for
+HTTP
+which
+could
+do
+this.
+Please
+summarise
+it.
+</p>
+</div>
+<div about="#requesting-the-client-certificate" typeof="bibo:Chapter" id="requesting-the-client-certificate" class="normative section">
+<h4>
+<span class="secno">
+
+3.2.3
+</span>
+Requesting
+the
+Client
+Certificate
+</h4>
+<p>
+TLS
+allows
+the
+server
+to
+request
+a
+Certificate
+from
+the
+Client
+using
+the
+<code>
+CertificateRequest
+</code>
+message
+[section
+7.4.4]
+of
+TLS
+v1.1
+[
+<cite>
+<a href="#bib-RFC5246" rel="biblioentry" class="bibref">
+RFC5246
+</a>
+</cite>
+].
+Since
+WebID
+TLS
+authentication
+does
+not
+rely
+on
+CA's
+signing
+the
+certificate
+to
+verify
+the
+WebID
+Claims
+made
+therein,
+the
+Server
+does
+not
+need
+to
+restrict
+the
+certificate
+it
+receives
+by
+the
+CA's
+they
+were
+signed
+by.
+It
+can
+therefore
+leave
+the
+<code>
+
+certificate_authorities
+</code>
+field
+blank
+in
+the
+request.
+</p>
+<p class="note">
+From
+our
+experience
+leaving
+the
+certificate_authorities
+field
+empty
+leads
+to
+the
+correct
+behavior
+on
+all
+browsers
+and
+all
+TLS
+versions.
+</p>
+<p class="note">
+A
+security
+issue
+with
+TLS
+renegotiation
+was
+discovered
+in
+2009,
+and
+an
+IETF
+fix
+was
+proposed
+in
+[
+<cite>
+<a href="#bib-RFC5746" rel="biblioentry" class="bibref">
+RFC5746
+</a>
+</cite>
+]
+which
+is
+widely
+implemented.
+</p>
+<p>
+
+If
+the
+Client
+does
+not
+send
+a
+certificate,
+because
+either
+it
+does
+not
+have
+one
+or
+it
+does
+not
+wish
+to
+send
+one,
+other
+authentication
+procedures
+can
+be
+pursued
+at
+the
+application
+layer
+with
+protocols
+such
+as
+OpenID,
+OAuth,
+BrowserID,
+etc...
+</p>
+<p>
+As
+far
+as
+possible
+it
+is
+important
+for
+the
+server
+to
+request
+the
+client
+certificate
+in
+<code>
+WANT
+</code>
+mode,
+not
+in
+<code>
+NEED
+</code>
+mode.
+If
+the
+request
+is
+made
+in
+<code>
+NEED
+</code>
+mode
+then
+connections
+will
+be
+broken
+off
+if
+the
+client
+does
+not
+send
+a
+certificate.
+This
+will
+break
+the
+connection
+at
+the
+application
+protocol
+layer,
+and
+so
+will
+lead
+to
+a
+very
+bad
+user
+experience.
+The
+server
+should
+<del class="diff-old">therfore
+
+</del>
+<ins class="diff-chg">therefore
+</ins>
+avoid
+doing
+this
+unless
+it
+can
+be
+confident
+that
+the
+client
+has
+a
+certificate
+-
+which
+it
+may
+be
+because
+the
+client
+advertised
+that
+in
+some
+other
+way
+to
+the
+server.
+</p>
+<p class="issue">
+Is
+there
+some
+normative
+spec
+about
+what
+NEED
+and
+WANT
+refer
+to?
+</p>
+</div>
+<div about="#verifying-the-webids" typeof="bibo:Chapter" id="verifying-the-webids" class="normative section">
+<h4>
+<span class="secno">
+3.2.4
+</span>
+<del class="diff-old">Verifiying
+</del>
+<ins class="diff-chg">Verifying
+
+</ins>
+the
+WebIDs
+</h4>
+<p>
+The
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+is
+given
+a
+list
+of
+WebIDs
+associated
+with
+a
+public
+key.
+It
+needs
+to
+verify
+that
+the
+agent
+identified
+by
+that
+WebID
+is
+indeed
+the
+agent
+that
+controls
+the
+private
+key
+of
+the
+given
+public
+key.
+It
+does
+this
+by
+looking
+up
+the
+definition
+of
+the
+WebID.
+A
+WebID
+is
+a
+URI,
+and
+it's
+meaning
+can
+be
+had
+by
+dereferencing
+it
+using
+the
+protocol
+indicated
+in
+its
+scheme.
+</p>
+<p>
+If
+we
+first
+consider
+WebIDs
+with
+fragment
+identifiers,
+we
+can
+explain
+the
+logic
+of
+this
+as
+follows.
+As
+is
+explained
+in
+the
+RFC
+defining
+URIs
+[
+<cite>
+<a href="#bib-RFC3986" rel="biblioentry" class="bibref">
+RFC3986
+</a>
+</cite>
+
+]
+</p>
+<blockquote>
+The
+fragment
+identifier
+component
+of
+a
+URI
+allows
+indirect
+identification
+of
+a
+secondary
+resource
+by
+reference
+to
+a
+primary
+resource
+and
+additional
+identifying
+information.
+The
+identified
+secondary
+resource
+may
+be
+some
+portion
+or
+subset
+of
+the
+primary
+resource,
+some
+view
+on
+representations
+of
+the
+primary
+resource,
+or
+some
+other
+resource
+defined
+or
+described
+by
+those
+representations.
+[...]
+The
+semantics
+of
+a
+fragment
+identifier
+are
+defined
+by
+the
+set
+of
+representations
+that
+might
+result
+from
+a
+retrieval
+action
+on
+the
+primary
+resource.
+</blockquote>
+<p>
+In
+order
+therefore
+to
+know
+the
+meaning
+of
+WebID
+containing
+a
+fragment
+identifier,
+one
+needs
+to
+dereference
+the
+resource
+referred
+to
+without
+the
+fragment
+identifier.
+This
+resource
+will
+describe
+the
+referent
+of
+the
+WebID
+in
+some
+way.
+If
+it
+says
+that
+the
+referent
+of
+the
+WebID
+is
+the
+agent
+that
+controls
+the
+private
+key
+of
+the
+given
+public
+key,
+then
+this
+is
+a
+definite
+description
+that
+can
+be
+considered
+to
+be
+a
+definition
+of
+the
+WebID:
+it
+gives
+its
+meaning.
+</p>
+<p>
+The
+trust
+that
+can
+be
+had
+in
+that
+statement
+is
+therefore
+the
+trust
+that
+one
+can
+have
+in
+one's
+having
+received
+the
+correct
+representation
+of
+the
+document
+that
+defined
+that
+WebID.
+An
+<del class="diff-old">https
+</del>
+<ins class="diff-chg">HTTPS
+</ins>
+WebID
+will
+therefore
+be
+a
+lot
+more
+trustworthy
+than
+an
+<del class="diff-old">https
+</del>
+
+<ins class="diff-chg">HTTP
+</ins>
+WebID
+by
+a
+factor
+of
+the
+<del class="diff-old">likelyhood
+</del>
+<ins class="diff-chg">likelihood
+</ins>
+of
+man
+in
+the
+middle
+attacks.
+</p>
+<p>
+Once
+that
+is
+proven
+then
+the
+trust
+one
+can
+have
+in
+the
+agent
+at
+the
+end
+of
+the
+TLS
+connection
+being
+the
+referent
+of
+the
+WebID
+is
+related
+to
+the
+trust
+one
+has
+in
+the
+cryptography,
+and
+the
+<del class="diff-old">likelyhood
+</del>
+<ins class="diff-chg">likelihood
+</ins>
+that
+the
+private
+key
+could
+have
+been
+stolen.
+</p>
+
+<p class="issue">
+Add
+explanation
+for
+URI
+with
+redirect.
+</p>
+<div about="#processing-the-webid-profile" typeof="bibo:Chapter" id="processing-the-webid-profile" class="normative section">
+<h5>
+<span class="secno">
+3.2.4.1
+</span>
+Processing
+the
+WebID
+Profile
+</h5>
+<p>
+<del class="diff-old">So
+the
+</del>
+<ins class="diff-chg">The
+</ins>
+Verification
+Agent
+needs
+to
+fetch
+the
+document,
+if
+it
+does
+not
+have
+a
+valid
+one
+in
+cache.
+<ins class="diff-chg">The
+
+</ins><a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+<em title="must" class="rfc2119">
+must
+</em>
+be
+able
+to
+process
+documents
+in
+RDF/XML
+[
+<cite>
+<a href="#bib-RDF-SYNTAX-GRAMMAR" rel="biblioentry" class="bibref">
+RDF-SYNTAX-GRAMMAR
+</a>
+</cite>
+]
+and
+RDFa
+in
+XHTML
+[
+<cite>
+<a href="#bib-XHTML-RDFA" rel="biblioentry" class="bibref">
+XHTML-RDFA
+</a>
+
+</cite>
+].
+The
+result
+of
+this
+processing
+should
+be
+a
+graph
+of
+RDF
+relations
+that
+is
+queryable,
+as
+explained
+in
+the
+next
+section.
+</p>
+<p class="note">
+It
+is
+suggested
+that
+the
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+should
+set
+the
+Accept-Header
+to
+request
+<code>
+application/rdf+xml
+</code>
+with
+a
+higher
+priority
+than
+<code>
+text/html
+</code>
+and
+
+<code>
+application/xhtml+xml
+</code>.
+The
+reason
+is
+that
+it
+is
+quite
+likely
+that
+many
+sites
+will
+produce
+non
+marked
+up
+<del class="diff-old">html
+</del>
+<ins class="diff-chg">HTML
+</ins>
+and
+leave
+the
+graph
+to
+the
+pure
+rdf
+formats.
+</p>
+<p>
+<ins class="diff-new">If
+the
+</ins><a href="#dfn-guard" title="Guard" class="tref internalDFN"><ins class="diff-new">
+Guard
+</ins></a><ins class="diff-new">
+wishes
+to
+have
+the
+most
+up-to-date
+Profile
+document
+for
+an
+HTTPS
+URL,
+it
+can
+use
+the
+HTTP
+cache
+control
+headers
+to
+get
+the
+latest
+versions.
+</ins></p>
+</div>
+
+<div about="#verifying-the-webid-claim" typeof="bibo:Chapter" id="verifying-the-webid-claim" class="normative section">
+<h5>
+<span class="secno">
+3.2.4.2
+</span>
+Verifying
+the
+WebID
+Claim
+</h5>
+<p>
+To
+check
+a
+WebID
+claim
+one
+has
+to
+find
+if
+the
+graph
+returned
+by
+the
+profile
+relates
+the
+<a href="#dfn-webid" title="WebID" class="tref internalDFN">
+WebID
+</a>
+to
+the
+<a href="#dfn-certificate" title="Certificate" class="tref internalDFN">
+Certificate
+</a>
+<a href="#dfn-public_key" title="Public_Key" class="tref internalDFN">
+
+Public
+Key
+</a>
+with
+the
+<code>
+cert:key
+</code>
+relation.
+In
+other
+words
+one
+has
+to
+check
+if
+those
+statements
+are
+present
+in
+the
+graph.
+</p>
+<div about="#verifying-the-webid-claim-with-sparql" typeof="bibo:Chapter" class="normative section">
+<h6 id="verifying-the-webid-claim-with-sparql">
+<ins class="diff-new">Verifying
+the
+WebID
+Claim
+with
+SPARQL
+</ins></h6>
+<p>
+Testing
+for
+patterns
+in
+graphs
+is
+what
+the
+SPARQL
+query
+language
+is
+designed
+to
+do
+[
+<cite>
+<a href="#bib-RDF-SPARQL-QUERY" rel="biblioentry" class="bibref">
+RDF-SPARQL-QUERY
+
+</a>
+</cite>
+].
+We
+will
+first
+look
+at
+how
+to
+use
+this
+as
+it
+is
+also
+the
+simplest
+method,
+and
+then
+what
+some
+other
+programmatic
+options
+may
+be.
+</p>
+<p>
+Below
+is
+the
+SPARQL
+Query
+Template
+which
+should
+be
+used
+for
+an
+RSA
+public
+key.
+It
+contains
+three
+variables
+<code>
+?webid
+</code>,
+<code>
+?mod
+</code>
+and
+<code>
+?exp
+</code>
+that
+need
+to
+be
+replaced
+by
+the
+appropriate
+values:
+
+</p>
+<del class="diff-old">PREFIX : <http://www.w3.org/ns/auth/cert#>
+PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
+ASK {
+ ?webid :key [
+ :modulus ?mod;
+ :exponent ?exp;
+ ] .
+}
+</del>
+<pre style="word-wrap: break-word; white-space: pre-wrap;">PREFIX : <http://www.w3.org/ns/auth/cert#>
+<ins class="diff-chg">PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
+ASK {
+ ?webid :key [
+ :modulus ?mod;
+ :exponent ?exp;
+ ] .
+}
+</ins>
+
+</pre>
+<p>
+The
+variables
+to
+be
+replaced
+for
+each
+WebID
+claim
+are:
+</p>
+<table style="text-align: left; border-color: rgb(0, 0, 0); border-collapse: collapse; word=wrap: break-word; white-psace: pre-wrap" border="1" cellpadding="5">
+<thead>
+<tr>
+<th>
+Variable
+</th>
+<th>
+Details
+on
+its
+value.
+</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+
+<td>
+<code>
+?webid
+</code>
+</td>
+<td>
+should
+be
+replaced
+by
+the
+WebID
+Resource.
+In
+the
+SPARQL
+notation
+that
+is
+the
+URL
+string
+would
+be
+placed
+between
+<code>
+<...>
+</code>
+in
+the
+position
+of
+the
+<code>
+?webid
+</code>
+variable.
+</td>
+
+</tr>
+<tr>
+<td>
+<code>
+?mod
+</code>
+</td>
+<td>
+should
+be
+replaced
+by
+the
+modulus
+written
+as
+a
+xsd:hexBinary
+as
+specified
+by
+the
+<a href="http://www.w3.org/ns/auth/cert#modulus">
+cert:modulus
+</a>
+relation.
+All
+leading
+double
+0
+bytes
+(written
+"00"
+in
+hexadecimal)
+should
+be
+removed.
+The
+resulting
+<del class="diff-old">hexadecmial
+</del>
+<ins class="diff-chg">hexadecimal
+</ins>
+
+should
+then
+be
+placed
+in
+the
+space
+of
+the
+XXX
+in
+<code>
+"XXX"^^xsd:hexBinary
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>
+?exp
+</code>
+</td>
+<td>
+should
+be
+replaced
+by
+the
+public
+exponent
+written
+as
+an
+xsd:integer
+typed
+literal.
+In
+SPARQL
+as
+in
+Turtle
+notation
+this
+can
+just
+be
+written
+directly
+as
+an
+integer.
+</td>
+</tr>
+</tbody>
+
+</table>
+<p>
+Assuming
+that
+we
+received
+Bob's
+key
+whose
+modulus
+starts
+with
+<code>
+cb24ed85d64d794b6...
+</code>
+and
+whose
+exponent
+is
+<code>
+65537
+</code>
+then
+the
+following
+query
+should
+be
+used:
+</p>
+<del class="diff-old">PREFIX : <http://www.w3.org/ns/auth/cert#>
+PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
+
+ASK {
+ <https://bob.example/profile#me> :key [
+ :modulus "cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1"^^xsd:hexBinary;
+ :exponent 65537;
+ ] .
+</del>
+<pre class="example" style="word-wrap: break-word; white-space: pre-wrap;">PREFIX : <http://www.w3.org/ns/auth/cert#>
+<ins class="diff-chg">PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
+ASK {
+ <https://bob.example/profile#me> :key [
+ :modulus "cb24ed85d64d794b69c701c186acc059501e856000f661c93204d8380e07191c5c8b368d2ac32a428acb970398664368dc2a867320220f755e99ca2eecdae62e8d15fb58e1b76ae59cb7ace8838394d59e7250b449176e51a494951a1c366c6217d8768d682dde78dd4d55e613f8839cf275d4c8403743e7862601f3c49a6366e12bb8f498262c3c77de19bce40b32f89ae62c3780f5b6275be337e2b3153ae2ba72a9975ae71ab724649497066b660fcf774b7543d980952d2e8586200eda4158b014e75465d91ecf93efc7ac170c11fc7246fc6ded79c37780000ac4e079f671fd4f207ad770809e0e2d7b0ef5493befe73544d8e1be3dddb52455c61391a1"^^xsd:hexBinary;
+ :exponent 65537;
+ ] .
+</ins>
+}
+
+</pre>
+<p>
+An
+ASK
+query
+simply
+returns
+true
+or
+false.
+If
+it
+returns
+true,
+then
+the
+key
+was
+found
+in
+the
+graph
+with
+the
+proper
+relation
+and
+the
+claim
+<del class="diff-old">has
+been
+</del>
+<ins class="diff-chg">is
+</ins>
+verified.
+</p>
+<del class="diff-old">The
+public
+key
+could
+</del>
+<p>
+<ins class="diff-chg">In
+order
+to
+allow
+the
+class
+of
+queries
+defined
+by
+the
+template
+above
+to
+return
+true
+when
+asked
+of
+graphs
+where
+the
+hexBinary
+or
+the
+exponent
+contains
+whitespace
+characters
+in
+initial
+and
+final
+position,
+the
+query
+engine
+</ins><em title="must" class="rfc2119"><ins class="diff-chg">
+must
+</ins></em><ins class="diff-chg">
+support
+the
+D-entailment
+regime
+for
+
+</ins><code><ins class="diff-chg">
+xsd:hexBinary
+</ins></code><ins class="diff-chg">
+and
+</ins><code><ins class="diff-chg">
+xsd:integer
+</ins></code><ins class="diff-chg">
+as
+specified
+in
+</ins><a href="http://www.w3.org/TR/sparql11-entailment/#DEntRegime"><ins class="diff-chg">
+SPARQL
+1.1
+Entailment
+Regimes
+</ins></a>.</p><p><ins class="diff-chg">
+For
+verifiers
+that
+do
+not
+have
+access
+to
+a
+SPARQL
+query
+engine
+but
+can
+query
+the
+RDF
+data
+programmatically,
+it
+is
+relatively
+easy
+to
+emulate
+the
+above
+SPARQL
+query
+programmatically.
+There
+are
+a
+number
+of
+ways
+of
+doing
+this,
+some
+more
+efficient
+than
+others.
+</ins></p><p></p></div><div about="#verifying-the-webid-claim-without-sparql" typeof="bibo:Chapter" class="normative section"><h6 id="verifying-the-webid-claim-without-sparql"><ins class="diff-chg">
+Verifying
+the
+WebID
+claim
+without
+SPARQL
+</ins></h6><p><ins class="diff-chg">
+If
+the
+RDF
+library
+does
+datatype
+normalisation
+of
+all
+literals
+before
+loading
+them,
+then
+the
+most
+efficient
+way
+to
+execute
+this
+would
+
+</ins>
+be
+<ins class="diff-new">to
+start
+by
+searching
+for
+all
+triples
+whose
+subjects
+have
+relation
+</ins><code><ins class="diff-new">
+cert:modulus
+</ins></code><ins class="diff-new">
+to
+the
+literal
+which
+in
+our
+example
+was
+</ins><code><ins class="diff-new">
+"cb24ed..."^^xsd:hexBinary
+</ins></code>.<ins class="diff-new">
+One
+would
+then
+iterate
+through
+all
+the
+subjects
+of
+the
+relations
+that
+satisfied
+that
+condition,
+which
+would
+most
+likely
+never
+number
+more
+than
+one,
+and
+from
+there
+filter
+out
+all
+those
+that
+were
+the
+object
+of
+the
+</ins><code><ins class="diff-new">
+cert:modulus
+</ins></code><ins class="diff-new">
+relation
+of
+the
+</ins><a href="#dfn-webid" title="WebID" class="tref internalDFN"><ins class="diff-new">
+
+WebID
+</ins></a><ins class="diff-new">
+-
+in
+the
+example
+</ins><code><ins class="diff-new">
+bob:me
+</ins></code>.<ins class="diff-new">
+Finally
+one
+would
+verify
+that
+one
+of
+the
+keys
+that
+had
+satisfied
+those
+relations
+also
+had
+the
+</ins><code><ins class="diff-new">
+cert:exponent
+</ins></code><ins class="diff-new">
+relation
+to
+the
+number
+which
+in
+the
+example
+above
+is
+</ins><code><ins class="diff-new">
+"65537"^^xsd:integer
+</ins></code>.</p><p><ins class="diff-new">
+For
+triples
+stores
+that
+do
+not
+normalise
+literals
+on
+loading
+
+</ins>
+a
+<del class="diff-old">DSA
+key.
+We
+</del>
+<ins class="diff-chg">graph,
+the
+normalization
+will
+</ins>
+need
+to
+<del class="diff-old">add
+an
+ontology
+for
+DSA
+too.
+</del>
+<ins class="diff-chg">be
+done
+after
+the
+query
+results
+and
+before
+matching
+those
+with
+the
+values
+from
+the
+</ins><a href="#dfn-certificate" title="Certificate" class="tref internalDFN"><ins class="diff-chg">
+Certificate
+</ins></a>.<ins class="diff-chg">
+Because
+one
+could
+not
+rely
+on
+the
+modulus
+having
+been
+normalized,
+one
+would
+have
+to
+start
+with
+the
+</ins><a href="#dfn-webid" title="WebID" class="tref internalDFN"><ins class="diff-chg">
+WebID
+
+</ins></a><ins class="diff-chg">
+-
+</ins><code><ins class="diff-chg">
+bob:me
+</ins></code><ins class="diff-chg">
+and
+find
+all
+it's
+</ins><code><ins class="diff-chg">
+cert:key
+</ins></code><ins class="diff-chg">
+relations
+to
+objects
+-
+which
+we
+know
+to
+be
+keys
+-
+and
+then
+iterate
+through
+each
+of
+those
+keys'
+modulus
+and
+exponent,
+and
+verify
+if
+the
+normalised
+version
+of
+the
+value
+of
+those
+relation
+is
+equal
+to
+the
+numbers
+found
+in
+the
+certificate.
+If
+one
+such
+key
+is
+found
+then
+the
+answer
+is
+</ins><code><ins class="diff-chg">
+true
+</ins></code>,<ins class="diff-chg">
+otherwise
+the
+answer
+will
+be
+</ins><code><ins class="diff-chg">
+false
+
+</ins></code>.
+</p>
+</div>
+</div>
+<div about="#authorization" typeof="bibo:Chapter" id="authorization" class="normative section">
+<h5>
+<span class="secno">
+<del class="diff-old">3.2.5
+</del>
+<ins class="diff-chg">3.2.4.3
+</ins>
+</span>
+Authorization
+</h5>
+<p>
+The
+Authorization
+step
+may
+be
+as
+simple
+as
+just
+allowing
+everybody
+read
+access.
+The
+authentication
+phase
+may
+then
+just
+have
+been
+useful
+in
+order
+to
+gain
+some
+extra
+information
+from
+the
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+
+WebID
+Profile
+</a>
+in
+order
+to
+personalise
+a
+site.
+</p>
+<p>
+Once
+the
+<a href="#dfn-guard" title="Guard" class="tref internalDFN">
+Guard
+</a>
+has
+a
+WebID
+he
+can
+do
+a
+lookup
+in
+a
+database
+to
+see
+if
+the
+agent
+is
+allowed
+the
+required
+access
+to
+the
+given
+resource.
+Up
+to
+this
+point
+we
+are
+not
+much
+more
+advanced
+that
+with
+a
+user
+name
+and
+password,
+except
+that
+the
+user
+did
+not
+have
+to
+create
+an
+account
+on
+Alice's
+server
+to
+identify
+himself
+and
+that
+the
+server
+has
+some
+claimed
+attributes
+to
+personalise
+the
+site
+for
+the
+requestor.
+But
+the
+interesting
+thing
+about
+such
+a
+WebID
+is
+that
+because
+it
+is
+a
+global
+linkable
+URI,
+one
+can
+build
+webs
+of
+trust
+that
+can
+be
+crawled
+the
+same
+way
+the
+web
+can
+be
+crawled:
+by
+following
+links
+from
+one
+document
+to
+another.
+It
+is
+<del class="diff-old">therfore
+</del>
+<ins class="diff-chg">therefore
+</ins>
+possible
+to
+have
+very
+flexible
+access
+control
+rules
+where
+parts
+of
+the
+space
+of
+the
+user's
+machine
+is
+given
+access
+to
+friend
+and
+those
+friends
+friends
+(FOAF),
+stated
+by
+them
+at
+their
+domains.
+It
+is
+even
+be
+possible
+to
+allow
+remote
+agents
+to
+define
+their
+own
+access
+control
+rules
+for
+parts
+of
+the
+machine's
+namespace.
+There
+are
+too
+many
+possibilities
+to
+list
+them
+all
+here.
+</p>
+</div>
+
+</div>
+<div about="#the-webid-profile" typeof="bibo:Chapter" id="the-webid-profile" class="normative section">
+<h4>
+<span class="secno">
+<del class="diff-old">3.3
+</del>
+<ins class="diff-chg">3.2.5
+</ins>
+</span>
+The
+WebID
+Profile
+</h4>
+<p>
+The
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>
+is
+a
+structured
+document
+that
+contains
+identification
+credentials
+for
+the
+
+<a title="Identification_Agent" class="tref">
+Identification
+Agent
+</a>
+expressed
+using
+the
+Resource
+Description
+Framework
+[
+<cite>
+<a href="#bib-RDF-CONCEPTS" rel="biblioentry" class="bibref">
+RDF-CONCEPTS
+</a>
+</cite>
+].
+The
+following
+sections
+describe
+how
+to
+express
+certain
+common
+properties
+that
+could
+be
+used
+by
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+s
+and
+other
+entities
+that
+consume
+a
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>.
+
+</p>
+<div about="#personal-information" typeof="bibo:Chapter" id="personal-information" class="normative section">
+<h5>
+<span class="secno">
+<del class="diff-old">3.3.1
+</del>
+<ins class="diff-chg">3.2.5.1
+</ins>
+</span>
+Personal
+Information
+</h5>
+<p>
+Personal
+details
+are
+the
+most
+common
+requirement
+when
+registering
+an
+account
+with
+a
+website.
+Some
+of
+these
+pieces
+of
+information
+include
+an
+e-mail
+address,
+a
+name
+and
+perhaps
+an
+avatar
+image.
+This
+section
+includes
+properties
+that
+<em title="should" class="rfc2119">
+should
+</em>
+be
+used
+when
+conveying
+key
+pieces
+of
+personal
+information
+but
+are
+
+<em title="not required" class="rfc2119">
+not
+required
+</em>
+to
+be
+present
+in
+a
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>:
+</p>
+<dl>
+<dt>
+foaf:mbox
+</dt>
+<dd>
+The
+e-mail
+address
+that
+is
+associated
+with
+the
+WebID
+URI.
+</dd>
+<dt>
+foaf:name
+
+</dt>
+<dd>
+The
+name
+that
+is
+most
+commonly
+used
+to
+refer
+to
+the
+individual
+or
+agent.
+</dd>
+<dt>
+foaf:depiction
+</dt>
+<dd>
+An
+image
+representation
+of
+the
+individual
+or
+agent.
+</dd>
+</dl>
+</div>
+<div about="#cryptographic-details" typeof="bibo:Chapter" id="cryptographic-details" class="normative section">
+<h5>
+<span class="secno">
+<del class="diff-old">3.3.2
+</del>
+
+<ins class="diff-chg">3.2.5.2
+</ins>
+</span>
+Cryptographic
+Details
+</h5>
+<p>
+Cryptographic
+details
+are
+important
+when
+<a href="#dfn-verification_agent" title="Verification_Agent" class="tref internalDFN">
+Verification
+Agent
+</a>
+s
+and
+<a title="Identification_Agent" class="tref">
+Identification
+Agent
+</a>
+s
+interact.
+The
+following
+properties
+<em title="should" class="rfc2119">
+should
+
+</em>
+be
+used
+when
+conveying
+cryptographic
+information
+in
+<a href="#dfn-webid_profile" title="WebID_Profile" class="tref internalDFN">
+WebID
+Profile
+</a>
+documents:
+</p>
+<dl>
+<dt>
+cert:RSAPublicKey
+</dt>
+<dd>
+Expresses
+an
+RSA
+public
+key.
+The
+RSAPublicKey
+<em title="must" class="rfc2119">
+must
+</em>
+specify
+the
+cert:modulus
+and
+cert:exponent
+properties.
+
+</dd>
+<dt>
+cert:key
+</dt>
+<dd>
+Used
+to
+associate
+a
+WebID
+URI
+with
+an
+RSAPublicKey.
+A
+WebID
+Profile
+<em title="must" class="rfc2119">
+must
+</em>
+contain
+at
+least
+one
+RSAPublicKey
+that
+is
+associated
+with
+the
+corresponding
+WebID
+URI.
+</dd>
+</dl>
+<p class="note">
+cert:identity
+was
+previously
+used
+to
+associate
+an
+RSAPublicKey
+with
+a
+WebID
+URI.
+cert:identity
+has
+been
+deprecated
+in
+favor
+of
+its
+inverse
+property
+cert:key.
+Implementors
+are
+encouraged
+to
+publish
+WebID
+Profile
+Documents
+using
+cert:key.
+During
+this
+transitional
+period,
+implementations
+consuming
+WebID
+Profile
+Documents
+might
+still
+support
+the
+deprecated
+cert:identity
+as
+well
+as
+the
+stable
+cert:key.
+</p>
+</div>
+</div>
+
+</div>
+</div>
+<div about="#history" typeof="bibo:Chapter" class="appendix informative section" id="history">
+<h2>
+<span class="secno">
+A.
+</span>
+Change
+History
+</h2>
+<p>
+<em>
+This
+section
+is
+non-normative.
+</em>
+</p>
+<p>
+<a href="">
+<ins class="diff-new">2011-12-12
+
+</ins></a><ins class="diff-new">
+Fixed
+several
+errors
+in
+examples
+and
+diagrams,
+clarified
+TLS-Light,
+added
+SSL
+renegotiation,
+key
+chain
+and
+cache
+control,
+updated
+list
+people
+in
+acknowledgments.
+</ins></p><p><a href="http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-2011-11-23/"><ins class="diff-new">
+2011-11-23
+</ins></a><ins class="diff-new">
+Wide
+ranging
+changes:
+Rewrote
+the
+Verification
+algorithm
+now
+enhanced
+with
+a
+detailed
+sequence
+diagram.
+Moved
+to
+new
+ontology
+using
+xsd:hexBinary
+datatypes
+and
+removed
+rsa:
+ontology.
+Rewrote
+vocabulary
+section
+using
+clearer
+names.
+All
+these
+changes
+required
+serious
+rewriting
+everywhere.
+</ins></p><p>
+<a href="https://dvcs.w3.org/hg/WebID/rev/6b60d7335151">
+2011-02-10
+</a>
+Move
+to
+<a href="http://www.w3.org/2005/Incubator/webid/">
+<acronym title="World Wide Web Consortium">
+W3C
+</acronym>
+WebID
+XG
+</a>.
+Updates
+from
+previous
+unofficial
+WebID
+group
+include
+changes
+on
+RDF/XML
+publishing
+in
+HTML,
+clarification
+on
+multiple
+SAN
+URIs
+and
+WebID
+verification
+steps.
+
+</p>
+<p>
+<a href="https://dvcs.w3.org/hg/WebID/rev/dc93b6bbc538">
+2010-08-09
+</a>
+Updates
+from
+WebID
+community:
+moved
+OpenID/OAuth
+sections
+to
+separate
+document,
+switched
+to
+the
+URI
+terminology
+instead
+of
+URL,
+added
+"Creating
+the
+certificate"
+and
+"Publishing
+the
+WebID
+Profile
+document"
+sections
+with
+a
+WebID
+graph
+and
+serializations
+in
+Turtle
+and
+RDFa,
+improved
+SPARQL
+queries
+using
+literal
+notation
+with
+cert
+datatypes,
+updated
+list
+of
+contributors,
+and
+many
+other
+fixes.
+</p>
+<p>
+<a href="https://dvcs.w3.org/hg/WebID/rev/4aef27947dec">
+2010-07-25
+</a>
+Added
+WebID
+Profile
+section.
+</p>
+<p>
+<a href="https://dvcs.w3.org/hg/WebID/rev/805d44635286">
+2010-07-18
+</a>
+
+Updates
+from
+WebID
+community
+related
+to
+RDF/XML
+support,
+authentication
+sequence
+corrections,
+abstract
+and
+introduction
+updates.
+</p>
+<p>
+<a href="https://dvcs.w3.org/hg/WebID/rev/25ba7f596f07">
+2010-07-11
+</a>
+Initial
+version.
+</p>
+</div>
+<div about="#acknowledgements" typeof="bibo:Chapter" class="informative section" id="acknowledgements">
+<h2>
+<span class="secno">
+B.
+</span>
+Acknowledgments
+</h2>
+<p>
+
+<em>
+This
+section
+is
+non-normative.
+</em>
+</p>
+<p>
+The
+following
+people
+have
+been
+instrumental
+in
+providing
+thoughts,
+feedback,
+reviews,
+criticism
+and
+input
+in
+the
+creation
+of
+this
+specification:
+</p>
+<ul>
+<li>
+<ins class="diff-new">Thomas
+Bergwinkl
+</ins></li><li>
+Tim
+Berners-Lee
+</li>
+<li>
+Sarven
+Capadisli
+</li>
+<li>
+
+Melvin
+Carvalho
+</li>
+<li>
+<ins class="diff-new">Martin
+Gaedke
+</ins></li><li>
+Michael
+Hausenblas
+</li>
+<li>
+Kingsley
+Idehen
+</li>
+<li>
+Ian
+Jacobi
+</li>
+<li>
+Nathan
+Rixham
+</li>
+<li>
+
+Seth
+Russell
+</li>
+<li>
+<ins class="diff-new">Andrei
+Sambra
+</ins></li><li>
+Jeff
+Sayre
+</li>
+<li>
+<ins class="diff-new">Dominik
+Tomaszuk
+</ins></li><li>
+Peter
+Williams
+</li>
+</ul>
+</div>
+<div about="#references" typeof="bibo:Chapter" class="appendix section" id="references">
+<h2>
+<span class="secno">
+
+C.
+</span>
+References
+</h2>
+<div class="section" about="#normative-references" typeof="bibo:Chapter" id="normative-references">
+<h3>
+<span class="secno">
+C.1
+</span>
+Normative
+references
+</h3>
+<dl about="" class="bibliography">
+<dt id="bib-GRDDL-PRIMER">
+[GRDDL-PRIMER]
+</dt>
+<dd rel="dcterms:requires">
+Harry
+Halpin;
+Ian
+Davis.
+
+<a href="http://www.w3.org/TR/2007/NOTE-grddl-primer-20070628">
+<cite>
+GRDDL
+Primer.
+</cite>
+</a>
+28
+June
+2007.
+W3C
+Note.
+URL:
+<a href="http://www.w3.org/TR/2007/NOTE-grddl-primer-20070628">
+http://www.w3.org/TR/2007/NOTE-grddl-primer-20070628
+</a>
+</dd>
+<dt id="bib-HTTP-TLS">
+[HTTP-TLS]
+</dt>
+<dd rel="dcterms:requires">
+E.
+Rescorla.
+<a href="http://www.ietf.org/rfc/rfc2818.txt">
+<cite>
+
+HTTP
+Over
+TLS.
+</cite>
+</a>
+May
+2000.
+Internet
+RFC
+2818.
+URL:
+<a href="http://www.ietf.org/rfc/rfc2818.txt">
+http://www.ietf.org/rfc/rfc2818.txt
+</a>
+</dd>
+<dt id="bib-HTTP11">
+[HTTP11]
+</dt>
+<dd rel="dcterms:requires">
+R.
+Fielding;
+et
+al.
+<a href="http://www.ietf.org/rfc/rfc2616.txt">
+<cite>
+Hypertext
+Transfer
+Protocol
+-
+HTTP/1.1.
+</cite>
+
+</a>
+June
+1999.
+Internet
+RFC
+2616.
+URL:
+<a href="http://www.ietf.org/rfc/rfc2616.txt">
+http://www.ietf.org/rfc/rfc2616.txt
+</a>
+</dd>
+<dt id="bib-N3">
+[N3]
+</dt>
+<dd rel="dcterms:requires">
+Tim
+Berners-Lee;
+Dan
+Connolly.
+<a href="http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/">
+<cite>
+Notation3
+(N3):
+A
+readable
+RDF
+syntax.
+</cite>
+</a>
+14
+January
+2008.
+W3C
+Team
+Submission.
+URL:
+
+<a href="http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/">
+http://www.w3.org/TeamSubmission/2008/SUBM-n3-20080114/
+</a>
+</dd>
+<dt id="bib-RDF-PRIMER">
+[RDF-PRIMER]
+</dt>
+<dd rel="dcterms:requires">
+Frank
+Manola;
+Eric
+Miller.
+<a href="http://www.w3.org/TR/2004/REC-rdf-primer-20040210/">
+<cite>
+RDF
+Primer.
+</cite>
+</a>
+10
+February
+2004.
+W3C
+Recommendation.
+URL:
+<a href="http://www.w3.org/TR/2004/REC-rdf-primer-20040210/">
+http://www.w3.org/TR/2004/REC-rdf-primer-20040210/
+
+</a>
+</dd>
+<dt id="bib-RDF-SPARQL-QUERY">
+[RDF-SPARQL-QUERY]
+</dt>
+<dd rel="dcterms:requires">
+Andy
+Seaborne;
+Eric
+Prud'hommeaux.
+<a href="http://www.w3.org/TR/2008/REC-rdf-sparql-query-20080115">
+<cite>
+SPARQL
+Query
+Language
+for
+RDF.
+</cite>
+</a>
+15
+January
+2008.
+W3C
+Recommendation.
+URL:
+<a href="http://www.w3.org/TR/2008/REC-rdf-sparql-query-20080115">
+http://www.w3.org/TR/2008/REC-rdf-sparql-query-20080115
+</a>
+</dd>
+
+<dt id="bib-RDF-SYNTAX-GRAMMAR">
+[RDF-SYNTAX-GRAMMAR]
+</dt>
+<dd rel="dcterms:requires">
+Dave
+Beckett.
+<a href="http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210">
+<cite>
+RDF/XML
+Syntax
+Specification
+(Revised).
+</cite>
+</a>
+10
+February
+2004.
+W3C
+Recommendation.
+URL:
+<a href="http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210">
+http://www.w3.org/TR/2004/REC-rdf-syntax-grammar-20040210
+</a>
+</dd>
+<dt id="bib-RFC3986">
+[RFC3986]
+
+</dt>
+<dd rel="dcterms:requires">
+T.
+Berners-Lee;
+R.
+Fielding;
+L.
+Masinter.
+<a href="http://www.ietf.org/rfc/rfc3986.txt">
+<cite>
+Uniform
+Resource
+Identifier
+(URI):
+Generic
+Syntax.
+</cite>
+</a>
+January
+2005.
+Internet
+RFC
+3986.
+URL:
+<a href="http://www.ietf.org/rfc/rfc3986.txt">
+http://www.ietf.org/rfc/rfc3986.txt
+</a>
+</dd>
+<dt id="bib-RFC5246">
+[RFC5246]
+</dt>
+<dd rel="dcterms:requires">
+
+T.
+Dierks;
+E.
+Rescorla.
+<a href="http://tools.ietf.org/html/rfc5246">
+<cite>
+The
+Transport
+Layer
+Security
+(TLS)
+Protocol
+Version
+1.2
+</cite>
+</a>
+August
+2008.
+Internet
+RFC
+5246.
+URL:
+<a href="http://tools.ietf.org/html/rfc5246">
+http://tools.ietf.org/html/rfc5246
+</a>
+</dd>
+<dt id="bib-RFC5746">
+[RFC5746]
+</dt>
+<dd rel="dcterms:requires">
+E.
+Rescorla,
+M.
+Ray,
+S.
+Dispensa,
+N.
+Oskov,
+<a href="http://tools.ietf.org/html/rfc5746">
+
+<cite>
+Transport
+Layer
+Security
+(TLS)
+Renegotiation
+Indication
+Extension
+</cite>
+</a>
+February
+2010.
+Internet
+RFC
+5246.
+URL:
+<a href="http://tools.ietf.org/html/rfc5746">
+http://tools.ietf.org/html/rfc5746
+</a>
+</dd>
+<dt id="bib-TURTLE">
+[TURTLE]
+</dt>
+<dd rel="dcterms:requires">
+David
+Beckett,
+Tim
+Berners-Lee.
+<a href="http://www.w3.org/TeamSubmission/turtle/">
+<cite>
+Turtle:
+Terse
+RDF
+Triple
+Language.
+
+</cite>
+</a>
+January
+2008.
+W3C
+Team
+Submission.
+URL:
+<a href="http://www.w3.org/TeamSubmission/turtle/">
+http://www.w3.org/TeamSubmission/turtle/
+</a>
+</dd>
+<dt id="bib-X509V3">
+[X509V3]
+</dt>
+<dd rel="dcterms:requires">
+<cite>
+ITU-T
+Recommendation
+X.509
+version
+3
+(1997).
+"Information
+Technology
+-
+Open
+Systems
+Interconnection
+-
+The
+Directory
+Authentication
+Framework"
+ISO/IEC
+9594-8:1997
+</cite>.
+</dd>
+
+<dt id="bib-XHTML-RDFA">
+[XHTML-RDFA]
+</dt>
+<dd rel="dcterms:requires">
+Shane
+McCarron;
+et.
+al.
+<a href="http://www.w3.org/TR/2011/WD-xhtml-rdfa-20111215">
+<cite>
+XHTML+RDFa
+1.1.
+</cite>
+</a>
+<del class="diff-old">31
+March
+</del>
+<ins class="diff-chg">15
+December
+</ins>
+2011.
+W3C
+Working
+Draft.
+URL:
+<del class="diff-old">http://www.w3.org/TR/2011/WD-xhtml-rdfa-20110331
+</del>
+
+<a href="http://www.w3.org/TR/2011/WD-xhtml-rdfa-20111215">
+<ins class="diff-chg">http://www.w3.org/TR/2011/WD-xhtml-rdfa-20111215
+</ins>
+</a>
+</dd>
+</dl>
+</div>
+<div class="section" about="#informative-references" typeof="bibo:Chapter" id="informative-references">
+<h3>
+<span class="secno">
+C.2
+</span>
+Informative
+references
+</h3>
+<dl about="" class="bibliography">
+<dt id="bib-RDF-CONCEPTS">
+[RDF-CONCEPTS]
+
+</dt>
+<dd rel="dcterms:references">
+Graham
+Klyne;
+Jeremy
+J.
+Carroll.
+<a href="http://www.w3.org/TR/2004/REC-rdf-concepts-20040210">
+<cite>
+Resource
+Description
+Framework
+(RDF):
+Concepts
+and
+Abstract
+Syntax.
+</cite>
+</a>
+10
+February
+2004.
+W3C
+Recommendation.
+URL:
+<a href="http://www.w3.org/TR/2004/REC-rdf-concepts-20040210">
+http://www.w3.org/TR/2004/REC-rdf-concepts-20040210
+</a>
+</dd>
+</dl>
+</div>
+</div>
+</body>
+
+</html>