W3C home > Mailing lists > Public > public-rww@w3.org > July 2012

Re: Signed Email WebID

From: Nathan <nathan@webr3.org>
Date: Mon, 16 Jul 2012 22:26:52 +0100
Message-ID: <5004871C.1030000@webr3.org>
To: Kingsley Idehen <kidehen@openlinksw.com>
CC: public-rww@w3.org
Kingsley Idehen wrote:
> On 7/16/12 4:42 PM, Nathan wrote:
>> J├╝rgen Jakobitsch wrote:
>>> how can i (as a normal user) create a certificate that is trusted
>>> by a common ca authority with a webID.
>>
>> It's a great question without an easy answer.
>>
>> theoretically it should be a case of configuring openssl using 
>> openssl.conf in the usual round-about god awful way to get a 
>> subjectAltName in there, then submit the generated CSR to get it 
>> signed by a well known CA.
>>
>> I've only self signed so far and not tested the CA bit, however I know 
>> people have been doing it for years with certificate with 
>> subjectAltName values in there, for LDAP - so rather sure it'll work 
>> as expected.
>>
>>> or the other way round : i have a valid (from a ca authority) 
>>> certificate how do i get a webID in there..
>>
>> You can't - requires a new cert.
>>
>>> the problem comes to light, when you sign your emails with a certificate
>>> created with any of the webID generators and most clients will say 
>>> that this signature is not valid.
>>> i only have evolution and thunderbird at hand, but i assume the 
>>> outlook and co. will also complain.
>>>
>>> i'd really like to sign my mails and have absolutely no problem with 
>>> it, but
>>> i'm not gonna do it, when i must assume that 90% of the recipients 
>>> see some sort
>>> of warning, that i'm sending untrusted mails...
>>
>> I share and understand your concerns, WebID is an awesome concept, but 
>> the practicalities of dealing with certs are a *major* put off, mine 
>> expired ages ago and I know that any attempt to re-issue it, with the 
>> same keys no less (as I use them for git/svn/scp etc) is going to be a 
>> complete nightmare. Thus I use an expired cert for git/svn/scp which 
>> still works on linux, but I can't use webid any more until I fix it 
>> and jump through a few hoops to reissue.
>>
>> Shame, as WebID - at an abstract level, doesn't even need 
>> certificates, it just needs a public/private keypair and a way to pass 
>> the webid over.
>>
>> Regardless, if you want to persist, I'm sure you can get this working 
>> with a new CA signed cert :)
>>
>> Best,
>>
>> Nathan
>>
>>
>>
> Nathan,
> 
> Why do you need a single Certificate for anything? How about having a 
> certificate aligned to specific activities e.g., signed email via s/mime 
> protocol? Thus, in this case you just generate a new cert that's 
> specifically for email.
> 
> WebID can't stand on its own during the early stages, it has to be 
> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
> cost-effectively acquire both mindshare and appreciation. Of course, if 
> it all pans out, the reality of keypairs will become even clearer and 
> some of today's fluff will become much more optional. For today, we've 
> gotta hone into bootstrap hacks and mechanics :-)

Just personal preference to have a single certificate (although my true 
preference is to have keys detached from certificates) - but you raise 
good points as always, there's no reason for me (us) not to have 
multiple certificates, especially if it helps with dog fooding and 
getting this show on the road.

Best, Nathan
Received on Monday, 16 July 2012 21:28:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 16 July 2012 21:28:03 GMT