
Re: Signed Email WebID

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 16 Jul 2012 17:40:37 -0400
Message-ID: <50048A55.3080708@openlinksw.com>
To: public-rww@w3.org
On 7/16/12 5:26 PM, Nathan wrote:
> Kingsley Idehen wrote:
>> On 7/16/12 4:42 PM, Nathan wrote:
>>> Jürgen Jakobitsch wrote:
>>>> how can i (as a normal user) create a certificate that is trusted
>>>> by a common ca authority with a webID.
>>> It's a great question without an easy answer.
>>> theoretically it should be a case of configuring openssl using 
>>> openssl.conf in the usual round-about god awful way to get a 
>>> subjectAltName in there, then submit the generated CSR to get it 
>>> signed by a well known CA.
>>> I've only self signed so far and not tested the CA bit, however I 
>>> know people have been doing it for years with certificate with 
>>> subjectAltName values in there, for LDAP - so rather sure it'll work 
>>> as expected.
>>>> or the other way round : i have a valid (from a ca authority) 
>>>> certificate how do i get a webID in there..
>>> You can't - requires a new cert.
>>>> the problem comes to light, when you sign your emails with a 
>>>> certificate
>>>> created with any of the webID generators and most clients will say 
>>>> that this signature is not valid.
>>>> i only have evolution and thunderbird at hand, but i assume the 
>>>> outlook and co. will also complain.
>>>> i'd really like to sign my mails and have absolutely no problem 
>>>> with it, but
>>>> i'm not gonna do it, when i must assume that 90% of the recipients 
>>>> see some sort
>>>> of warning, that i'm sending untrusted mails...
>>> I share and understand your concerns, WebID is an awesome concept, 
>>> but the practicalities of dealing with certs are a *major* put off, 
>>> mine expired ages ago and I know that any attempt to re-issue it, 
>>> with the same keys no less (as I use them for git/svn/scp etc) is 
>>> going to be a complete nightmare. Thus I use an expired cert for 
>>> git/svn/scp which still works on linux, but I can't use webid any 
>>> more until I fix it and jump through a few hoops to reissue.
>>> Shame, as WebID - at an abstract level, doesn't even need 
>>> certificates, it just needs a public/private keypair and a way to 
>>> pass the webid over.
>>> Regardless, if you want to persist, I'm sure you can get this 
>>> working with a new CA signed cert :)
>>> Best,
>>> Nathan
>> Nathan,
>> Why do you need a single Certificate for anything? How about having a 
>> certificate aligned to specific activities e.g., signed email via 
>> s/mime protocol? Thus, in this case you just generate a new cert 
>> that's specifically for email.
>> WebID can't stand on its own during the early stages, it has to be 
>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
>> cost-effectively acquire both mindshare and appreciation. Of course, 
>> if it all pans out, the reality of keypairs will become even clearer 
>> and some of today's fluff will become much more optional. For today, 
>> we've gotta hone into bootstrap hacks and mechanics :-)
> Just personal preference to have a single certificate (although my 
> true preference is to have keys detached from certificates) - but you 
> raise good points as always, there's no reason for me (us) not to have 
> multiple certificates, especially if it helps with dog fooding and 
> getting this show on the road.
> Best, Nathan

Yes, and it also addresses the Peter Parker and Spiderman identity 
conundrum.

We carry many cards in our wallets already, so why not many WebID 
watermarked certs too :-)

BTW -- did you try the social relationship ACL I setup re. one of my 
SPARQL endpoints? It's driven by SPARQL ASK.

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
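
Added example, not part of this message or anything its participants posted: the certificate steps Nathan describes above (an openssl config that puts the WebID into subjectAltName, a CSR built from it that would go to a CA, a self-signed stand-in for testing), scripted so each result is checked rather than assumed. It goes one step beyond the thread by signing a message with the resulting certificate and verifying it against two different trust anchors, which is the mechanism behind the client warnings Jürgen mentions. It assumes openssl 1.1.1 or newer on PATH; the WebID URI, the name and the e-mail address are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from this thread or its participants.
# Assumes openssl 1.1.1 or newer on PATH. The WebID URI, name and address
# are constructed placeholders.
set -eu

# write_san_config DIR WEBID
# Writes the openssl config that puts the WebID into subjectAltName. In an
# openssl config a bare '#' starts a comment, so the "#me" fragment has to
# be escaped or the URI silently loses it.
write_san_config() {
    escaped=$(printf '%s' "$2" | sed 's/#/\\#/g')
    cat > "$1/webid.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN           = Alice Example
emailAddress = alice@example.org

[ v3_req ]
# URI entry carries the WebID; the email entry lets S/MIME clients match
# the certificate to the From: header.
subjectAltName = URI:$escaped, email:alice@example.org
EOF
}

# make_webid_csr DIR WEBID -> prints the CSR path (this is what goes to a CA)
make_webid_csr() {
    write_san_config "$1" "$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null
    openssl req -new -key "$1/key.pem" -config "$1/webid.cnf" \
        -out "$1/request.csr" 2>/dev/null
    echo "$1/request.csr"
}

# csr_has_webid CSR WEBID -> exit 0 when the request's SAN carries URI:WEBID
csr_has_webid() {
    openssl req -in "$1" -noout -text | grep -qF "URI:$2"
}

# self_sign_for_testing DIR -> prints the path of a self-signed certificate
# that keeps the requested extensions (the step a CA would perform)
self_sign_for_testing() {
    openssl x509 -req -in "$1/request.csr" -signkey "$1/key.pem" -days 30 \
        -extfile "$1/webid.cnf" -extensions v3_req -out "$1/cert.pem" 2>/dev/null
    echo "$1/cert.pem"
}

# cert_has_webid CERT WEBID -> exit 0 when the issued cert still carries the
# SAN; run it on whatever a CA returns before relying on the cert for WebID
cert_has_webid() {
    openssl x509 -in "$1" -noout -text | grep -qF "URI:$2"
}

# sign_mail DIR -> prints the path of an S/MIME signed message
sign_mail() {
    printf 'Subject: test\n\nsigned with the WebID certificate\n' > "$1/msg.txt"
    openssl smime -sign -in "$1/msg.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -out "$1/signed.eml"
    echo "$1/signed.eml"
}

# verify_mail SIGNED ANCHOR -> exit 0 only if the signer chains to ANCHOR;
# a mail client does the same against its own trust store, which is why a
# self-signed signer shows up as untrusted there
verify_mail() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

# Stand-alone run in a scratch directory.
WEBID="https://example.org/people/alice#me"   # constructed, not a real profile
WORK=$(mktemp -d)
CSR=$(make_webid_csr "$WORK" "$WEBID")
csr_has_webid "$CSR" "$WEBID" && echo "CSR carries $WEBID"
CERT=$(self_sign_for_testing "$WORK")
cert_has_webid "$CERT" "$WEBID" && echo "certificate carries $WEBID"
MAIL=$(sign_mail "$WORK")
verify_mail "$MAIL" "$CERT" && echo "signature verifies with the cert itself as anchor"
rm -rf "$WORK"
```

Two things worth keeping from this: the `#` in a WebID fragment is a comment character in openssl config syntax, so the SAN check on the CSR is what tells you the escaping worked; and whether a public CA preserves a URI entry in the certificate it issues is that CA's policy, so the same check on the returned certificate is the thing to run before treating it as a WebID certificate.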

Received on Monday, 16 July 2012 21:40:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:40:01 UTC