Re: Signed Email WebID

On 7/16/12 5:26 PM, Nathan wrote:
> Kingsley Idehen wrote:
>> On 7/16/12 4:42 PM, Nathan wrote:
>>> Jürgen Jakobitsch wrote:
>>>> how can i (as a normal user) create a certificate that is trusted
>>>> by a common ca authority with a webID.
>>>
>>> It's a great question without an easy answer.
>>>
>>> theoretically it should be a case of configuring openssl using 
>>> openssl.conf in the usual round-about god awful way to get a 
>>> subjectAltName in there, then submit the generated CSR to get it 
>>> signed by a well known CA.
>>>
>>> I've only self signed so far and not tested the CA bit, however I 
>>> know people have been doing it for years with certificate with 
>>> subjectAltName values in there, for LDAP - so rather sure it'll work 
>>> as expected.
>>>
>>>> or the other way round : i have a valid (from a ca authority) 
>>>> certificate how do i get a webID in there..
>>>
>>> You can't - requires a new cert.
>>>
>>>> the problem comes to light, when you sign your emails with a 
>>>> certificate
>>>> created with any of the webID generators and most clients will say 
>>>> that this signature is not valid.
>>>> i only have evolution and thunderbird at hand, but i assume the 
>>>> outlook and co. will also complain.
>>>>
>>>> i'd really like to sign my mails and have absolutely no problem 
>>>> with it, but
>>>> i'm not gonna do it, when i must assume that 90% of the recipients 
>>>> see some sort
>>>> of warning, that i'm sending untrusted mails...
>>>
>>> I share and understand your concerns, WebID is an awesome concept, 
>>> but the practicalities of dealing with certs are a *major* put off, 
>>> mine expired ages ago and I know that any attempt to re-issue it, 
>>> with the same keys no less (as I use them for git/svn/scp etc) is 
>>> going to be a complete nightmare. Thus I use an expired cert for 
>>> git/svn/scp which still works on linux, but I can't use webid any 
>>> more until I fix it and jump through a few hoops to reissue.
>>>
>>> Shame, as WebID - at an abstract level, doesn't even need 
>>> certificates, it just needs a public/private keypair and a way to 
>>> pass the webid over.
>>>
>>> Regardless, if you want to persist, I'm sure you can get this 
>>> working with a new CA signed cert :)
>>>
>>> Best,
>>>
>>> Nathan
>>>
>>>
>>>
>> Nathan,
>>
>> Why do you need a single Certificate for anything? How about having a 
>> certificate aligned to specific activities e.g., signed email via 
>> s/mime protocol? Thus, in this case you just generate a new cert 
>> that's specifically for email.
>>
>> WebID can't stand on its own during the early stages, it has to be 
>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
>> cost-effectively acquire both mindshare and appreciation. Of course, 
>> if it all pans out, the reality of keypairs will become even clearer 
>> and some of today's fluff will become much more optional. For today, 
>> we've gotta hone into bootstrap hacks and mechanics :-)
>
> Just personal preference to have a single certificate (although my 
> true preference is to have keys detached from certificates) - but you 
> raise good points as always, there's no reason for me (us) not to have 
> multiple certificates, especially if it helps with dog fooding and 
> getting this show on the road.
>
> Best, Nathan
>
>
>

Yes, and it also addresses the Peter Parker and Spiderman identity 
conundrum .

We carry many cards in our wallets already, so why not many WebID 
watermarked certs too :-)

BTW -- did you try the social relationship ACL I setup re. one on my 
SPARQL endpoints? Its driven by SPARQL ASK. s

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen