Re: Signed Email WebID

Kingsley Idehen wrote:
> On 7/16/12 5:26 PM, Nathan wrote:
>> Kingsley Idehen wrote:
>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>> Jürgen Jakobitsch wrote:
>>>>> How can I (as a normal user) create a certificate that is trusted
>>>>> by a common CA authority with a WebID?
>>>>
>>>> It's a great question without an easy answer.
>>>>
>>>> Theoretically it should be a case of configuring openssl using 
>>>> openssl.conf in the usual round-about god awful way to get a 
>>>> subjectAltName in there, then submit the generated CSR to get it 
>>>> signed by a well known CA.
>>>>
>>>> I've only self-signed so far and not tested the CA bit, however I 
>>>> know people have been doing it for years with certificates with 
>>>> subjectAltName values in there, for LDAP - so rather sure it'll work 
>>>> as expected.
>>>>
>>>>> Or the other way round: I have a valid (from a CA authority) 
>>>>> certificate, how do I get a WebID in there..
>>>>
>>>> You can't - requires a new cert.
>>>>
>>>>> The problem comes to light when you sign your emails with a 
>>>>> certificate created with any of the WebID generators and most 
>>>>> clients will say that this signature is not valid.
>>>>> I only have Evolution and Thunderbird at hand, but I assume 
>>>>> Outlook and co. will also complain.
>>>>>
>>>>> I'd really like to sign my mails and have absolutely no problem 
>>>>> with it, but I'm not gonna do it when I must assume that 90% of 
>>>>> the recipients see some sort of warning that I'm sending 
>>>>> untrusted mails...
>>>>
>>>> I share and understand your concerns, WebID is an awesome concept, 
>>>> but the practicalities of dealing with certs are a *major* put off, 
>>>> mine expired ages ago and I know that any attempt to re-issue it, 
>>>> with the same keys no less (as I use them for git/svn/scp etc) is 
>>>> going to be a complete nightmare. Thus I use an expired cert for 
>>>> git/svn/scp which still works on linux, but I can't use webid any 
>>>> more until I fix it and jump through a few hoops to reissue.
>>>>
>>>> Shame, as WebID - at an abstract level, doesn't even need 
>>>> certificates, it just needs a public/private keypair and a way to 
>>>> pass the webid over.
>>>>
>>>> Regardless, if you want to persist, I'm sure you can get this 
>>>> working with a new CA signed cert :)
>>>>
>>>> Best,
>>>>
>>>> Nathan
>>>>
>>>>
>>>>
>>> Nathan,
>>>
>>> Why do you need a single Certificate for anything? How about having a 
>>> certificate aligned to specific activities e.g., signed email via 
>>> s/mime protocol? Thus, in this case you just generate a new cert 
>>> that's specifically for email.
>>>
>>> WebID can't stand on its own during the early stages, it has to be 
>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
>>> cost-effectively acquire both mindshare and appreciation. Of course, 
>>> if it all pans out, the reality of keypairs will become even clearer 
>>> and some of today's fluff will become much more optional. For today, 
>>> we've gotta hone into bootstrap hacks and mechanics :-)
>>
>> Just personal preference to have a single certificate (although my 
>> true preference is to have keys detached from certificates) - but you 
>> raise good points as always, there's no reason for me (us) not to have 
>> multiple certificates, especially if it helps with dog fooding and 
>> getting this show on the road.
>>
>> Best, Nathan
>>
>>
>>
> 
> Yes, and it also addresses the Peter Parker and Spiderman identity 
> conundrum.
> 
> We carry many cards in our wallets already, so why not many WebID 
> watermarked certs too :-)
> 
> BTW -- did you try the social relationship ACL I set up re. one of my 
> SPARQL endpoints? It's driven by SPARQL ASK.
> 

Ahh I kept getting notifications from an ODS briefcase of yours, is that 
what it was? (will need to get new cert(s) before I do)

Received on Monday, 16 July 2012 21:50:47 UTC
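The openssl.conf route Nathan describes above, as an added example that is not code from anyone on this thread: an openssl config that puts a WebID URI into the CSR's subjectAltName, reusing an existing key where one is present, so the CSR can then be submitted to a well-known CA. The WebID, the CN and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a keypair and a CSR
# whose subjectAltName carries a WebID URI, ready to submit to a CA.
# The WebID, the CN and the paths are constructed placeholders.
set -eu

WEBID="https://example.org/people/alice#me"   # placeholder WebID
WORKDIR="${TMPDIR:-/tmp}/webid-csr.$$"

# make_webid_csr DIR WEBID: writes DIR/webid.key and DIR/webid.csr
make_webid_csr() {
    dir="$1"; webid="$2"
    mkdir -p "$dir"
    # '#' starts a comment in openssl.cnf, so the fragment must be escaped
    escaped=$(printf '%s' "$webid" | sed 's/#/\\#/g')
    cat > "$dir/webid.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
CN = Alice Example (WebID)

[ req_ext ]
subjectAltName = URI:$escaped
EOF
    # Reuse an existing key if present (as the thread wants), else create one
    [ -f "$dir/webid.key" ] || openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/webid.key" 2>/dev/null
    openssl req -new -key "$dir/webid.key" -config "$dir/webid.cnf" \
        -out "$dir/webid.csr"
}

# csr_webid DIR: prints the first URI in the CSR's subjectAltName,
# which is what a WebID verifier will look for once the CA has signed it
csr_webid() {
    openssl req -in "$1/webid.csr" -noout -text \
        | sed -n 's/.*URI:\([^,]*\).*/\1/p' | head -n 1
}

make_webid_csr "$WORKDIR" "$WEBID"
echo "CSR written to $WORKDIR/webid.csr with WebID: $(csr_webid "$WORKDIR")"
```

Check the printed URI matches your WebID before sending the CSR off; a CA that strips or rejects URI-type subjectAltNames will hand back a certificate that S/MIME clients trust but WebID verifiers cannot use.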