
Re: Signed Email WebID

From: Nathan <nathan@webr3.org>
Date: Mon, 16 Jul 2012 23:11:21 +0100
Message-ID: <50049189.7020102@webr3.org>
To: Kingsley Idehen <kidehen@openlinksw.com>
CC: public-rww@w3.org
Kingsley Idehen wrote:
> On 7/16/12 5:49 PM, Nathan wrote:
>> Kingsley Idehen wrote:
>>> On 7/16/12 5:26 PM, Nathan wrote:
>>>> Kingsley Idehen wrote:
>>>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>>>> Jürgen Jakobitsch wrote:
>>>>>>> how can i (as a normal user) create a certificate that is trusted
>>>>>>> by a common ca authority with a webID.
>>>>>>
>>>>>> It's a great question without an easy answer.
>>>>>>
>>>>>> theoretically it should be a case of configuring openssl using 
>>>>>> openssl.conf in the usual round-about god awful way to get a 
>>>>>> subjectAltName in there, then submit the generated CSR to get it 
>>>>>> signed by a well known CA.
>>>>>>
>>>>>> I've only self signed so far and not tested the CA bit, however I 
>>>>>> know people have been doing it for years with certificate with 
>>>>>> subjectAltName values in there, for LDAP - so rather sure it'll 
>>>>>> work as expected.
>>>>>>
>>>>>>> or the other way round : i have a valid (from a ca authority) 
>>>>>>> certificate how do i get a webID in there..
>>>>>>
>>>>>> You can't - requires a new cert.
>>>>>>
>>>>>>> the problem comes to light, when you sign your emails with a 
>>>>>>> certificate
>>>>>>> created with any of the webID generators and most clients will 
>>>>>>> say that this signature is not valid.
>>>>>>> i only have evolution and thunderbird at hand, but i assume the 
>>>>>>> outlook and co. will also complain.
>>>>>>>
>>>>>>> i'd really like to sign my mails and have absolutely no problem 
>>>>>>> with it, but
>>>>>>> i'm not gonna do it, when i must assume that 90% of the 
>>>>>>> recipients see some sort
>>>>>>> of warning, that i'm sending untrusted mails...
>>>>>>
>>>>>> I share and understand your concerns, WebID is an awesome concept, 
>>>>>> but the practicalities of dealing with certs are a *major* put 
>>>>>> off, mine expired ages ago and I know that any attempt to re-issue 
>>>>>> it, with the same keys no less (as I use them for git/svn/scp etc) 
>>>>>> is going to be a complete nightmare. Thus I use an expired cert 
>>>>>> for git/svn/scp which still works on linux, but I can't use webid 
>>>>>> any more until I fix it and jump through a few hoops to reissue.
>>>>>>
>>>>>> Shame, as WebID - at an abstract level, doesn't even need 
>>>>>> certificates, it just needs a public/private keypair and a way to 
>>>>>> pass the webid over.
>>>>>>
>>>>>> Regardless, if you want to persist, I'm sure you can get this 
>>>>>> working with a new CA signed cert :)
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Nathan
>>>>>>
>>>>>>
>>>>>>
>>>>> Nathan,
>>>>>
>>>>> Why do you need a single Certificate for anything? How about having 
>>>>> a certificate aligned to specific activities e.g., signed email via 
>>>>> s/mime protocol? Thus, in this case you just generate a new cert 
>>>>> that's specifically for email.
>>>>>
>>>>> WebID can't stand on its own during the early stages, it has to be 
>>>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
>>>>> cost-effectively acquire both mindshare and appreciation. Of 
>>>>> course, if it all pans out, the reality of keypairs will become 
>>>>> even clearer and some of today's fluff will become much more 
>>>>> optional. For today, we've gotta hone into bootstrap hacks and 
>>>>> mechanics :-)
>>>>
>>>> Just personal preference to have a single certificate (although my 
>>>> true preference is to have keys detached from certificates) - but 
>>>> you raise good points as always, there's no reason for me (us) not 
>>>> to have multiple certificates, especially if it helps with dog 
>>>> fooding and getting this show on the road.
>>>>
>>>> Best, Nathan
>>>>
>>>>
>>>>
>>>
>>> Yes, and it also addresses the Peter Parker and Spiderman identity 
>>> conundrum .
>>>
>>> We carry many cards in our wallets already, so why not many WebID 
>>> watermarked certs too :-)
>>>
>>> BTW -- did you try the social relationship ACL I setup re. one of my 
>>> SPARQL endpoints? It's driven by SPARQL ASK.
>>>
>>
>> Ahh I kept getting notifications from an ODS briefcase of yours, is 
>> that what it was? (will need to get new cert(s) before I do)
>>
>>
>>
> 
> You get a notice anytime I share a resource for the foaf:Group of which 
> your WebID is a member.
> 
> Re. SPARQL endpoint test, you just need a WebID that resolves to a graph 
> that has one of the requisite foaf:knows based social relationships. In 
> this case, knowing one of: TimBL, Henry, Melvin, Jurgen, or I will 
> suffice. Basically, as folks respond to the test, I add them to the list 
> of WebIDs that should be objects of foaf:knows relationships.

link?
Received on Monday, 16 July 2012 22:12:34 GMT