W3C home > Mailing lists > Public > public-webid@w3.org > January 2012

Re: Certificate Expiry

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 26 Jan 2012 10:57:32 +0100
Cc: Mischa Tuffield <mischa@mmt.me.uk>, public-webid@w3.org
Message-Id: <4E8D9241-E7FF-4180-A837-AA0B74B81617@bblfish.net>
To: Joe Presbrey <presbrey@gmail.com>

On 26 Jan 2012, at 08:33, Joe Presbrey wrote:

> The notion of self-signed WebID certificates (securely) expiring is invalid and quite easily misunderstood. There are no assurances for start/end dates (or any other properties, eg. WebID URI!) within the certificate itself.

Not all WebID certificates are self signed. They can be signed by the service that creates them.
This is probably not a bad thing, as the service that creates them can then have it's own WebID,
and would end up constituting an extra verification layer. There is no requirement on self signed
certificates in WebID.


> 
> This is precisely why we resolve the WebID URI: to check if the claims in the certificate are true. We could also check the URI/LD to see if dates match, but we don't currently have schema for that, and why bother?
> 
> Remove the "expired" certificate's public key from your FOAF/LinkedData if you want to deactivate it.

I agree, removing the expired certificate PK is one thing to do.
( But one might not necessarily want to remove the key either. We may want to have
a relation for ex keys, so that people who used keys to sign documents in the
past can still verify those signatures. e.g.

<#me> cert:oldKey [ ...]
)




> Otherwise,
> 
> re-self-sign:
> https://gist.github.com/1653329
> 
> You won't need to update your FOAF/LD as your Public Key will not change.
> 
> 
> On Wed, 25 Jan 2012, Mischa Tuffield wrote:
>> Mischa *needs to generate a new cert I guess $todoList++.
> 
> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 26 January 2012 09:58:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:33 UTC