Re: Certificate Expiry from Melvin Carvalho on 2012-01-26 (public-webid@w3.org from January 2012)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Thu, 26 Jan 2012 13:17:43 +0100
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: public-webid@w3.org
Message-ID: <CAKaEYhKzY8XFCweiT626qtXmLnONyo=cMR=mEwprJVMwP7KZhg@mail.gmail.com>

On 26 January 2012 12:59, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> On 1/26/12 2:33 AM, Joe Presbrey wrote:
>>
>> The notion of self-signed WebID certificates (securely) expiring is
>> invalid and quite easily misunderstood. There are no assurances for
>> start/end dates (or any other properties, eg. WebID URI!) within the
>> certificate itself.
>>
>> This is precisely why we resolve the WebID URI: to check if the claims in
>> the certificate are true. We could also check the URI/LD to see if dates
>> match, but we don't currently have schema for that, and why bother?
>>
>> Remove the "expired" certificate's public key from your FOAF/LinkedData if
>> you want to deactivate it. Otherwise,
>>
>> re-self-sign:
>> https://gist.github.com/1653329
>>
>> You won't need to update your FOAF/LD as your Public Key will not change.
>>
>>
>> On Wed, 25 Jan 2012, Mischa Tuffield wrote:
>>>
>>> Mischa *needs to generate a new cert I guess $todoList++.
>>
>>
>>
>>
> +1
>
> I've been mauling over this a bit and I don't think it really fits into the
> Authentication realm. This is an Authorization realm matter. Basically, one
> should be able to construct a resource access policy (via ACL) that
> determines how certificate expiration is to be handled.

+1 out of scope of this version of the Protocol spec ...

The proposed ideas of

:expiredKey predicate

maybe also with validFrom, validTo may possibly be modeled later
perhaps or in another vocab (already we have the security vocab) [1]
and webkeys spec [2]

there's also some commands in openssl to check expiry I believe

x509 -in <public crt.pem> -noout -enddate

[1] http://payswarm.com/vocabs/security
[2] http://payswarm.com/specs/ED/web-keys/2012-01-23/

>
>
> --
>
> Regards,
>
> Kingsley Idehen
> Founder&  CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>
>
>
>
>
>

Received on Thursday, 26 January 2012 12:18:14 UTC