W3C home > Mailing lists > Public > public-webid@w3.org > January 2012

Re: Certificate Expiry (summary)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 27 Jan 2012 13:55:25 +0100
Message-ID: <CAKaEYhKNm_B=o0wnC70J6wMg=FMnQcyQ_UvtG8vSSiSayp6pDg@mail.gmail.com>
To: Jürgen Jakobitsch <j.jakobitsch@semantic-web.at>
Cc: public-webid@w3.org
On 27 January 2012 13:47, Jürgen Jakobitsch
<j.jakobitsch@semantic-web.at> wrote:
> hi,
>
> is there a final conclusion on this issue yet,
> which an implementor can rely on?
>
> i think it would be a good idea to write a couple
> of lines into spec about this. from only reading
> the spec now, i have no clue what to do with the dates
> in a certificate.
>
> at current the best solution for WebIDRealm seems
> to simply have some boolean flags that get read on startup.
>
> mindCertificateNotYetValid (=true|false)
> mindCertificateExpired (=true|false)

Isn't this logic delegated to the X.509 spec?

>
> wkr j
>
> ----- Original Message -----
> From: "Kingsley Idehen" <kidehen@openlinksw.com>
> To: public-webid@w3.org
> Sent: Thursday, January 26, 2012 8:02:27 PM
> Subject: Re: Certificate Expiry (summary)
>
> On 1/26/12 1:32 PM, Henry Story wrote:
>> On 26 Jan 2012, at 19:12, Kingsley Idehen wrote:
>>
>>> On 1/26/12 12:08 PM, Joe Presbrey wrote:
>>>> Hi all,
>>>>
>>>> I caught up with Henry in a quick chat earlier about this and will let
>>>> you know a quick summary. Of course we all agree on extending the
>>>> trust network via URIs, resolving, issues and signers, cosigners,
>>>> freedom and liberty boxes, server clients, etc. all day long. In
>>>> addition:
>>>>
>>>> 1) we should distinguish old keys from current keys with status,
>>>> issuer, date, and/or other properties of the key in our profiles
>>> Okay, so do we tweak the Cert. Ontology accordingly? Or make an adjunct
>>> Assurance Ontology?
>> I don't see a problem adding a few notBefore/notAfter relations to the
>> cert ontology. We would want to state somehow that the relation between
>> the user and the public key as being one of identification was only valid
>> for a certain amount of time.
>>
>> What I am wondering is if that would make a difference to your argument
>> outlined in the thread. If someone were to use certificate with a WebID
>> that was backed up by a Profile whose key was described as being
>> expired, would not the argument you had outlined in the thread still
>> hold? Ie, that this is an issue with authorisation and not
>> authentication?
>
> Grey area that sits between the realms of Authentication and Authorization.
>
> Tweaking the ontology solves the problem.  Solomon was an ontologist :-)
>
>
> Kingsley
>>
>>>> 2) expired self-signed WebIDs should not "go out with the trash", if a
>>>> hacker finds it, they can pretend they are you unless (1)
>>>>
>>>> 3) we should regard x509 properties in addition to (1) while WebID is
>>>> delivered via x509, but prefer LD mechanisms to be compatible with
>>>> other containers and transports
>>> Yes.
>>>
>>> Kingsley
>>>
>>>> Best,
>>>>
>>>> --
>>>> Joe Presbrey
>>>>
>>>>
>>>> On Thu, Jan 26, 2012 at 11:40 AM, Henry Story<henry.story@bblfish.net>   wrote:
>>>>> yes make sense +1 - just add Summary to front of the e-mail subject.
>>>>> I think it would be good if each thread had a little summary.
>>>>>
>>>>> On 26 Jan 2012, at 17:35, Joe Presbrey wrote:
>>>>>
>>>>>> I drafted this summary email, if it looks good to you, do you want to send it?
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Kingsley Idehen
>>> Founder&   CEO
>>> OpenLink Software
>>> Company Web: http://www.openlinksw.com
>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>> Twitter/Identi.ca handle: @kidehen
>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>>
>>>
>>>
>>>
>>>
>>>
>> Social Web Architect
>> http://bblfish.net/
>>
>>
>>
>
>
> --
>
> Regards,
>
> Kingsley Idehen
> Founder&  CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>
>
>
>
>
>
>
> --
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> | A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web       : http://www.turnguard.com
> | foaf      : http://www.turnguard.com/turnguard
> | skype     : jakobitsch-punkt
> | xmlns:tg  = "http://www.turnguard.com/turnguard#"
>
Received on Friday, 27 January 2012 12:55:53 UTC

This archive was generated by hypermail 2.3.1 : Sunday, 31 March 2013 14:40:58 UTC