
RE: Multiple certificates belonging to a WebID (or multiple IDs).

From: peter williams <home_pw@msn.com>
Date: Fri, 1 Apr 2011 08:08:22 -0700
Message-ID: <SNT143-ds209FBE7548BDA638E0720892BE0@phx.gbl>
To: "'Andrei Sambra'" <andrei@fcns.eu>
CC: "'WebID XG'" <public-xg-webid@w3.org>
Assume 2 self-signed certs with different pubkeys. 1 self-signed cert,
furthermore, has 3 webids in the SAN field. Webid#a is http://me.ego.com,
webid#b is http://me.ac.uk, and webid#c is http://me.eu. The other cert has 1
non-RSA pubkey, with webid#d http://me.grunt.nato.

When the verifier with "protected" resources processes the request, perhaps
it picks one of the 3 webids, according to a "match" process. The match
compares the verifier's own naming context with the 3 proposed naming
contexts. If the verifier is acting under EU data protection laws, it picks
the match focusing on the me as http://me.eu. It then queries the foaf card
at http://me.eu, which of course resolves to the same foaf card as the other
2 webids. (One could use the X.509 match rules for such matching, or invent
yet another expression for the same.)

Now, the agent releasing the foaf card COULD be held responsible for
only releasing objects from the foaf card TO "that" requestor ... in a manner
subject to EU data protections, should the EU governance regime be in force
for that https connection.

If another verifier - in the UK - made the request, matching UK rules, UK
rules for data protection would apply. These rules have lots of exceptions
from EU standards, allowing for ISPs to enact "national security"
arrangements.

This kind of matching is not a framework for access control, or
authorization. It's an expression of "governing policy" concerning
information flows - which is a different way of looking at the issue set.
It's not mandatory, but discretionary; being an opt-in system for huge
scale systems - that keeps the peace so to speak, without imposing large
administrative burdens or cost structures (like PKI or DNSsec).

If anyone is interested, one can study the policy mapping and matching
algorithm in X.509. It allows qualifiers, which can extend the basis of
matching to almost anything, including the domain-names of URIs.
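The selection-then-dereference flow sketched above, as an added example that is not code from the original post or from the WebID project: a verifier picks the SAN WebID whose host falls inside its own naming context (here a constructed, hypothetical table mapping a governance label such as "EU" or "UK" to DNS suffixes), then checks that the certificate's RSA public key is listed in the profile that WebID resolves to. The profile store is an in-memory stand-in for fetching the foaf card, all three of cert A's WebIDs point at the same profile, and that profile lists two keys so that a second certificate with a different key and the same WebID also passes, which is the multiple-certificates case Henry describes. Key values are small constructed integers, not real RSA keys. The non-RSA certificate is matched by name but fails the key check, since the profile vocabulary modelled here only carries RSA keys.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed, hypothetical table: which DNS suffixes a verifier operating
# under a given governance regime treats as its own naming context.
NAMING_CONTEXTS = {
    "EU": (".eu",),
    "UK": (".uk",),
    "NATO": (".nato",),
}


@dataclass(frozen=True)
class Certificate:
    """Only the fields the matching step needs from a self-signed client cert."""
    san_uris: tuple   # uniformResourceIdentifier entries of the SAN extension
    key_type: str     # "RSA" or anything else
    modulus: int      # RSA modulus (constructed small values below, not real keys)
    exponent: int     # RSA public exponent


# Constructed profile store standing in for dereferencing each WebID over HTTP.
# All three of cert A's WebIDs resolve to the same profile, as the post says;
# that profile lists two keys (one per browser, as in Henry's reply).
_EGO_PROFILE = {"keys": [(0xC0FFEE, 65537), (0xBEEF, 65537)]}
PROFILES = {
    "http://me.ego.com": _EGO_PROFILE,
    "http://me.ac.uk": _EGO_PROFILE,
    "http://me.eu": _EGO_PROFILE,
    "http://me.grunt.nato": {"keys": [(0xDEAD, 65537)]},
}


def host_in_context(host, suffixes):
    """True if the host equals a suffix's bare label or ends with the dotted suffix."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def select_webid(cert, jurisdiction):
    """Pick the first SAN WebID whose host lies in the verifier's naming context."""
    suffixes = NAMING_CONTEXTS[jurisdiction]
    for uri in cert.san_uris:
        host = (urlsplit(uri).hostname or "").lower()
        if host_in_context(host, suffixes):
            return uri
    return None


def key_listed_in_profile(cert, webid):
    """WebID-TLS style check: the cert's modulus/exponent must appear in the profile."""
    if cert.key_type != "RSA":
        return False  # the profile vocabulary modelled here only carries RSA keys
    profile = PROFILES.get(webid)
    if profile is None:
        return False
    return (cert.modulus, cert.exponent) in profile["keys"]


def verify(cert, jurisdiction):
    """Return (chosen WebID or None, whether the cert's key is bound to that WebID)."""
    webid = select_webid(cert, jurisdiction)
    if webid is None:
        return None, False
    return webid, key_listed_in_profile(cert, webid)


# Constructed certificates mirroring the post: cert A carries three WebIDs,
# cert B a single non-RSA key with a .nato WebID, cert A2 a second RSA key for
# the same person, and a "rogue" cert whose key the profile never listed.
CERT_A = Certificate(("http://me.ego.com", "http://me.ac.uk", "http://me.eu"),
                     "RSA", 0xC0FFEE, 65537)
CERT_A2 = Certificate(("http://me.eu",), "RSA", 0xBEEF, 65537)
CERT_B = Certificate(("http://me.grunt.nato",), "EC", 0, 0)
CERT_ROGUE = Certificate(("http://me.eu",), "RSA", 0xBAD, 65537)

if __name__ == "__main__":
    for label, cert in [("A", CERT_A), ("A2", CERT_A2), ("B", CERT_B), ("rogue", CERT_ROGUE)]:
        for regime in NAMING_CONTEXTS:
            print(label, regime, verify(cert, regime))
```

Note that the name match alone proves nothing: a certificate asserting http://me.eu in its SAN is only accepted once the profile at that WebID lists the presented key, so the governance-driven selection step never replaces the key-binding check.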

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Friday, April 01, 2011 7:25 AM
To: Andrei Sambra
Cc: WebID XG
Subject: Re: Multiple certificates belonging to a WebID (or multiple IDs).


On 31 Mar 2011, at 12:54, Andrei Sambra wrote:

> First of all, a big Hello since this is my first post on the mailing 
> list!
> 
> After browsing through the specs for a while, I couldn't find any 
> mention to whether it's possible or not to have multiple certificates 
> associated to a WebID,

Yes, you can. I have a different certificate with different public keys
and the same webid in each of my browsers.

> or for this matter, how would they be processed by the authentication 
> system.

Are you trying to send the certificates simultaneously? Or perhaps you are
thinking of a chain of certificates? What is your use case?

> Also, could user have multiple identities associated to a profile file 
> (think of resources made available through ACLs)?

Yes, that's possible.
I am not sure what use it would be. It is likely that you could do what you
are trying to do in a better way.

> 
> Andrei

Social Web Architect
http://bblfish.net/
Received on Friday, 1 April 2011 15:09:06 UTC