W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: self-signed

From: Joe Presbrey <presbrey@csail.mit.edu>
Date: Wed, 13 Apr 2011 23:10:06 -0400
Message-ID: <BANLkTimot8Kh93PZO9bmh=m9kBwa8aHySw@mail.gmail.com>
To: peter williams <home_pw@msn.com>
Cc: nathan@webr3.org, Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>
On Wed, Apr 13, 2011 at 10:16 PM, peter williams <home_pw@msn.com> wrote:
> A self-signed cert is not a cert. Therefore using one is not a cert-using
> system. We are just borrowing the format, formally.

Actually, a self-signed cert /is/ a cert. Root CA certificates of
todays PKI are great examples of self-signed certs [1].

It is up to the WebID authorizer and its own local policy whether to
validate a certificate's issuer (if any), check CRLs, OCSP, etc. Fully
open WebID authorizers will be very lenient (no cert validation).

You're right we borrowed the format. Lets standardize all
inter-operable metadata containers to RDF/JSON including x509. But why
wait for SSL to go RDF when we can bootstrap working endpoints and
users on todays Apache/SSL systems?

I agree that Hans' criticals verification is silly in a "WebID
environment" (SSLVerifyClient optional_no_ca). Here's the flag that
stops it: /usr/include/openssl/x509_vfy.h:371:#define
X509_V_FLAG_IGNORE_CRITICAL 0x10

[1].http://en.wikipedia.org/wiki/Self-signed_certificate

--
Joe Presbrey
Received on Thursday, 14 April 2011 03:26:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:24 UTC