Re: PKI signing of certs with SAN URIs : NVSI : openid domain procedures

On Sat, 2011-04-30 at 22:54 +0200, Melvin Carvalho wrote:
> On 30 April 2011 22:31, Andrei Sambra <andrei@fcns.eu> wrote:
> > If I understand the first question, it should suffice for the CA to
> > extract the WebID and then dereference the foaf card indicated by the
> > URI. It's pretty much the same steps involved in performing WebID
> > authentication.
> >
> > For the second question, I don't why we couldn't. However, I wonder why
> > we should do it. The question is, what are you looking to do? Trust a
> > certificate (it's owner), or trust the people using it (the owner of the
> > FOAF card)?
> >
> > If you are referring to something similar to the PGP, then there is an
> > article on one of the wiki pages which describes why WebID makes it
> > easier to implement a web of trust, without signing anything. If you are
> > referring to the general case, as a way to improve trust, then I still
> > don't see why signing anything would improve trust.
> >
> > Now, let me rant for a little, since I've seen lots of emails on this
> > list discussing CAs and general issues related to PKI, and I also fear
> > some of the mailing list members still don't understand WebID.
> >
> > Quick recap: WebID offers first and foremost a way to authenticate
> > users. This is done using self-signed certificates (as far as CAs/PKI
> > systems are concerned) which contain a reference to the certificate
> > owner's public foaf card. This card serves as the user's "identity", and
> > contains one or more public keys belonging to one or more x509
> > certificates, which in turn serve to verify that browser certificate
> > which was used to point to this foaf card does indeed belong to the
> > card's identity.
> >
> > As you can see, the browser certificate is only useful to establish that
> > a user connecting to a service is indeed the owner of the foaf card
> > which contains his/her identity. Whatever trust relationships we intend
> > to form, do not involve the certificates! This is where the linked data
> > comes into play, and for example, we could simply use foaf:knows to
> > create a web of trust.
> >
> > I hope I've made myself clear. Oh, please do not consider this post as
> > personal attack to someone, or my way to start a flame war.
> 
> I guess my question is asking:  As a verifying agent, do you even need
> to check the FOAF card if you already trust the CA?  Of course you can
> do both.
> 
It all comes down to what you are trying to verify. Do you want to check
the validity of the certificate or the validity of the WebID? 

For example: a certificate could be issued by a trusted CA, but it does
not mean that it can contain a valid WebID URI in its subjectAltName,
nor a valid foaf card dereferenced by the URI -- and a matching
modulus/exponent pair in the card.

> >
> > Andrei
> >
> > On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
> >> A couple of questions:
> >>
> >> Is it possible for a trusted CA to assert that a certificate is tied to a WebID?
> >>
> >> Can we become notaries or CAs ourselves and sign each others certs?
> >>
> >> >
> >> >
> >> >
> >> >
> >>
> >
> >
> >

Received on Saturday, 30 April 2011 20:59:36 UTC