
RE: PKI signing of certs with SAN URIs : NVSI : openid domain procedures

From: peter williams <home_pw@msn.com>
Date: Sat, 30 Apr 2011 16:01:05 -0700
Message-ID: <SNT143-ds17BD7235F3EBDACB98E542929D0@phx.gbl>
To: "'Andrei Sambra'" <andrei@fcns.eu>, "'Melvin Carvalho'" <melvincarvalho@gmail.com>
CC: "'WebID Incubator Group WG'" <public-xg-webid@w3.org>

I think the formulation below is good.

One has to confirm webid validation using the process, as specified.

Anything else is "extra evidence". It's up to relying parties to care about it (and require it).

Since a true webid validation will just ignore a cert chain (because a CONFORMING implementation WILL NOT insist the client is self-signed), both worlds cooperate.

80% of the world can do webid. 20% can overlay PKI, probably for fancy transactions like talking to e-Gov IDPs, etc. They may even require national ID cards. But it's an opt-in, by the relying party.

Typically, RPs do as little as possible. So, create a world in which 80% of what they need to do happens fine, using webid.
-----Original Message-----

It all comes down to what you are trying to verify. Do you want to check the validity of the certificate or the validity of the WebID? 

For example: a certificate could be issued by a trusted CA, but that does not mean that it contains a valid WebID URI in its subjectAltName, nor a valid foaf card dereferenced by the URI -- with a matching modulus/exponent pair in the card.

Received on Saturday, 30 April 2011 23:01:33 UTC
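The two checks the thread keeps apart (WebID validation, which ignores the issuer chain, versus an optional PKI chain check the relying party may layer on top) as a worked example. This is added illustration code, not code from the WebID incubator group or from either poster. Assumptions: the WebID URI https://example.org/alice#me is constructed; the FOAF card is represented by a constructed in-memory map standing in for "dereference the SAN URI and parse the RDF", with the modulus as lowercase hex and the exponent as an integer in the style of the cert ontology; the CA, keys and certificates are generated on the fly with the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// PublishedKey is one RSA key listed in a dereferenced WebID profile:
// modulus as lowercase hex, exponent as an integer. Constructed stand-in
// for the parsed RDF card (assumption of this example).
type PublishedKey struct {
	ModulusHex string
	Exponent   int
}

// ProfileFetcher stands in for "dereference the SAN URI, parse the FOAF card".
type ProfileFetcher func(webid string) ([]PublishedKey, error)

// WebIDFromCert is the validation the thread describes: for every URI in
// subjectAltName, dereference it and accept the first whose card publishes
// this certificate's RSA modulus and exponent. The issuer chain is ignored,
// so a self-signed certificate is acceptable.
func WebIDFromCert(cert *x509.Certificate, fetch ProfileFetcher) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("webid: certificate key is not RSA")
	}
	if len(cert.URIs) == 0 {
		return "", errors.New("webid: no URI in subjectAltName")
	}
	modHex := hex.EncodeToString(pub.N.Bytes())
	for _, u := range cert.URIs {
		keys, err := fetch(u.String())
		if err != nil {
			continue // unreachable or unparsable card: try the next SAN URI
		}
		for _, k := range keys {
			if k.Exponent == pub.E && k.ModulusHex == modHex {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("webid: no SAN URI dereferences to a card listing this key")
}

// PKIOverlay is the relying party's optional "extra evidence": an ordinary
// chain check against roots the RP chose. It is not part of WebID validation.
func PKIOverlay(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// makeCert issues a certificate for pub; sanURI (if non-empty) goes into
// subjectAltName. parent == nil means self-signed, as browser-made WebID certs are.
func makeCert(sanURI string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: "WebID user"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.Subject.CommonName = "Example Trusted CA" // constructed CA name
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if sanURI != "" {
		u, err := url.Parse(sanURI)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoResult holds both cases from the thread, run on constructed keys and card.
type DemoResult struct {
	SelfSignedWebID  string // WebID validation passes on Alice's self-signed cert
	SelfSignedPKIErr error  // the PKI overlay rejects that same cert: expected, irrelevant to WebID
	CAIssuedPKIErr   error  // the PKI overlay accepts Mallory's CA-issued cert (nil)
	CAIssuedWebIDErr error  // WebID validation rejects it: Alice's card lists Alice's key, not Mallory's
}

func RunDemo() (DemoResult, error) {
	const webid = "https://example.org/alice#me" // constructed WebID
	var r DemoResult
	aliceKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	malloryKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	caKey, err3 := rsa.GenerateKey(rand.Reader, 2048)
	if err := errors.Join(err1, err2, err3); err != nil {
		return r, err
	}
	// Constructed stand-in for Alice's dereferenced FOAF card: it lists only her key.
	cards := map[string][]PublishedKey{webid: {{hex.EncodeToString(aliceKey.N.Bytes()), aliceKey.E}}}
	fetch := func(id string) ([]PublishedKey, error) {
		if keys, ok := cards[id]; ok {
			return keys, nil
		}
		return nil, fmt.Errorf("dereference %s: 404", id)
	}
	selfSigned, err1 := makeCert(webid, false, &aliceKey.PublicKey, nil, aliceKey)
	ca, err2 := makeCert("", true, &caKey.PublicKey, nil, caKey)
	if err := errors.Join(err1, err2); err != nil {
		return r, err
	}
	// Trusted CA vouches for Mallory's key but puts Alice's WebID in the SAN.
	caIssued, err := makeCert(webid, false, &malloryKey.PublicKey, ca, caKey)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	r.SelfSignedWebID, err = WebIDFromCert(selfSigned, fetch)
	if err != nil {
		return r, err
	}
	r.SelfSignedPKIErr = PKIOverlay(selfSigned, roots)
	r.CAIssuedPKIErr = PKIOverlay(caIssued, roots)
	_, r.CAIssuedWebIDErr = WebIDFromCert(caIssued, fetch)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the code makes is the one in the thread: a CA-issued certificate can pass the RP's PKI overlay and still fail WebID validation because the card it names does not list its key, while a self-signed certificate fails the overlay and passes WebID validation. Which of the two an RP requires is its own opt-in; a conforming WebID implementation only performs the second.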
