
RE: Another Translator for RDF

From: Peter Williams <home_pw@msn.com>
Date: Sat, 31 Dec 2011 10:14:38 -0800
Message-ID: <SNT143-W6199DA92B11FEC2D6853092930@phx.gbl>
To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>


Identifier equivalence has been asserted in a signed claim via the use
of multiple URIs in a cert's SAN. The effect here is that we have
synonyms, so the public key associated with URI-B is now also a relation
with URI-A. The fact that we can't make a union of all the data that one
could de-reference via URI-A and URI-B doesn't matter re. this kind of
equivalence and the resulting assurance.

-------

OK. We are now starting to sound like professional security engineers working in an established language game (not web heads, or academics making new language games for research purposes).

We will (next month) need to go further than equivalencies, evaluated during validation at the time of _original_ assertion.

What we learned over 20 years of doing CA and PKI was the importance of validation, vs. assertion.

The reason Authenticode works at huge scale, and over decade time, is because they used a 2-timeframe validation model. The signed acknowledgement (by a validator) when ACCOMPANYING an assertion is what matters. When a WebID validation agent says "yes", this is the (semantic) signature that matters, not just the one made by the subscriber.

That's getting abstract, so here is the example:

You get a cert. You sign an .exe. As author and original publisher, you have an initial validator verify the signature on the .exe, and the cert, and the CA MUST confirm (by new signature) that the cert is a valid binding to the author/publisher, AT THE TIME of original publication. Said timestamp of original validity (back then) is attached to the .exe, along with the original signature and original cert.

Now the code validator 10 years later can leverage what the first validator did, 10 years earlier, to RE-assert the validity of the .exe (still working and being tested 10 years hence, long after the cert has become invalid due to temporal expiry).
Received on Saturday, 31 December 2011 18:15:12 GMT
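The two-timeframe model described in the reply above, as an added Go example that is not part of this thread nor of any Authenticode or WebID implementation: an author signs an artifact under a short-lived code-signing cert, a validator countersigns the author's signature together with the time after checking it, and a verifier ten years later accepts the artifact only through that countersignature, because it checks the author's cert against the timestamp instant instead of the current clock. The toy certificate format, the single shared CA, the validity windows and the executable bytes are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert is a toy certificate (assumption): a public key bound to a subject and
// a validity window, signed by a CA. Real X.509 carries far more than this.
type Cert struct {
	Subject   string
	PubKey    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	CASig     []byte // CA signature over certTBS(...)
}

func u64(v uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, v); return b }

// certTBS is the to-be-signed encoding of a toy cert.
func certTBS(subject string, pub ed25519.PublicKey, nb, na time.Time) []byte {
	buf := append([]byte(subject), pub...)
	buf = append(buf, u64(uint64(nb.Unix()))...)
	return append(buf, u64(uint64(na.Unix()))...)
}

// CA is the single toy issuer used for both the author and the validator.
type CA struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCA(name string) *CA { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &CA{name, priv, pub} }

func (ca *CA) Issue(subject string, pub ed25519.PublicKey, nb, na time.Time) Cert {
	return Cert{subject, pub, nb, na, ed25519.Sign(ca.priv, certTBS(subject, pub, nb, na))}
}

// checkCert verifies the CA binding and that the cert was valid at instant `at`.
// `at` is the whole point of the model: it is NOT always "now".
func checkCert(c Cert, caPub ed25519.PublicKey, at time.Time) error {
	if !ed25519.Verify(caPub, certTBS(c.Subject, c.PubKey, c.NotBefore, c.NotAfter), c.CASig) {
		return errors.New("cert: bad CA signature")
	}
	if at.Before(c.NotBefore) || at.After(c.NotAfter) {
		return fmt.Errorf("cert %q not valid at %s", c.Subject, at.Format("2006-01-02"))
	}
	return nil
}

// Timestamp is the validator's signed acknowledgement: "at At I verified this
// signature". It is signed over the author's signature bytes and the time.
type Timestamp struct {
	At   time.Time
	Cert Cert
	Sig  []byte
}

func tsTBS(sig []byte, at time.Time) []byte { return append(append([]byte{}, sig...), u64(uint64(at.Unix()))...) }

// SignedExe is the author's assertion, optionally carrying the countersignature.
type SignedExe struct {
	Hash  [32]byte
	Cert  Cert
	Sig   []byte
	Stamp *Timestamp
}

func publish(exe []byte, authorPriv ed25519.PrivateKey, authorCert Cert) SignedExe {
	h := sha256.Sum256(exe)
	return SignedExe{Hash: h, Cert: authorCert, Sig: ed25519.Sign(authorPriv, h[:])}
}

// verifyAssertion checks the author's cert as of `at` and the author's signature.
func verifyAssertion(s *SignedExe, caPub ed25519.PublicKey, at time.Time) error {
	if err := checkCert(s.Cert, caPub, at); err != nil {
		return err
	}
	if !ed25519.Verify(s.Cert.PubKey, s.Hash[:], s.Sig) {
		return errors.New("author signature invalid")
	}
	return nil
}

// countersign is the first timeframe: validate the assertion now, and only on
// success sign a record of that verdict together with the time.
func countersign(s *SignedExe, caPub ed25519.PublicKey, vPriv ed25519.PrivateKey, vCert Cert, now time.Time) error {
	if err := verifyAssertion(s, caPub, now); err != nil {
		return err
	}
	s.Stamp = &Timestamp{At: now, Cert: vCert, Sig: ed25519.Sign(vPriv, tsTBS(s.Sig, now))}
	return nil
}

// validate is the second timeframe. Without a countersignature the author's
// cert must be valid now. With one, the validator's cert must be valid now,
// the countersignature must verify, and the author's cert need only have been
// valid at Stamp.At, the instant the first validator vouched for.
func validate(exe []byte, s SignedExe, caPub ed25519.PublicKey, now time.Time) error {
	if sha256.Sum256(exe) != s.Hash {
		return errors.New("artifact hash mismatch")
	}
	if s.Stamp == nil {
		return verifyAssertion(&s, caPub, now)
	}
	if err := checkCert(s.Stamp.Cert, caPub, now); err != nil {
		return fmt.Errorf("validator %w", err)
	}
	if !ed25519.Verify(s.Stamp.Cert.PubKey, tsTBS(s.Sig, s.Stamp.At), s.Stamp.Sig) {
		return errors.New("countersignature invalid")
	}
	return verifyAssertion(&s, caPub, s.Stamp.At)
}

// Outcome holds the verdicts of the three constructed scenarios.
type Outcome struct{ WithStamp, WithoutStamp, Tampered error }

// Scenario: publish in 2011 under a one-year cert, countersign, then validate
// ten years later with the countersignature, without it, and on a tampered file.
func Scenario() Outcome {
	ca := NewCA("toy-ca")
	t0 := time.Date(2011, 12, 31, 0, 0, 0, 0, time.UTC)
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	authorCert := ca.Issue("author", authorPub, t0.AddDate(0, 0, -1), t0.AddDate(1, 0, 0))
	vPub, vPriv, _ := ed25519.GenerateKey(rand.Reader)
	vCert := ca.Issue("validator", vPub, t0.AddDate(0, 0, -1), t0.AddDate(20, 0, 0))

	exe := []byte("MZ... constructed stand-in for an executable")
	signed := publish(exe, authorPriv, authorCert)
	if err := countersign(&signed, ca.Pub, vPriv, vCert, t0); err != nil {
		panic(err)
	}
	later := t0.AddDate(10, 0, 0)
	plain := signed
	plain.Stamp = nil
	return Outcome{
		WithStamp:    validate(exe, signed, ca.Pub, later),
		WithoutStamp: validate(exe, plain, ca.Pub, later),
		Tampered:     validate(append([]byte{}, append(exe, '!')...), signed, ca.Pub, later),
	}
}

func main() {
	o := Scenario()
	fmt.Println("with countersignature:   ", o.WithStamp)
	fmt.Println("without countersignature:", o.WithoutStamp)
	fmt.Println("tampered artifact:       ", o.Tampered)
}
```

The check that matters is the last three tests in `validate`: the verifier trusts the validator's signature as of now and, through it, the author's signature as of the timestamp. Real Authenticode does the same thing with a timestamp countersignature; the toy only makes the two clocks explicit.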