
Re: WebID-ISSUE-33 (was [foaf-protocols] Webid Spec: Reference to the X.509 RFC 5280?)

From: Peter Williams <home_pw@msn.com>
Date: Tue, 15 Feb 2011 08:37:20 -0800
Message-ID: <BLU0-SMTP15213430FAD230D7036548892D30@phx.gbl>
CC: WebID XG <public-xg-webid@w3.org>
To: Stéphane Corlosquet <scorlosquet@gmail.com>
Pkix is about the pki interpretation of X.509. It's not the only interpretation. It's not even the only pki-centric profile of the standard.

Should webid require pki?
Should webid require pkix?

(2 different questions)

Can it use self-signed certs that are not pkix conforming?

Can pkix requiring sites using the webid protocol refuse to even process certs that are non conforming to pkix (e.g. missing this or that mandatory extension)? This is a minimum interworking type question. Today, browsers and servers work with both pkix and non pkix (and non pki) certs.



On Feb 15, 2011, at 7:35 AM, Stéphane Corlosquet <scorlosquet@gmail.com> wrote:

> 
> 
> ---------- Forwarded message ----------
> From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
> Date: Mon, Aug 16, 2010 at 7:16 AM
> Subject: Re: [foaf-protocols] Webid Spec: Reference to the X.509 RFC 5280?
> To: Akbar Hossain <akkiehossain@gmail.com>
> Cc: foaf-protocols@lists.foaf-project.org
> 
> 
> Hi,
> 
> The PKIX spec (RFC 5280) is based on X.509, so it does repeat some of
> the content of the X.509 spec and puts it into context (for a PKI).
> However, the permitted values for the SAN are in the X.509 Specification.
>    http://www.itu.int/rec/T-REC-X.509-200508-I/en
>    (section 8.3.2.1)
> 
> Regarding Webfinger/Fingerpoint, I'm not quite sure how widespread this
> is yet.
> 
> Best wishes,
> 
> Bruno.
> 
> On 13/08/2010 22:53, Akbar Hossain wrote:
> > Sorry -  I should have said why I was looking for it!
> >
> > I was reading thru http://tools.ietf.org/html/rfc5280#section-4.2.1.6
> >
> > Which I thought was the definition of the permitted values within the
> > Subject Alternative Name (SAN)
> >
> > I guess this is a possible reference too.
> >
> > http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
> >
> > I was thinking that a section of the spec could be structured as a
> > table with the permitted entries in SAN
> > and the possible ways to dereference the agent details.
> >
> > We don't need to (or can't) specify all but it would be easy to
> > visualise how other dereferencing schemes to discover the identifying
> > agent's profile could be added to the spec at a later stage if for
> > example against email we listed webfinger and fingerpoint for example.
> >
> > Just a thought.
> >
> > On Fri, Aug 13, 2010 at 9:55 PM, Bruno Harbulot
> > <Bruno.Harbulot@manchester.ac.uk> wrote:
> >>
> >>
> >> On 13/08/2010 20:53, Akbar Hossain wrote:
> >>> Hi,
> >>>
> >>> Minor suggestion. Perhaps we should add a link (reference) to the X.509 RFC.
> >>>
> >>> I think it is here. http://tools.ietf.org/html/rfc5280
> >>
> >> I'm not sure if we need to. This isn't the X.509 RFC but the PKIX RFC,
> >> which is exactly what we avoid to do. (The X.509 specification isn't an
> >> IETF RFC.)
> >>
> >> Best wishes,
> >>
> >> Bruno.
> >> _______________________________________________
> >> foaf-protocols mailing list
> >> foaf-protocols@lists.foaf-project.org
> >> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
> >>
> 
Received on Tuesday, 15 February 2011 16:38:15 UTC
