W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2011

RE: test and comment on FOAF+SSL material

From: Peter Williams <home_pw@msn.com>
Date: Wed, 26 Jan 2011 05:17:19 -0800
Message-ID: <SNT143-w5D24723FD33E0F32BD47F92FF0@phx.gbl>
To: <danbri@danbri.org>
CC: <public-xg-webid@w3.org>

PKCS#x is a series of semi-standards. One of them is about storing keys, certs and cert properties, being defined as a UNIX-era stream using ASN.1 types and associated value notations. The stream is stored by web convention in a file, of extension .pfx. Being a file, it can be referenced by an http URI and downloaded  by HTTP retaining (file) type information. If the file is downloaded using a web browser to a local file on a PC file store and then this store is referenced by a (IE) browser using a file: URI, the browser will load keys & associated certs into the key/cert container used by the browser. (Users may well be challenged to know a password.)  Once done, web sites requesting the browser's user participate in the webid protocol can induce the browser to show the user a client cert picker/dialog, enabling the user to self-assert a foaf card to the site (for the purposes of access control). The same website can automatically induce the browser to re-assert the same card without the display of the dialog - for some use cases.
 
to generate a .pfx file in IE, one "exports" the cert (and associated keys) using the relevant browser application's menu option&preferences. IE has Windows construct the relevant PKCS#x-conforming data stream, and the browser manufactures a local file container for the data stream. I believe Mozilla browser does something very similar, and uses the same stream definition (PKCS#x) for file import/export. Please, just name the file: <something>.pfx to promote the convention.
 
The art is now to make 5 really good demo .pfx files. Each of the 5 should lead a novice though a set of experiments that she can replicate, very easily. Each should characterize an important use case.
 
The 2 .pfx files I generated 12+ months ago were research-grade use cases and used research grade tooling.  They may not be good cases for teaching. 5 well-thought out uses cases and the associated .pfx file would allow the new user to try out the "ideal" use cases, learning about the distinctions being drawn in each use cases as she goes through the list replicating the trials using her browser.
 
The 2 .pfx file I referenced could be trials #4 and #5, "advanced". This group needs to decide if the uses cases that they demo are even conforming to the design concept. Are they something to be advocated to new users, even if valid? Arguably, what I was doing is too experimental. The experiments sought to link the 2 certs and 2 foaf cards, showcasing that 2 different foaf cards could be being referenced by 2 distinct webids (stored in 2 distinct certs), where the certs in each case and the cards similarly in each case shared a common RSA public key. This is not a classical use case. A futher experiment built into those trials showed something that might appeal to IETF WG PKIX however. Each of the cert correctly uses certificate policy fields, that are also URIs. The presence of these fields arms (in IE) a feature of the the browser's certificate display dialog: the so-called "issuer policy" button. Press the button, when armed, and a browser will navigate to the resource referenced by the policy URI, using the webid protocol is required.
 
Perhaps we each make a foaf card, store it on the web, reference its URI in the cert using our favorite tools, and then export the key/cert stream in PKCS#x file format, calling the resulting file demo<me>.pfx. 
 
Then publish the URL to the demo<me>.pfx file. As a group, we evaluate what each trial claims to demo as a use case. Those that pass muster can be  sequence into a teaching about ideal use cases, allowing the user to learn one use case at a time. In a trial of each use case, the user can actually replicate the experiment easily - while also seeing the end product of the webid protocol: use SSL to get authorization to access a remote web resource. To help teach, one webid-capable resource server should be exposing 5 access controlled resources reinforcing the use case of the particular lesson. Ideally, this would be W3C hosted in a research space, so the W3C brand carries some weight.
 
 
 
> Date: Wed, 26 Jan 2011 08:12:18 +0100
> Subject: Re: test and comment on FOAF+SSL material
> From: danbri@danbri.org
> To: home_pw@msn.com
> CC: public-xg-webid@w3.org
> 
> Looking up .pfx I get a wikipedia ref to
> http://en.wikipedia.org/wiki/PKCS ... are distinctions of version and
> name here important, or you just mean anything that'll store the info
> that the relevant user's browser can actually read?
> 
> Perhaps say 5 fictional users (whose keys/passwords etc are all a
> matter of public record) would be useful for testing and exploration.
> Perhaps avoiding the names 'Alice' & 'Bob'...
> 
> cheers,
> 
> Dan
 		 	   		  
Received on Wednesday, 26 January 2011 13:18:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 26 January 2011 13:18:14 GMT