W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2011

WebID-ISSUE-1: Multiple URI entries in the SAN extension

From: Stéphane Corlosquet <scorlosquet@gmail.com>
Date: Mon, 31 Jan 2011 11:36:22 -0500
Message-ID: <AANLkTi=gHT_E1NSc++2jD7iGdbiOqGhFN1h9XorNUzOS@mail.gmail.com>
To: WebID XG <public-xg-webid@w3.org>
---------- Forwarded message ----------
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, Aug 14, 2010 at 11:22 AM
Subject: Re: [foaf-protocols] Multiple URIs in SAN extension
To: Stéphane Corlosquet <scorlosquet@gmail.com>
Cc: foaf-protocols@lists.foaf-project.org




On 5 August 2010 18:55, Stéphane Corlosquet <scorlosquet@gmail.com> wrote:

> Hi,
>
> The WebID spec does not currently cover the case where there are more than
> one SAN URI entry in the same certificate. Do we have scenario where this
> would be useful?
>
> In a typical WebID authentication workflow, if your WebID provider is down
> for some reason, then you cannot authenticate with your WebID (leaving aside
> the particular cases of caching and trusted data sources). If your
> certificate contained another WebID URI, the Verification Agent could then
> dereference this other WebID URI to attempt authentication (provided the
> same public key was published at the second WebID Profile Document as well).
> The problem though is to know what your WebID URI is once you've
> authenticated via an alternate WebID URI. Should the Verification Agent
> trust that you are WebID URI #1 when the authentication sequence via WebID
> URI #1 didn't work and only WebID URI #2 worked? Clearly no, unless you can
> prove that you also own WebID URI #1 by having logged in via this URI in the
> past (in which case the Verification Agent would merge the two identities).
> Is this a good use case to justify the use of multiple WebID URIs in the
> same certificate? It would be equivalent to having to separate certificates,
> but the great advantage is that from user point of view you just have to
> choose one identity, however many WebID URIs you have associated with this
> identity (and you're pretty much sure at least one of your providers/servers
> will be up).
>
> <side-note>This raises a related issue. If we expect WebID to take off and
> to be easy to publish your own WebID, there ought to be ways to work around
> the fact the servers go down, that's one reason why there are so few OpenID
> providers and they are all big players providing decent QoS. In the case of
> WebID, even if you choose the best software implementation you can find on
> the market, you're still dependent on your hosting provider. WebID
> provisioning should work on cheap hosting to be truly decentralized avoid
> the same centralization OpenID has.</side-node>
>
> Do we have other scenario where it is useful to have multiple URIs? There
> might be cases where a URI entry of the SAN extension is not meant to be a
> WebID (think other protocols sticking a URI in a certificate like we do).
> This might be fine and play nicely with the above scenario as long as the
> Verification Agent tries the authentication sequence with each URI entry
> until it finds a matching public key in whatever document each URI
> dereferences to.
>
> I believe the jabber folks were thinking about adding an entry for JID.
email+webfinger seems to be gaining some traction, tho im not sure if that's
yet able to store a public key, and you may not wish to disclose your email
address.


>
> thoughts? controversial opinions?
>
> Steph.
>
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols@lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>
Received on Monday, 31 January 2011 16:39:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 31 January 2011 16:40:55 GMT