
Re: WebID-ISSUE-15: Native browser-based WebID-only certificate display

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 31 Jan 2011 19:30:42 +0100
Message-Id: <7E56BAEA-B481-44EA-822E-943C4294FF8E@bblfish.net>
To: WebID Incubator Group WG <public-xg-webid@w3.org>
This is the type of issue that is a real standardisation issue that will be
complex to solve correctly, that will need security experts, and a wider
discussion by interested parties to help find the right solution. With foaf+ssl
it was not worth going into details to solve this other than theoretically.

Assuming the solution of giving WebID enabled X509 certificates a particular
Issuer DN, so that servers can request certificates that are WebID enabled - 
just settling on a correct name requires us to have a spec and a process 
whereby such a decision can get the agreement of the widest number of
participants.

Henry Story


On 31 Jan 2011, at 17:54, Stéphane Corlosquet wrote:

> ---------- Forwarded message ----------
> From: Henry Story <henry.story@bblfish.net>
> Date: Tue, Sep 7, 2010 at 4:04 PM
> Subject: [foaf-protocols] Selective presentation of WebID-only certificates
> To: foaf-protocols@lists.foaf-project.org
> 
> 
> Manu Sporny logged this issue here:
> 
>   http://github.com/msporny/webid-spec/issues#issue/3
> 
> Bruno Harbulot brought this up in April 2009
> 
>   http://lists.foaf-project.org/pipermail/foaf-protocols/2009-April/000450.html
> 
> It came up again a few times such as in this thread
> 
>   http://foaf.markmail.org/thread/b2nfaspp3uqb5usz
> 
> The issues, I think, are
> 
>  1. to check what the browser behavior really is
>  2. to make sure the semantics of doing this is ok (I think it is)
>  3. what would the name of this Cert Authority be
>     Currently I have used the DN of
>   "O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority";
>      but we would need to agree on this.
> 
>  I was thinking we should wait until we have a very formal process to decide on this, because we want as many people to be happy with it as possible - or else we would be in danger of not asking people with valid certificates for certificates, just because they decided to choose another DN.
> 
>  So the issue is also in part to understand how bad the issue of multiple certs is.  The advantage is that we could tie the DN to major spec version numbers, ....
> 
>   Anyway this is a complex issue. It seems there is a solution to it, so it's just a matter of working out the details.
> 
>        Henry
> 
> Social Web Architect
> http://bblfish.net/
> 
> On Mon, Jan 31, 2011 at 11:50 AM, WebID Incubator Group Issue Tracker <sysbot+tracker@w3.org> wrote:
> 
> WebID-ISSUE-15: Native browser-based WebID-only certificate display
> 
> http://www.w3.org/2005/Incubator/webid/track/issues/15
> 
> Raised by: Stéphane Corlosquet
> On product:
> 
> Issue raised by Manu Sporny at https://github.com/webid-community/webid-spec/issues#issue/3
> 
> When connecting to a WebID capable website, we need to understand how to display purely WebID-only certificates. This is an issue in corporate and university environments where client-side certificates are provided that could be selected when logging into WebID websites.
> 
> The usability concern is that people might select the wrong certificate when connecting with a service, or that they don't have a WebID certificate, but are given the certificate selection prompt anyway (which would be very confusing to someone that doesn't know about certificates).
> 
> We need to understand if there is a way to specify that only WebID certificates are requested on a WebID-capable website. If there is a way to do this, we need to settle on a naming convention or certificate authority name/chain that makes this possible.
> 

Social Web Architect
http://bblfish.net/
Received on Monday, 31 January 2011 18:31:19 GMT
