
certs for signed assertions. doing webid

From: peter williams <home_pw@msn.com>
Date: Wed, 30 Mar 2011 10:56:48 -0700
Message-ID: <SNT143-ds44F8E36012F08879E6B8C92BC0@phx.gbl>
To: <public-xg-webid@w3.org>

As a side effect of implementing a demo of the webid process outlined in the
spec, out fell another use case: the code that "validates a https client
cert" can also validate the cert attached to an incoming signed assertion
issued by ActiveDirectory Federation Service (or any other similar IDP).

Is this webid, though?

The code I wrote doesn't know or care (given the way the spec is written)
whether the cert under inspection is an SSL client cert or a cert
supporting a signed assertion posted to a website, due to an IDP/SP
ping/pong protocol run. Given a cert DER blob, it just calls uriburner to do
remote sparql, testing for the cert's pubkey in the foaf card identified
using the SAN field.

If this is webid, we should make sure it's clear to implementers that using
webid to validate a signed assertion's (self-signed) cert is an entirely
legitimate use case. 
Received on Wednesday, 30 March 2011 17:57:35 GMT
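
The lookup the message describes (SAN URI in, profile key compared with the cert's key), sketched as an added example that is not the poster's code. It treats the SAN as untrusted input, since a self-signed cert can carry any string there, and checks it before it is placed in a SPARQL query. Assumptions: the function names are hypothetical, the cert/rsa vocabulary terms are as recalled from the 2011 WebID drafts, and the caller has already confirmed possession of the private key (TLS handshake or assertion signature).

```python
import re
from urllib.parse import urlsplit

# Vocabulary terms as recalled from the 2011 WebID drafts (assumption, not from the post).
QUERY = """PREFIX cert: <http://www.w3.org/ns/auth/cert#>
PREFIX rsa: <http://www.w3.org/ns/auth/rsa#>
SELECT ?m ?e WHERE {
  ?key cert:identity <%s> ;
       rsa:modulus ?m ;
       rsa:public_exponent ?e .
}"""

# Characters the SPARQL grammar does not allow inside an <IRI> reference.
_IRI_FORBIDDEN = re.compile(r'[\x00-\x20<>"{}|^`\\]')


def build_key_query(san_uri: str) -> str:
    """Return the key-lookup query for a SAN URI taken from an untrusted cert."""
    if _IRI_FORBIDDEN.search(san_uri):
        raise ValueError("SAN URI contains characters not valid in an IRI")
    parts = urlsplit(san_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("SAN URI must be an absolute http(s) URI")
    return QUERY % san_uri


def normalize_modulus(text: str) -> int:
    """Parse a hex modulus as published in a profile (spaces, colons, any case)."""
    digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("modulus is not hexadecimal")
    return int(digits, 16)


def key_in_profile(cert_modulus: int, cert_exponent: int, rows) -> bool:
    """True if any (modulus, exponent) row from the profile equals the cert's key."""
    for m, e in rows:
        try:
            if normalize_modulus(m) == cert_modulus and int(e) == cert_exponent:
                return True
        except ValueError:
            continue  # malformed profile entry: skip it, never match on it
    return False


# Constructed sample rows (toy-sized modulus), shaped like the query's ?m ?e results.
SAMPLE_ROWS = [("zz", "65537"), ("00:C3 5a\n9F", "65537")]
```

The same check runs unchanged whether the key came from a TLS client cert or from the cert attached to a signed assertion; only the proof-of-possession step before it differs.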
