Re: cert:fingerprint ?

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Tue, 22 Nov 2011 19:43:37 +0000
Cc: public-xg-webid@w3.org
Message-Id: <F0A9B3E9-0DBA-4EA1-8E0D-8E03591586DF@bbc.co.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 22 Nov 2011, at 19:24, Kingsley Idehen wrote:

> Please look at the footer section, you have a plethora of data representation formats at your disposal. I opted to share an HTML document :-)

Ah, brilliant, thanks! Displaying the URL somewhere would be pretty useful all the same, FWIW.

> You have to explore the TBox (ontology links). 

I did, and because I couldn't see anything, I read the RDF behind it, too. It may be non-obviously-linked, but as far as I could see there is no spec nor human-readable description of what the fingerprint is meant to contain according to your schema, except for its datatype (string), range (hex) and domain (a certificate). How can one verify or even generate a fingerprint when there's nothing that tells you what the rules are? It has to -come- from somewhere, right? It’s not self-describing or self-explanatory. A fingerprint which has no generation rules has, by definition, no use.

> Think a little different. It is about letting you use a tweet to publish claims associated with a verifiable identifier (aka. WebID). It also enables a simple tweet deletion to invalidate a certificate in a keystore/keychain e.g. when your PC, notebook, tablet, phone gets stolen.

Right… okay, that's a really horrid use of Twitter (I mean, technologically it's neat, but as a -user- it amounts to abuse of the medium and, more importantly, abuse of the people who follow me).

>> Your original point was "there's conflation between certs and keys going on", which I don't doubt — because everything which talks about 'fingerprints' tends to not specify *what* binary data is being hashed and how, but all of the real-world uses of fingerprints in their various guises seem to be key-oriented, not cert-oriented, even if they pretend otherwise by being attached to certificates and certificate-related things.
> 
> Yes, and be it public key components (modulus and exponent) or an entire certificate hash, the end game is use of "mirrored claims" and security tokens as a mechanism for verifying subjects.

You’re either missing or ignoring my point: as underdocumented as the properties may be, no uses of “fingerprint” in the real world appear to be “certificate hashes” — they’re all key hashes.

M.
-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Tuesday, 22 November 2011 19:44:13 GMT
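
The distinction argued over in this message, between hashing a whole certificate and hashing the key it carries, as an added example that is not part of the original message or of any WebID schema. It assumes SHA-256 as the hash and the DER SubjectPublicKeyInfo as the key encoding (both are choices a fingerprint definition would have to state); the toy RSA key and both certificate shells are constructed, with placeholder signatures.

```python
import hashlib

def tlv(tag, body):  # DER tag-length-value with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def alg(oid_hex):  # AlgorithmIdentifier with NULL parameters
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")

def read_tlv(buf, pos):
    """Return (body, next_pos) for the DER element starting at pos."""
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + first], pos + first

def make_cert(serial, not_before, not_after, spki):
    """Constructed v3 certificate shell; the signature is a zero placeholder."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example"))))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    sig_alg = alg("2a864886f70d01010b")  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + name + validity + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(32)))

def spki_of(cert_der):
    """Return the full DER SubjectPublicKeyInfo (assumes the [0] version field is present)."""
    tbs, _ = read_tlv(read_tlv(cert_der, 0)[0], 0)
    pos = 0
    for _ in range(6):  # version, serial, sigAlg, issuer, validity, subject
        pos = read_tlv(tbs, pos)[1]
    return tbs[pos:read_tlv(tbs, pos)[1]]

def fingerprints(cert_der):
    """(hash of whole certificate, hash of the key inside it), SHA-256 assumed."""
    return hashlib.sha256(cert_der).hexdigest(), hashlib.sha256(spki_of(cert_der)).hexdigest()

# Constructed toy RSA public key, reused in two constructed certificates (a "renewal").
SPKI = tlv(0x30, alg("2a864886f70d010101")  # rsaEncryption
           + tlv(0x03, b"\x00" + tlv(0x30, der_int((2**127 - 1) * (2**89 - 1)) + der_int(65537))))
CERT_A = make_cert(1, b"111122000000Z", b"121122000000Z", SPKI)
CERT_B = make_cert(2, b"121122000000Z", b"131122000000Z", SPKI)
for c in (CERT_A, CERT_B):
    print("cert=%s key=%s" % fingerprints(c))
```

The two certificates print different certificate hashes and the same key hash, so a verifier that is not told which input was hashed cannot reproduce a published fingerprint.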