
Re: include private keys Re: rsa ontology in cert namespace

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 23 Nov 2011 21:11:55 +0100
Cc: Peter Williams <home_pw@msn.com>, public-xg-webid@w3.org
Message-Id: <D492D084-3852-4663-9023-B91964DCBE64@bblfish.net>
To: Mo McRoberts <mo.mcroberts@bbc.co.uk>

On 23 Nov 2011, at 20:31, Mo McRoberts wrote:

> 
> On 23 Nov 2011, at 19:05, Henry Story wrote:
> 
>> 
>> On 23 Nov 2011, at 20:00, Mo McRoberts wrote:
>> 
>>> 
>>> On 23 Nov 2011, at 18:42, Peter Williams wrote:
>>> 
>>>> 
>>>> Stop calling it a "cert" ontology too, since it has precious little to do with certificates - as anyone understands the term. The bindings are not signed, and in RDF land show no sign of being signed in the next decade. 
>>> 
>>> +1
>>> 
>>> People have enough trouble understanding the difference between certificates and keys as it is.
>> 
>> Mh it's a cert ontology because 
>> - we will be able to use it to describe certificates.
> 
> Okay… is the plan to, over time, add the properties and classes which allow description of an entire certificate?
> 
> _:cert a cert:Certificate ;
>    cert:subject "CN=example.com,C=GB"^^cert:DistinguishedName ;
>    cert:issuer "CN=Joe Bloggs,O=Widgets PTY,C=AU"^^cert:DistinguishedName ;
>    cert:notBefore "2010-01-05T00:00:00Z"^^xsd:dateTime ;
>    cert:notAfter "2012-01-04T23:59:59Z"^^xsd:dateTime ;
>    cert:subjectKey _:key ;
>    cert:extension _:basicConstraints ;
>    cert:extension _:subjectAltName .
> 
> _:key a cert:rsaPublicKey ;
>    ... .
> 
> _:basicConstraints a cert:Extension ;
>    cert:extension <oid:2.5.29.19> ;
>    ext:CA "false"^^xsd:boolean .
> 
> _:subjectAltName a cert:Extension ;
>    cert:extension <oid:2.5.29.17> ;
>    ext:URI <http://example.com/me#id> ;
>    ext:IP "169.254.0.1" .
> 
> ?

Yes, I was thinking along those lines initially. If you look at the ontology you'll see it has PGP and X509 classes. 

Then I realised that the WebID Profile itself was structured very much like a certificate. The only thing is that it is not signed. 
But say we put the WebID profile at the same location as an X509 .pem file, would the rdfa html not be a partial representation of the X509?

In any case it is not that difficult to sign rdf: you just put a signature file outside the file, and link from the file.  If you sign the representation then it's completely feasible to do that. The issue is just that you have to not be changing the representation all the time.
But all that gets complicated. 

You could also say that the cert ontology is where you can certify who you are by tying yourself to your public key, which you do use to sign the certificate. You can also sign things with your private key, and then other people can certify that it is you who signed them by looking at your public key...

> 
> [I won't get into the thorny issue of comparison between RDF graphs and canonical DER form, comparing signatures, etc., etc...]

Yes.

> 
> M.
> 
> -- 
> Mo McRoberts - Technical Lead - The Space,
> 0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
> Project Office: Room 7083, BBC Television Centre, London W12 7RJ

Social Web Architect
http://bblfish.net/
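An added example, not code from this thread or from the cert ontology itself: a Go program that builds a self-signed X.509 certificate carrying the fields in Mo's sketch (constructed test data, not a real example.com certificate), re-parses it and emits Turtle in the sketched shape, then signs the emitted bytes as a detached signature in the way Henry describes and shows that merely re-indenting the same graph invalidates that signature. The `cert:modulus` and `cert:exponent` predicate names, the `ext:` prefix and the `oid:` IRI scheme are taken or extrapolated from the sketch and are assumptions here, not terms of the published ontology; because the certificate is self-signed, issuer equals subject rather than the separate CA in the sketch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// BuildExampleCert constructs a self-signed certificate with the fields from the
// Turtle sketch in the thread. Constructed test data: issuer == subject here.
func BuildExampleCert() (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.com", Country: []string{"GB"}},
		NotBefore:             time.Date(2010, 1, 5, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2012, 1, 4, 23, 59, 59, 0, time.UTC),
		BasicConstraintsValid: true, // emits extension 2.5.29.19 with CA=false
		IsCA:                  false,
		URIs:                  []*url.URL{{Scheme: "http", Host: "example.com", Path: "/me", Fragment: "id"}},
		IPAddresses:           []net.IP{net.IPv4(169, 254, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so we describe what was actually encoded
	return cert, priv, err
}

// CertToTurtle renders a parsed certificate in the shape of the sketch.
// cert:modulus, cert:exponent, the ext: prefix and oid: IRIs are assumed names.
func CertToTurtle(c *x509.Certificate) string {
	var b strings.Builder
	hasSAN := len(c.URIs)+len(c.IPAddresses) > 0
	fmt.Fprintf(&b, "_:cert a cert:Certificate ;\n")
	fmt.Fprintf(&b, "   cert:subject %q^^cert:DistinguishedName ;\n", c.Subject.String())
	fmt.Fprintf(&b, "   cert:issuer %q^^cert:DistinguishedName ;\n", c.Issuer.String())
	fmt.Fprintf(&b, "   cert:notBefore %q^^xsd:dateTime ;\n", c.NotBefore.UTC().Format(time.RFC3339))
	fmt.Fprintf(&b, "   cert:notAfter %q^^xsd:dateTime ;\n", c.NotAfter.UTC().Format(time.RFC3339))
	fmt.Fprintf(&b, "   cert:subjectKey _:key")
	if c.BasicConstraintsValid {
		fmt.Fprintf(&b, " ;\n   cert:extension _:basicConstraints")
	}
	if hasSAN {
		fmt.Fprintf(&b, " ;\n   cert:extension _:subjectAltName")
	}
	fmt.Fprintf(&b, " .\n\n")
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		fmt.Fprintf(&b, "_:key a cert:rsaPublicKey ;\n")
		fmt.Fprintf(&b, "   cert:modulus \"%x\"^^xsd:hexBinary ;\n", pub.N)
		fmt.Fprintf(&b, "   cert:exponent %d .\n\n", pub.E)
	}
	if c.BasicConstraintsValid {
		fmt.Fprintf(&b, "_:basicConstraints a cert:Extension ;\n")
		fmt.Fprintf(&b, "   cert:extension <oid:2.5.29.19> ;\n")
		fmt.Fprintf(&b, "   ext:CA \"%t\"^^xsd:boolean .\n\n", c.IsCA)
	}
	if hasSAN {
		fmt.Fprintf(&b, "_:subjectAltName a cert:Extension ;\n")
		fmt.Fprintf(&b, "   cert:extension <oid:2.5.29.17>")
		for _, u := range c.URIs {
			fmt.Fprintf(&b, " ;\n   ext:URI <%s>", u.String())
		}
		for _, ip := range c.IPAddresses {
			fmt.Fprintf(&b, " ;\n   ext:IP %q", ip.String())
		}
		fmt.Fprintf(&b, " .\n")
	}
	return b.String()
}

// SignRepresentation is the detached signature from the thread: it covers the
// exact bytes served for the document and is published in a file beside it.
func SignRepresentation(priv *rsa.PrivateKey, repr []byte) ([]byte, error) {
	digest := sha256.Sum256(repr)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyRepresentation checks the detached signature against the bytes fetched.
func VerifyRepresentation(pub *rsa.PublicKey, repr, sig []byte) bool {
	digest := sha256.Sum256(repr)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	cert, priv, err := BuildExampleCert()
	if err != nil {
		panic(err)
	}
	turtle := CertToTurtle(cert)
	fmt.Print(turtle)
	sig, err := SignRepresentation(priv, []byte(turtle))
	if err != nil {
		panic(err)
	}
	fmt.Println("served bytes verify:", VerifyRepresentation(&priv.PublicKey, []byte(turtle), sig))
	// Same graph, re-indented with tabs: a different representation, so a
	// signature over bytes fails. That is why the served representation must
	// stay stable (or be canonicalised) if the detached signature is to hold.
	reindented := strings.ReplaceAll(turtle, "   ", "\t")
	fmt.Println("re-indented bytes verify:", VerifyRepresentation(&priv.PublicKey, []byte(reindented), sig))
}
```

The second verification failing is the practical side of Mo's "thorny issue": a signature over the serialised bytes is only as stable as the serialisation, and anything that re-emits the graph (a different Turtle writer, a template change, reordered triples) breaks it. Signing a canonical form instead requires a canonicalisation that also handles blank-node labelling, which this example deliberately does not attempt.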
Received on Wednesday, 23 November 2011 20:12:28 GMT
