RE: Limit public keys and SAN entries? (was Re: Updated IdP to new spec.)

So do think about it, not functionally, but in "what is best" to get liftoff.

Remember the exams where you had to pick the "best option" (not the correct answer)? One was being forced to learn subjective reasoning, from cues in the question, turns of phrase, subtle hints? (the stuff of reality)

To confirm I'm not being manipulative, see http://tinyurl.com/88mhzat. Your comment made me add 5 lines of code I've been meaning to add for 2 years. But, at least I did it... now.

Compared to the type of programming work I did on certs 20 years ago (sheesh!), it's fun to see ASN1 built into dotNet. This is the way it was SUPPOSED to be done all along!

________________________________
> Date: Mon, 28 Nov 2011 21:05:06 -0500 
> From: scorlosquet@gmail.com 
> To: home_pw@msn.com 
> CC: andrei@fcns.eu; public-xg-webid@w3.org 
> Subject: Limit public keys and SAN entries? (was Re: Updated IdP to new 
> spec.) 
> 
> Hi Peter, 
> 
> On Mon, Nov 28, 2011 at 8:39 PM, Peter Williams 
> <home_pw@msn.com> wrote: 
> 
> 
> I vote we impose a limit of one, but that the text says... a future 
> version of the standard will very likely reconsider this limit, as user 
> experience is gained. 
> 
> I'm assuming you are talking about public keys of a given WebID 
> profile? That won't work for multi-browser support, unless you either manage 
> to generate certificates with the same pubkey in all your browsers, or 
> you use a separate WebID profile for each browser. 
> 
> 
> 
> Similarly, I vote that the hexbinary format of the modulus in a webid 
> profile should be required to be only lower-case hex digits (rather 
> than free form). 
> 
> 
> I'm tempted to suggest that only 1 URI be permitted in the cert too, 
> with similar language about the strong likelihood of this changing as 
> anticipated needs actually materialize. 
> 
> Have you considered the reasons for allowing multiple SANs? [1] (there 
> are more) What's your reasoning for limiting it to one? I recall you 
> had some limitation from your library? Surely that is not the only 
> reason I hope. 
> 
> Steph. 
> 
> [1] http://www.w3.org/2005/Incubator/webid/track/issues/1 
> 
> 
> 
> 
> ________________________________ 
> > Date: Tue, 29 Nov 2011 00:18:23 +0100 
> > From: andrei@fcns.eu 
> > To: public-xg-webid@w3.org 
> > Subject: Re: Updated IdP to new spec. 
> > 
> > Hi Kingsley, 
> > 
> > Yeah, it looks like I forgot to limit the test for the number of public 
> > keys a foaf profile can have. Maybe we can have a formal discussion on 
> > this subject. 
> > 
> > What would be a "best practice" in this case? 
> > 
> > How many keys can we have in a single profile, so that it will not look 
> > like a DoS attack? 
> > 
> > Andrei 
> > 
> > 
> > On 11/28/11 22:01, Kingsley Idehen wrote: 
> > Andrei, 
> > 
> > Output from testing a latest WebID from our generator [1][2] against 
> > your verifier. I notice you scan all six of the public key relations in 
> > my graph. What happens if there were more? Wouldn't your system 
> > timeout? Luckily I cleaned out the 30+ relations I had prior to this 
> > test. What about performing an explicit lookup? 
> > 
> > 
> > * Checking ownership of certificate (public key matches private 
> > key)... PASSED (Reason: GENEROUS) 
> > 
> > * Checking if certificate contains URIs in the subjectAltName 
> > field... PASSED 
> > 
> > * Found 1 URIs in the certificate (a maximum of 3 will be tested). 
> > 
> > * Checking URI 1 (http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)... 
> > - Trying to fetch and process certificate(s) from webid profile... 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... - FAILED 
> > WebID=f4990925e526be2.......a5c172d91fafa01 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... - FAILED 
> > WebID=c9cbdde371ea987.......c3d4e28dfe27423 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... - FAILED 
> > WebID=d633f04252a9b3f.......e719cb59227d8a7 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... - FAILED 
> > WebID=db0aec1b33f4909.......8ea627df06f60b3 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... - FAILED 
> > WebID=cd3ff1569dc66df.......e3ab848cfccd1e7 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Testing if the modulus representation matches the one in the 
> > webid (found a modulus value)... 
> > 
> > Testing modulus... PASSED 
> > WebID=994d0067dd21021.......ca1e663983345d3 
> > Cert =994d0067dd21021.......ca1e663983345d3 
> > 
> > Match found, ignoring futher tests! 
> > 
> > * Authentication successful! 
> > 
> > 
> > 
> > 
> > Your certificate contains the following WebIDs: 
> > 
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> > 
> > The WebID URI used to claim your identity is: 
> > 
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> > (your claim was SUCCESSFUL!) 
> > 
> > The WebID URL suffix (to be signed) for your service provider is: 
> > 
> > * ?webid=http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00 
> > 
> > Unless both of those strings map to the same number, your 
> > identification experience will vary across clients. 
> > 
> > 
> > 
> > 
> > Your certificate in PEM format: 
> > 
> > 
> > 
> > 
> > Your certificate in text format: 
> > 
> > Certificate: 
> > Data: 
> > Version: 3 (0x2) 
> > Serial Number: 176 (0xb0) 
> > Signature Algorithm: sha1WithRSAEncryption 
> > Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc, CN=id.myopenlink.net 
> > Validity 
> > Not Before: Nov 28 20:50:28 2011 GMT 
> > Not After : Nov 27 20:50:28 2012 GMT 
> > Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software (MyOpenLink IdP)/emailAddress=kidehen@openlinksw.com 
> > Subject Public Key Info: 
> > Public Key Algorithm: rsaEncryption 
> > RSA Public Key: (2048 bit) 
> > Modulus (2048 bit): 
> > 00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2: 
> > 0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0: 
> > 56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91: 
> > 1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f: 
> > 6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da: 
> > 8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33: 
> > 17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1: 
> > 3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed: 
> > c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be: 
> > 80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e: 
> > da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93: 
> > 98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98: 
> > f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7: 
> > 7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4: 
> > c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de: 
> > 7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52: 
> > c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33: 
> > 45:d3 
> > Exponent: 65537 (0x10001) 
> > X509v3 extensions: 
> > X509v3 Subject Key Identifier: 
> > 10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D 
> > X509v3 Subject Alternative Name: 
> > URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this 
> > Netscape Comment: 
> > Virtuoso Generated Certificate 
> > Signature Algorithm: sha1WithRSAEncryption 
> > 
> > 
> > -- 
> > 
> > Regards, 
> > 
> > Kingsley Idehen 
> > Founder & CEO 
> > OpenLink Software 
> > Company Web: http://www.openlinksw.com 
> > Personal Weblog: http://www.openlinksw.com/blog/~kidehen 
> > Twitter/Identi.ca handle: @kidehen 
> > Google+ Profile: https://plus.google.com/112399767740508618350/about 
> > LinkedIn Profile: http://www.linkedin.com/in/kidehen 
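An added example, not code from this thread or from any of the verifiers discussed in it: a Python check that normalises the hexbinary modulus found in a profile and the modulus printed for a certificate, so that differently spelled copies of the same number compare equal (the "both of those strings map to the same number" point above), and that examines at most a fixed number of profile keys (the "maximum of 3 will be tested" cap, addressing the many-keys timeout concern). The modulus values are constructed short samples, not real 2048-bit keys.

```python
import re

# Cap taken from the verifier output quoted above ("a maximum of 3 will be tested").
MAX_KEYS_TESTED = 3


def normalise_modulus(text: str) -> str:
    """Reduce a modulus spelled as hex (free-form, colon-separated, mixed case,
    with or without leading zero bytes) to canonical lower-case hex with no
    leading zeros, so two spellings of the same integer compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)  # drop ':', spaces, newlines
    if not digits:
        raise ValueError("no hex digits in modulus")
    return format(int(digits, 16), "x")


def find_matching_key(cert_modulus: str, profile_moduli, max_keys=MAX_KEYS_TESTED):
    """Return (index, tested) for the first profile modulus equal to the
    certificate's modulus, or (None, tested) if none matched.  At most
    max_keys entries are examined, so a profile carrying hundreds of keys
    cannot make the verifier do unbounded work."""
    target = normalise_modulus(cert_modulus)
    tested = 0
    for i, candidate in enumerate(profile_moduli[:max_keys]):
        tested += 1
        try:
            if normalise_modulus(candidate) == target:
                return i, tested
        except ValueError:
            continue  # malformed entry in the profile: skip it, keep going
    return None, tested


# Constructed sample values (hypothetical, far shorter than real moduli).
CERT_MODULUS = "00:99:4d:00:67:dd:21:02:19"  # openssl-style with leading 00 byte
PROFILE_MODULI = [
    "F4990925E526BE2",    # a different key, upper-case hexbinary
    "c9cbdde371ea987",    # another different key
    "994D0067DD21021 9",  # same number as CERT_MODULUS, different spelling
    "d633f04252a9b3f",    # beyond the cap, never examined
]

if __name__ == "__main__":
    index, tested = find_matching_key(CERT_MODULUS, PROFILE_MODULI)
    print(f"match at profile key {index} after testing {tested} key(s)")
```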

Received on Tuesday, 29 November 2011 05:11:49 UTC