
RE: WebID equivalence

From: Peter Williams <home_pw@msn.com>
Date: Tue, 3 Jan 2012 13:03:37 -0800
Message-ID: <SNT143-W428A4663FCF6EE5D67691792960@phx.gbl>
To: <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>


Putting a URI (string) in a CN is essentially the same as putting a domain-name (string) in the CN. I.e. it's not just a printable label. But some bit of software MAY decide to treat it as a value-syntax (and not a label). This is the unique property of CN (that is not true of OU=). In one community, they applied it to SSL security enforcement. I think it's called browsers. In Windows, you have to turn off the property that objects to a failed match between the CN (or other sources of domain names in certs) when showing web pages citing a particular authority field in the URI. In virtual hosting, where sites have 10,000 certs for tenants, there are other rules. These involve having a match rule embedded in the CN (or other locations, in more professionally engineered profiles that came later). They can even involve engineering new fields in the Client Hello (as Nathan once used). But stuffing a wildcard expression into a CN field for servers was all Netscape could do "in the time". And it took no effort (and very little code). Of course, it caused endless problems, but that is not how the web was built. The point is, it is NOT always a label - countering your point.

You tend to be super-perceptive on web logic (but then act somewhat amateurishly on the logic and formalism of certs). While I'm supportive (I've always dumbed certs down, to make them "have appeal"), recognize that times have changed. Certs are mainstream, and critical infrastructure at this point. In Windows, the new owner of the http://www.valicert.com/ CN'd subject name'd root does/did not own the valicert domain name in the CN (and was not licensed to cite it, to a billion web consumers, intentionally). Windows has the concept of a friendly name. This is what is shown (or can be done so, in retail builds). That is, it's not even names from within the signed cert that may guide the UI the user sees.

It's in fact a property ABOUT the cert that "augments" the cert root display, so folks could buy and sell root keys (with "now" broken naming, stuck to be incorrect for 25 years ... due to the lifetime of the certs). In some cases, Microsoft had the new owner of the root key mint a new self-signed cert, and they used Windows Update to distribute the replacement to a few billion nodes. They typically keep the signed names the same, but they change the friendly name in the WINDOWS CERT STORE HOSTED properties that guide the actual UI (so it says Starcom industries, or something). Real world naming is fun. It starts crap, gets crappier, and features endless workarounds once some good idea takes off at huge scale - and the poor original thought gets in the way (as with virtual hosting CNs for namespaces). But you know this. It's the web, as normal. With certs, I've taught you what commercial folks worry about, which may impact WebID as it appeals beyond folks doing R&D. Perhaps you can do better, or at least stay up and consistent with the rest of the cert community.

> Subject: Re: WebID equivalence
> From: henry.story@bblfish.net
> Date: Tue, 3 Jan 2012 21:16:15 +0100
> CC: public-xg-webid@w3.org
> To: home_pw@msn.com
> 
> 
> On 3 Jan 2012, at 18:32, Peter Williams wrote:
> 
> > 
> > henry is not correct about CNs.
> > 
> > 
> > 
> > CNs are unique in that their type is defined locally. That is its definition. If one makes it a URI, it's a URI.
> 
> 
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa366101(v=vs.85).aspx
> 
> They give the following examples
> 
> DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
> 
> Is Jeff Smith globally unique? Ah no, it's locally unique inside the company Fabrikam. Oh, but then it's not a URI.
> 
> What has this got to do with the discussion btw? Is there something magical you can do by putting your URI in the CN? Probably not. So why bother? 
> 
> > 
> > 
> > 
> > One is perfectly entitled to do what folks do in plaintext email, on detecting a string with a URI syntax (make it clickable).
> 
> The distinction is the same as if someone wrote 
> 
> 	<a href="http://fabrikam.com/jeff">Jeff Smith</a>. 
> 
> "Jeff Smith" above is not a URI. Could you write
> 
> 	 <a href="http://fabrikam.com/jeff">fabrikam.com/jeff</a>
> 
> Yes. Would it be user-friendly? In most cases no. Go check CNN.com or any major consumer web site and see how rarely that is done. Is fabrikam.com/jeff a URI? No, it needs to be started by http:// if it were even to have the syntax of a URI.
> 
> Is the string inside anchor below a URI?
> 
> 	 <a href="http://fabrikam.com/jeff">http://fabrikam.com/jeff</a>
> 
> Not really either. It is a string that looks like a URI. And no browser will treat it as a URI. You have to distinguish between URI-looking strings and URIs.
> 
> 
> > 
> > 
> > 
> > Is the policy qualifier extension parameters type a URI? If you look at the Microsoft cert display UI (see Issue button), it interprets said field as a URI. Click it, and up pops a web page (or actually any resource, as identified by the scheme and path, as usual)
> 
> Click what? the CN or the DN? Click
> 
>    <a href="http://fabrikam.com/jeff">Jeff Smith</a>. 
> 
> And you will end up on http://fabrikam.com/jeff but that is not because "Jeff Smith" is a URI!
> 
> > 
> > Peter is not 100% correct that CNs are unique in that feature. X.500 allows one to define one's own tags, and one can define one's own (with the CN properties). It's just that no one else knows about it, typically. CNs are used BECAUSE they are infinitely flexible. That's why folks gravitate towards using them (being "right" for operational modalities).
> > 
> > 
> > If you look in the Microsoft trust list (that by default cues on the first CN in the list (in most significant order)), there is one set of root keys that have (displayed) CNs with URIs. They stand out when you look through the list. The rest indicate some kind of "official" name of the firm. In one case, the official name of the firm was the URI (cast as a string, I suppose). That's because, in Scotland, one's official name is what one says it is. It's a free society (for naming).
> > 
> > 
> > 
> > However, if the cert does not have a CN, other rules apply to what gets shown.
> > 
> > 
> > 
> > So Scotland and CNs are very happy with each other. Scottish law doesn't have a cow, on account of the mere lack of 100% control by the state over official naming, as we discussed earlier.
> > 
> > 
> > 
> > Other countries based on the Napoleonic tradition of naming (which includes the US) hate this. They want control in the hands of officialdom (so things like loyalty tests can be applied as a condition of citizenship). The state can exclude those from self-government whom it deems not loyal (the old English "with-out-law [outlaw]" concept: to exist without the benefit of law and its prerogative). In Scotland, one can only be excluded from Royal things, since the King/Queen (unlike the US president) does not have full prerogative to define what the state is.
> > 
> > 
> > 
> > I seem to remember some civil war over this very point. It was about the only thing Scots and the English really agree on (but it's vital and binding).
> > 
> > 
> > 
> > 
> > 
> > WebID is supposed to be about decentralized this and that. In reality, it's about removing one semi-centralized trust structure and replacing it with another, with a different set of guardians. But so was OpenID. And OpenID and WebID share common history.
> >
> 
> Social Web Architect
> http://bblfish.net/
> 
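The message above turns on one point: a CN is just a DirectoryString, and whether it is "a label", "a domain name a browser must match (wildcards included)" or "a URI" is decided by the software reading it, not by the certificate. The following is an added example, not code from either correspondent or from the WebID project. Using only the Python standard library, it parses an RFC 4514 string DN, pulls out the CN, classifies its syntax, and applies an RFC 6125-style wildcard match of the kind browsers do. The sample subjects are constructed here: the Jeff Smith DN is the MSDN example quoted in the thread, the ValiCert CN is the one the message cites (its other RDNs are made up), and the example.com subject is invented.

```python
"""Added example: what a relying party can make of an X.509 subject CN.

The CN is a DirectoryString, so any meaning (DNS name to match, URI to
dereference) is a choice the consuming software makes. Stdlib only.
"""
import re
from urllib.parse import urlsplit

# An RFC 3986 scheme followed by ':' marks a string with URI syntax.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# One DNS label (RFC 1123 host syntax): 1-63 chars, no leading/trailing '-'.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample subjects (see lead-in). The ValiCert CN is the one cited
# in the message; its remaining RDNs and the other subjects are made up.
SAMPLE_SUBJECTS = {
    "person": "CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM",
    "valicert_root": "CN=http://www.valicert.com/,"
                     "OU=ValiCert Class 2 Policy Validation Authority,"
                     "O=ValiCert\\, Inc.",
    "wildcard_server": "CN=*.example.com,O=Example Corp",
}


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs in written order
    (the leaf RDN, e.g. CN, comes first). Honors backslash escapes; multi-valued
    RDNs joined with '+' are not handled."""
    rdns, buf, key, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch == ",":
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if key is not None:
        rdns.append((key, "".join(buf).strip()))
    return rdns


def common_name(dn):
    """Value of the first CN RDN in written order, or None if there is none."""
    for typ, val in parse_dn(dn):
        if typ.upper() == "CN":
            return val
    return None


def classify_cn(cn):
    """'uri' if the string has URI syntax, 'dns-name' if it parses as a
    hostname of at least two labels (a left-most '*' label allowed), else
    'label' (a mere printable name such as a person's name)."""
    if _SCHEME_RE.match(cn):
        parts = urlsplit(cn)
        if parts.netloc or parts.path:
            return "uri"
    labels = cn.split(".")
    if len(labels) >= 2 and all(
        (i == 0 and lab == "*") or _LABEL_RE.match(lab)
        for i, lab in enumerate(labels)
    ):
        return "dns-name"
    return "label"


def match_dns_name(presented, host):
    """RFC 6125 section 6.4.3 style comparison of a presented name against a
    hostname: case-insensitive; '*' only as the entire left-most label and
    matching exactly one label; '*.tld' rejected; partial-label wildcards
    (which the RFC only permits as a MAY) rejected."""
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in presented:
        return False
    return p_labels == h_labels


def subject_cn_view(dn, host=None):
    """What a CN-reading consumer sees: the CN, its syntax class, and, for a
    DNS-name CN when a host is supplied, whether the host matches."""
    cn = common_name(dn)
    view = {"cn": cn, "kind": "absent" if cn is None else classify_cn(cn)}
    if view["kind"] == "dns-name" and host is not None:
        view["matches_host"] = match_dns_name(cn, host)
    return view


if __name__ == "__main__":
    for name, dn in SAMPLE_SUBJECTS.items():
        print(name, subject_cn_view(dn, host="api.example.com"))
```

The classification is deliberately a consumer-side heuristic: a string such as `localhost:8080` satisfies the scheme grammar and would be reported as a URI, which is exactly the ambiguity the thread is about. A relying party that wants a URI identity from a certificate should read it from a typed field (a subjectAltName URI entry) rather than infer it from the CN.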
Received on Tuesday, 3 January 2012 21:06:40 GMT
