
RE: WebID equivalence

From: Peter Williams <home_pw@msn.com>
Date: Tue, 3 Jan 2012 13:20:40 -0800
Message-ID: <SNT143-W41A366A09A169C56981A6192960@phx.gbl>
To: <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>


Henry you keep referring to a MICROSOFT page about the DN type (used in the ldap API). The subject name in a cert IS NOT A DN TYPE. Yes, a DN is a sequence of RDNs, as is a Name. But NAMES are not DNs. This should sound familiar. Try not to read PGP pages on X.509; it's VERY biased (and about as fair as Fox News). The folks running certs-based critical infrastructure are used to that crowd, and they have some utility (keeping folks honest). But, don't get TOO enamored with what is often a rant. Kaminsky is NOT a reliable source of information on certs, for example. But, he gets a rapturous ovation every time he delivers the "ASN.1 IS EVIL (please clap)" line, or the "UNIQUE NAMES ARE EVIL (clap here)" line. It's great entertainment. There is a long list of whiners (who make lots of money from speaking on the hacker circuit). It's a good business, being negative.

> From: henry.story@bblfish.net
> Date: Tue, 3 Jan 2012 21:16:15 +0100
> CC: public-xg-webid@w3.org
> To: home_pw@msn.com
> Subject: Re: WebID equivalence
> 
> 
> On 3 Jan 2012, at 18:32, Peter Williams wrote:
> 
> > 
> > henry is not correct about CNs.
> > 
> > 
> > 
> > CNs are unique in that their type is defined locally. That's its definition. If one makes it a URI, it's a URI.
> 
> 
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa366101(v=vs.85).aspx
> 
> They give the following examples
> 
> DN: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
> 
> Is Jeff Smith globally unique? Ah no, it's locally unique inside the company Fabrikam. Oh but then it's not a URI. 
> 
> What has this got to do with the discussion btw? Is there something magical you can do by putting your URI in the CN? Probably not. So why bother? 
> 
> > 
> > 
> > 
> > One is perfectly entitled to do what folks do in plaintext email, on detecting a string with a URI syntax (make it clickable).
> 
> The distinction is the same as if someone wrote 
> 
> 	<a href="http://fabrikam.com/jeff">Jeff Smith</a>. 
> 
> "Jeff Smith" above is not a URI. Could you write
> 
> 	 <a href="http://fabrikam.com/jeff">fabrikam.com/jeff</a>
> 
> yes. Would it be user-friendly? In most cases no. Go check CNN.com or any major consumer web site and see how rarely that is done. Is fabrikam.com/jeff a URI? No, it needs to be started by http:// if it were even to have the syntax of a URI.
> 
> Is the string inside anchor below a URI?
> 
> 	 <a href="http://fabrikam.com/jeff">http://fabrikam.com/jeff</a>
> 
> Not really either. It is a string that looks like a URI. And no browser will treat it as a URI. You have to distinguish between URI-looking strings and URIs. 
> 
> 
> > 
> > 
> > 
> > Is the policy qualifier extension parameters type a URI? If you look at the Microsoft cert display UI (see Issue button), it interprets said field as a URI. Click it, and up pops a web page (or actually any resource, as identified by the scheme and path, as usual)
> 
> Click what? the CN or the DN? Click
> 
>    <a href="http://fabrikam.com/jeff">Jeff Smith</a>. 
> 
> And you will end up on http://fabrikam.com/jeff but that is not because "Jeff Smith" is a URI!
> 
> > 
> > Peter is not 100% correct that CN are unique in that feature. X.500 allows one to define one's own tags, and one can define one's own (with the CN properties). It's just that no one else knows about it, typically. CNs are used BECAUSE they are infinitely flexible. That's why folks gravitate towards using them (being "right" for operational modalities).
> > 
> > 
> > If you look in the Microsoft trust list (that by default cues on the first CN in the list, in most significant order), there is one set of root keys that have (displayed) CNs with URIs. They stand out when you look through the list. The rest indicate some kind of "official" name of the firm. In one case, the official name of the firm was the URI (cast as a string, I suppose). That's because, in Scotland, one's official name is what one says it is. It's a free society (for naming).
> > 
> > 
> > 
> > However, if the cert does not have a CN, other rules apply to what gets shown.
> > 
> > 
> > 
> > So Scotland and CNs are very happy with each other. Scottish law doesn't have a cow, on account of the mere lack of 100% control by the state over official naming, as we discussed earlier.
> > 
> > 
> > 
> > Other countries based on the Napoleonic tradition of naming (which includes the US) hate this. They want control in the hands of officialdom (so things like loyalty tests can be applied as a condition of citizenship). The state can exclude those from self-government who it deems not loyal (the old English "with-out-law [outlaw]" concept: to exist without the benefit of law and its prerogative). In Scotland, one can only be excluded from Royal things, since the King/Queen (unlike the US president) does not have full prerogative to define what the state is.
> > 
> > 
> > 
> > I seem to remember some civil war over this very point. It was about the only thing Scots and the English really agree on (but it's vital and binding).
> > 
> > 
> > 
> > 
> > 
> > WebID is supposed to be about decentralized this and that. In reality, it's about removing one semi-centralized trust structure and replacing it with another, with a different set of guardians. But, so was OpenID. And OpenID and WebID share common history.
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 
Received on Tuesday, 3 January 2012 21:21:13 GMT
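As an added illustration of the DN-versus-string point argued in this exchange (example code written for this archive page, not from either poster): a small RFC 4514 DN string parser plus a syntax check showing that the quoted Fabrikam CN is a plain directory string, and that even a CN whose value happens to read `http://...` is still only a string matching URI syntax. The sample DNs are constructed from the Fabrikam example above; `looks_like_uri` is a shape check only and proves nothing about the value's type in the certificate.

```python
"""Parse RFC 4514 DN strings into RDNs and check whether a CN value merely
looks like a URI. Added example; sample DNs constructed from the thread."""
import re
from urllib.parse import urlsplit

# RFC 4514 escape: a backslash followed by two hex digits or one special char.
_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2}|.)')

# Constructed from the DN quoted in the thread.
FABRIKAM_DN = "CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM"


def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs.
    ',' separates RDNs, '+' separates attributes inside a multi-valued RDN."""
    rdns, current, buf, key, i = [], [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            m = _ESCAPE.match(dn, i)
            if m:  # decode the escape and keep it as literal value text
                esc = m.group(1)
                buf.append(chr(int(esc, 16)) if len(esc) == 2 else esc)
                i = m.end()
                continue
        if ch == '=' and key is None:
            key, buf = ''.join(buf).strip(), []
        elif ch in ',+':
            current.append((key, ''.join(buf).strip()))
            buf, key = [], None
            if ch == ',':
                rdns.append(current)
                current = []
        else:
            buf.append(ch)
        i += 1
    current.append((key, ''.join(buf).strip()))
    rdns.append(current)
    return rdns


def common_names(dn):
    """All CN attribute values in the DN, in the order written."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t and t.upper() == 'CN']


def looks_like_uri(value):
    """True only if the string has absolute-URI shape (scheme and authority)."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


if __name__ == "__main__":
    for cn in common_names(FABRIKAM_DN) + ["fabrikam.com/jeff", "http://fabrikam.com/jeff"]:
        print(f"{cn!r}: URI-shaped={looks_like_uri(cn)} (still just a CN string)")
```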
