W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2012

Re: Matter of DN and what's possible

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Mon, 9 Jan 2012 07:11:10 +0000
Cc: public-xg-webid@w3.org
Message-Id: <603350D3-AB97-4CCC-81DF-68F38D7BF791@bbc.co.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 9 Jan 2012, at 01:31, Kingsley Idehen wrote:

> On 1/8/12 6:55 PM, Mo McRoberts wrote:
>> On 8 Jan 2012, at 23:39, Kingsley Idehen wrote:
>> 
>>>> If I'm understanding correctly, you're saying (for example), that sIA might contain a URL,
>>> Yep!
>>> 
>>> This reference (an Address) resolves to a profile resource bearing claims mirror.
>>>> while the sAN contains the URI of the certificate holder which appears within the document published at the sIA URL?
>>> Yep!
>>> 
>>> Then you completely solve burden problem for publishers re. Linked Data publishing nuances that ultimately introduce control problems, as already demonstrated by Peter's experiments.
>> You introduce a new problem, however.
>> 
>> WebID revolves around the fact that the URI you provide in the subjectAltName is (in some fashion or another) dereferenceable and can be processed by verifiers because asserting the key there allows you to demonstrate that you control it — you’re effectively demonstrating “ownership” — and so applications can then use that URI to identify you.
> 
> No, there isn't a new problem, far from it. We are simply saying the route to proof doesn't have to go through a single URI.
> Proof lies in the directed graph that mirrors the claims in the cert.

Proof of authority over a particular URI has to go via that URI, by definition.


>> This isn't especially different from the “we have e-mailled you a verification link” automated processes which, having been followed, allow you to be identified by an e-mail address, nor terribly different to Google’s Webmaster Tools site verification or Apps CNAME.
> 
> Yes and No. We'll even get to that proof once we cross this initial bridge re. Name, Addresses, and Descriptor (of Information) Resources.
> 
>> 
>> How does this work when you’re instructed to look somewhere else entirely via a sIA?
> 
> You are indicating that there is a document, somewhere on a network that describes the certificate subject. It's easier and much more intuitive. It's this part of matters that confuses people re. Linked Data since you have > 1 level of indirection via a single HTTP URI.

I’m not sure that answers the question.

>> 
>> If my sAN says I am<http://billg.microsoft.com/#me>  and my sIA says to look at<http://data.nevali.net/billg>, you’re still none the wiser as to whether I really have any authority over the resource at<http://billg.microsoft.com/>  or not — instead, I’m effectively '<http://data.nevali.net/billg>  {<http://billg.microsoft.com/>  }', which is quite different.
> 
> The mirrored claim is the key to proof.

I’m sorry, I may be being dim, but I -really- don’t understand how that’s an answer. Key to the proof of *what*? If a verifier isn't directly dereferencing the sAN URI, how are you providing proof of anything to do with that sAN URI?

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Monday, 9 January 2012 07:11:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 9 January 2012 07:11:49 GMT