W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2012

Re: Matter of DN and what's possible

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Mon, 9 Jan 2012 12:20:43 +0000
Cc: public-xg-webid@w3.org
Message-Id: <26C649C3-E179-49B0-A07E-E4A2F3E9E5A3@bbc.co.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>

The point of mirroring the claim in a resource which can be retrieved by de-referencing the URI the holder assigns themselves is so that you can be sure they have a reasonable degree of authority over that URI, and so can use it as an identifier for them. It doesn't matter whether that's an http: or https: URI, or some other kind (acct:, ldap:, whatever) ó provided thereís an unambiguous function which can be handed that URI and will de-reference it to a resource which contains the mirrored claims.

If the resource youíre fetching isnít de-referenced from the that identifier ó i.e., it comes from somewhere else entirely, as you suggested would be the case (see quote below), then the claim over the URI isnít mirrored any more.

>> If I'm understanding correctly, you're saying (for example), that sIA might contain a URL,
> Yep!
> This reference (an Address) resolves to a profile resource bearing claims mirror.
>> while the sAN contains the URI of the certificate holder which appears within the document published at the sIA URL?
> Yep!

Thus, Peter might have:

sIA: <http://rdf-translator.appspot.com/parse?url=http%3A%2F%2Fyorkporc2.blogspot.com%2F&of=n3>

sAN: <http://yorkpc2.blogspot.com/#me>

(And the data at yorkpc2.blogspot.com might be in some random format, or might not even be published there at all ó itís just used as a key by rdf-translator.appspot.com).

Thereís nothing wrong with this *per se* but youíre changing the landscape somewhat: it reduces the scope of everything in the the resource to 'untrusted, unverified input' ó itís just a self-asserted attribute exchange document, at which point thereís no point in verifying that the key matches any more, because it doesnít make a jot of difference to anything if it does. What you *canít* do any more is use the self-asserted identifier of the holder as any sort of confirmed identifier, because the claim isn't mirrored there ó itís mirrored somewhere else entirely.

In the above example, Peter has no confirmed claim over <http://yorkpc2.blogspot.com/#me> because the data which would otherwise mirror that claim and confirm it is retrieved from <http://rdf-translator.appspot.com/parse?url=http%3A%2F%2Fyorkporc2.blogspot.com%2F&of=n3> without ever touching the resources retrieved when de-referencing the sAN URI.

At this point, the only piece of actual confirmed information you have (and so the only thing you can use as an identifier) is the public key itself, the content of the profile document is no different from presenting a form and asking the user to fill it in.


Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
Received on Monday, 9 January 2012 12:23:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:29 UTC