
Re: exiting the WebID email experiment - Was: Adding an email address to a SAN

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 14 Nov 2012 18:47:32 +0100
Cc: public-xg-webid@w3.org
Message-Id: <B657B32F-6941-40EB-9C01-E0AEBAD0F695@bblfish.net>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 14 Nov 2012, at 18:40, Kingsley Idehen <kidehen@openlinksw.com> wrote:

> On 11/14/12 3:57 AM, Henry Story wrote:
>> Just to say, but I have stopped this experiment. For me sending mail is too 
>> important in communication.  If some existing servers start rejecting mail or
>> having trouble because they don't know my CA ( and of course few will know
>> WebID ) then the cost in communication is too high for the benefit. 
>> 
>> I had a report that my Certificate was causing some windows machine to 
>> spend ten minutes trying to verify my certificate. It is not a big step from there
>> until someone determines these are denial of service attacks and blocks my mail.
>> 
>> So in my view this experiment could be thought of as viral, but in the negative 
>> sense. It is exactly the kind of experiment that could cause the system to put 
>> up unnecessary antibodies and make it more difficult for members of our community
>> to spread their message.
>> 
> 
> -100
> 
> The Director of the CIA's email was compromised because he used GMAIL.
> 
> How can you state that not using an existing standard solves a problem is bad? At the same time you want to use TLS, X.509 etc. to address identity and privacy challenges. Nothing to do with PKI is smooth right now, and that's for the very reasons most of us are trying to make WebID work.

There is a difference. With WebID over TLS the server asks me for a certificate,
and it could even ask me for a WebID enabled one if we agreed on the DN=WebID
CA name. With e-mail my mail gets passed around different intermediaries, each of
which may fail or throw away the mail if it is worried it is spam, which is a huge problem.

So with WebID over TLS you can fine-tune certificate requests, and the server only asks for
it if it knows about the protocol. With e-mail you need to be clear all the servers are ok
with it, and the clients that receive it must also be educated. And you cannot control
their software stack.

So these are completely different ecosystems.

> 
> Kingsley 
>> 
>>  Henry
>> 
>> 
>> On 14 Nov 2012, at 09:34, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>> 
>>> 
>>> 
>>> On 18 October 2012 21:35, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>> On 10/18/12 2:31 PM, Melvin Carvalho wrote:
>>>> 
>>>> 
>>>> On 18 October 2012 20:26, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>>> On 10/18/12 2:12 PM, Andrei Sambra wrote:
>>>> On 10/18/12 19:19, Melvin Carvalho wrote:
>>>> It seems for the dogfooding use case of signing your emails for SMIME
>>>> you also need to add your email address to your SAN.
>>>> 
>>>> Assuming I have got that correct, does anyone know an easy way to do this?
>>>> You can use https://my-profile.eu :)
>>>> 
>>>> There's a cert generation page (https://my-profile.eu/certgen.php) in which you can specify an email address to be added along your WebID URI.
>>>> 
>>>> Andrei
>>>> 
>>>> 
>>>> 
>>>> Trouble is that Melvin wants to complete the process by hand :-)
>>>> 
>>>> I don't necessarily need to do this by hand.
>>>> 
>>> 
>>> If you don't need to do it by hand then you have existing services in place to help you. Andrei pointed you to my-profile.eu (which you are familiar with) and you can also use the service at: http://id.myopenlink.net/certgen .
>>> 
>>>> But I'd like to keep my existing cert just ADD the email on top of my http: URI.
>>> 
>>> You mean you want to keep your existing WebID since you can't patch a generated cert. 
>>> 
>>>> 
>>>> Reason is that I have the same key for a long time and it's also my GPG key, SSH, etc.
>>> 
>>> You can have multiple keys in the SAN of certificates that we produce. Or even simpler, cross reference your URIs in your profile graphs via owl:sameAs. 
>>> 
>>> OK, I've managed to create a special cert for email only with the same key.
>>> 
>>> What should be the EXACT SAN for signing email?
>>> 
>>> I have:
>>> 
>>> URI: http://melvincarvalho.com/#me, mailto:melvincarvalho@gmail.com
>>> 
>>> But it's still not working yet ...
>>>> -- 
>>>> 
>>>> Regards,
>>>> 
>>>> Kingsley Idehen 
>>>> Founder & CEO
>>>> OpenLink Software
>>>> Company Web: http://www.openlinksw.com
>>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>>> Twitter/Identi.ca handle: @kidehen
>>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>> 
>> Social Web Architect
>> http://bblfish.net/

Social Web Architect
http://bblfish.net/
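Added example, not part of the thread and not code from any of the participants or their services. Melvin's SAN above lists the mailbox as a second URI entry (`mailto:...`) next to the WebID URI. S/MIME receiving agents (RFC 5750) match the From address against an rfc822Name GeneralName in subjectAltName, and most also require the emailProtection extended key usage on a signing certificate, so a certificate that carries the address only as a URI is a plausible reason the signature is not accepted. The Go program below, using only the standard library and constructed placeholder values (`https://example.org/card#me`, `alice@example.org`), builds both variants as self-signed certificates and reports what a client would find in each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed placeholder identity; substitute your own WebID and mailbox.
const (
	WebID = "https://example.org/card#me"
	Email = "alice@example.org"
)

// SANCheck records what an S/MIME-capable client looks for when it ties a
// signing certificate to the sender's address.
type SANCheck struct {
	HasRFC822Name bool // address present as an rfc822Name GeneralName
	HasWebID      bool // WebID present as a uniformResourceIdentifier GeneralName
	MailtoAsURI   bool // a mailto: URI GeneralName is present (not an rfc822Name)
	EmailEKU      bool // extended key usage includes emailProtection
}

// MakeCert builds a self-signed certificate whose SAN carries the given URIs
// as uniformResourceIdentifier entries and, if rfc822 is non-empty, the
// address as an rfc822Name entry.
func MakeCert(uris []string, rfc822 string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID user (constructed example)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// S/MIME clients generally require this EKU on a signing certificate.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	if rfc822 != "" {
		tmpl.EmailAddresses = []string{rfc822}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// InspectSAN reports how the parsed certificate presents the address and WebID.
func InspectSAN(cert *x509.Certificate, wantEmail, wantWebID string) SANCheck {
	var c SANCheck
	for _, e := range cert.EmailAddresses {
		if e == wantEmail {
			c.HasRFC822Name = true
		}
	}
	for _, u := range cert.URIs {
		if u.String() == wantWebID {
			c.HasWebID = true
		}
		if u.Scheme == "mailto" {
			c.MailtoAsURI = true
		}
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection {
			c.EmailEKU = true
		}
	}
	return c
}

// BothVariants builds the thread's "URI:<webid>, URI:mailto:<address>" form
// and the rfc822Name form, and returns what a client sees in each.
func BothVariants() (SANCheck, SANCheck, error) {
	a, err := MakeCert([]string{WebID, "mailto:" + Email}, "")
	if err != nil {
		return SANCheck{}, SANCheck{}, err
	}
	b, err := MakeCert([]string{WebID}, Email)
	if err != nil {
		return SANCheck{}, SANCheck{}, err
	}
	return InspectSAN(a, Email, WebID), InspectSAN(b, Email, WebID), nil
}

func main() {
	a, b, err := BothVariants()
	if err != nil {
		panic(err)
	}
	fmt.Printf("mailto-as-URI variant: %+v\n", a)
	fmt.Printf("rfc822Name variant:    %+v\n", b)
}
```

The first variant keeps the WebID URI and the emailProtection EKU but has no rfc822Name, which is the field an S/MIME client compares with the From header; the second variant has both entries. With OpenSSL the same distinction is the difference between `URI:mailto:...` and `email:...` in the `subjectAltName` line of the request configuration.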




Received on Wednesday, 14 November 2012 17:48:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 14 November 2012 17:48:08 GMT