
Re: exiting the WebID email experiment - Was: Adding an email address to a SAN

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Wed, 14 Nov 2012 13:17:48 -0500
Message-ID: <50A3E04C.7000100@openlinksw.com>
To: public-xg-webid@w3.org, "public-rww@w3.org" <public-rww@w3.org>

On 11/14/12 12:47 PM, Henry Story wrote:
>
> On 14 Nov 2012, at 18:40, Kingsley Idehen <kidehen@openlinksw.com 
> <mailto:kidehen@openlinksw.com>> wrote:
>
>> On 11/14/12 3:57 AM, Henry Story wrote:
>>> Just to say, but I have stopped this experiment. For me sending mail
>>> is too important in communication. If some existing servers start
>>> rejecting mail or having trouble because they don't know my CA (and of
>>> course few will know WebID) then the cost in communication is too high
>>> for the benefit.
>>>
>>> I had a report that my Certificate was causing some windows machine to
>>> spend ten minutes trying to verify my certificate. It is not a big
>>> step from there until someone determines these are denial of service
>>> attacks and blocks my mail.
>>>
>>> So in my view this experiment could be thought of as viral, but in
>>> the negative sense. It is exactly the kind of experiment that could
>>> cause the system to put up unnecessary antibodies and make it more
>>> difficult for members of our community to spread their message.
>>>
>>
>> -100
>>
>> The Director of the CIA's email was compromised because he used GMAIL.
>>
>> How can you state that not using an existing standard solves a 
>> problem is bad? At the same time you want to use TLS, X.509 etc.. to 
>> address identity and privacy challenges. Nothing to do with PKI is 
>> smooth right now, and that's for the very reasons most of us are 
>> trying to make WebID work.
>
> There is a difference. With WebID over TLS the server asks me for a
> certificate, and it could even ask me for a WebID enabled one if we
> agreed on the DN=WebID CA name. With e-mail my mail gets passed around
> different intermediaries, each of which may fail or throw away the mail
> if it is worried it is spam, which is a huge problem.

No!

Toss out the WebID in SAN. You are still making a broken claim about 
the utility of S/MIME, one that ultimately works against many of the 
things you seek.

Remember your "Principals" and IFP note? Well, what function did the 
Email address serve? In addition, if you get back to URI opacity and the 
fact that you have a .well-known pattern for resolving mailto: scheme 
URIs, where do you think we end up?

S/MIME serves a purpose and, like the rest of PKI, it has suffered from 
myopic implementations on both the client and server sides.


>
> So with WebID over TLS you can fine tune certificate requests, and the
> server only asks for it if it knows about the protocol. With e-mail you
> need to be clear all the servers are ok with it, and the clients that
> receive it must also be educated. And you cannot control their software
> stack.

No, you don't have to be clear about the badly configured servers any more 
than you have to be clear about the broken CA network. You are being 
selective in a manner that's ultimately contradictory to the big picture 
(verifiable identity at Web-scale) and the infrastructure that makes it 
possible.

>
> So these are completely different ecosystems.

They are all related. They aren't silos! They are simply puzzle pieces in 
a massive jigsaw puzzle game.

Links:

1. http://hamptonroads.com/2012/11/5-gmail-lessons-petraeus-affair -- 
speaks for itself, even the Director of the CIA bought into the shambles 
of Email devoid of S/MIME exploitation (aka. GMAIL and friends)

2. http://en.wikipedia.org/wiki/Principal_(computer_security) -- 
orthogonal to this thread, the definition of "Principal" as it relates 
to security and identity
>
>>
>> Kingsley
>>>
>>> Henry
>>>
>>>
>>> On 14 Nov 2012, at 09:34, Melvin Carvalho <melvincarvalho@gmail.com 
>>> <mailto:melvincarvalho@gmail.com>> wrote:
>>>
>>>>
>>>>
>>>> On 18 October 2012 21:35, Kingsley Idehen <kidehen@openlinksw.com 
>>>> <mailto:kidehen@openlinksw.com>> wrote:
>>>>
>>>>     On 10/18/12 2:31 PM, Melvin Carvalho wrote:
>>>>>
>>>>>
>>>>>     On 18 October 2012 20:26, Kingsley Idehen
>>>>>     <kidehen@openlinksw.com <mailto:kidehen@openlinksw.com>> wrote:
>>>>>
>>>>>         On 10/18/12 2:12 PM, Andrei Sambra wrote:
>>>>>
>>>>>             On 10/18/12 19:19, Melvin Carvalho wrote:
>>>>>
>>>>>                 It seems for the dogfooding use case of signing
>>>>>                 your emails for SMIME
>>>>>                 you also need to add your email address to your SAN.
>>>>>
>>>>>                 Assuming I have got that correct, does anyone know
>>>>>                 an easy way to do this?
>>>>>
>>>>>             You can use https://my-profile.eu
>>>>>             <https://my-profile.eu/> :)
>>>>>
>>>>>             There's a cert generation page
>>>>>             (https://my-profile.eu/certgen.php) in which you can
>>>>>             specify an email address to be added along your WebID URI.
>>>>>
>>>>>             Andrei
>>>>>
>>>>>
>>>>>
>>>>>         Trouble is that Melvin wants to complete the process by
>>>>>         hand :-)
>>>>>
>>>>>
>>>>>     I don't necessarily need to do this by hand.
>>>>>
>>>>
>>>>     If you don't need to do it by hand then you have existing
>>>>     services in place to help you. Andrei pointed you to
>>>>     my-profile.eu <http://my-profile.eu/> (which you are familiar
>>>>     with) and you can also use the service at:
>>>>     http://id.myopenlink.net/certgen .
>>>>
>>>>>     But I'd like to keep my existing cert just ADD the email on
>>>>>     top of my http: URI.
>>>>
>>>>     You mean you want to keep your existing WebID since you can't
>>>>     patch a generated cert.
>>>>
>>>>>
>>>>>     Reason is that I have the same key for a long time and it's
>>>>>     also my GPG key, SSH, etc.
>>>>
>>>>     You can have multiple keys in the SAN of certificates that we
>>>>     produce. Or even simpler, cross reference your URIs in your
>>>>     profile graphs via owl:sameAs.
>>>>
>>>>
>>>> OK, I've managed to create a special cert for email only with the 
>>>> same key.
>>>>
>>>> What should be the EXACT SAN for signing email?
>>>>
>>>> I have:
>>>>
>>>> URI: http://melvincarvalho.com/#me, mailto:melvincarvalho@gmail.com 
>>>> <mailto:melvincarvalho@gmail.com>
>>>>
>>>> But it's still not working yet ...
>
> Social Web Architect
> http://bblfish.net/
>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Wednesday, 14 November 2012 18:18:14 GMT