
Re: Getting Serious about WebID Bootstrap

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Tue, 02 Oct 2012 20:33:54 +0100
Message-ID: <506B41A2.8010403@kent.ac.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>
CC: public-xg-webid@w3.org

Hi Kingsley

finally it's working, but Thunderbird has a bug in it which fooled me for 
some time. I imported your CA cert, said it was trusted to issue email 
certs, but Thunderbird still kept saying your signature was invalid, 
even though it showed the cert was issued by this trusted CA.

Eventually I decided to shut down Thunderbird and restart it, and 
magically your signature became trusted. So it appears that Thunderbird 
is not dynamically updating its in-memory record of trusted CAs used for 
signature verification, so that the list of trusted CAs on disc becomes 
out of sync with the in-memory copy.

On 01/10/2012 15:48, Kingsley Idehen wrote:
> On 10/1/12 7:57 AM, David Chadwick wrote:
>> Kingsley
>> the problem I have is that the signer's self-signed certificate is not
>> available to me.
> Good point! This where the value of Issuer Alternative Name would come
> into play. Basically, the Cert issuer's WebID goes in there and it then
> enables you de-ref the signers public key. We are adding that to all our
> generators.
>> Your S/MIME cert did not include the issuer's cert in the certificate
>> chain, so where do I get it from? Without this root cert I am not able
>> to validate your cert. When sending signed email, isn't it possible to
>> include the full cert path?
> In the meantime, our signer's cert is available from:
> https://www.dropbox.com/s/uig83k71kym398f/OpenLink%20Local%20CA%20Cert.crt
>> Or is that your email client is sending it, but Thunderbird is hiding
>> it from me?
> No, right now you need to be able to de-reference it from a URL.
> Kingsley
>> regards
>> David
>> On 30/09/2012 18:11, Kingsley Idehen wrote:
>>> On 9/30/12 7:05 AM, Melvin Carvalho wrote:
>>>>> Why? what do I gain from doing this - consider me a naive outsider
>>>> Essentially this links your email to your WebID / Social Graph in a,
>>>> standards compliant, machine readable way.
>>>> I've imported my cert into thunderbird and imported the root node as
>>>> a CA
>>>> but I get
>>>> "Sending of message failed.
>>>> Unable to sign message. Please check that the certificates specified in
>>>> Mail & Newsgroups Account Settings for this mail account are valid and
>>>> trusted"
>>>> http://kb.mozillazine.org/Message_security
>>>> Verify whether all parent nodes of the certificate are in your list of
>>>> trusted CAs, and whether they can be used to identify mail users
>>>> Looks I've done this but it still throws an error.  I've had bugs in
>>>> thunderbird before wrt security.  Not sure on this one ...
>>> You have to ensure the following:
>>> 1. signer certificate is imported via "Authorities" tab
>>> 2. personal certificates (signed using the signer cert.) are imported
>>> into "Your Certificates" tab
>>> 3. email address in the certificate matches the email address of the
>>> Thunderbird account being configured.
>>> You can also read:
>>> 1. http://bit.ly/NrzHNY -- using Thunderbird to send digitally signed
>>> email.
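The issuer lookup this thread is about, as an added example that is not part of the mailing-list exchange: it builds a throwaway local CA and an S/MIME-style leaf certificate whose Issuer Alternative Name carries the CA's WebID, then shows how a verifier decides when the issuer certificate is, or is not, in its trust store. It uses the Python `cryptography` library; the CA name, email address and WebID URI are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
CA_WEBID = "https://ca.example.test/profile#this"  # constructed placeholder WebID

def build_cert(subject, issuer, pubkey, signing_key, extensions):
    # Build and sign a one-day X.509 certificate carrying the given extensions.
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signing_key, hashes.SHA256())
# A self-signed local CA, standing in for the "OpenLink Local CA" of the thread.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Local CA")])
CA_CERT = build_cert(CA_NAME, CA_NAME, CA_KEY.public_key(), CA_KEY,
                     [(x509.BasicConstraints(ca=True, path_length=None), True)])
# An S/MIME-style leaf: email address in the subject, issuer's WebID in Issuer Alt Name.
LEAF_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
LEAF_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Alice"),
                       x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.test")])
LEAF_CERT = build_cert(LEAF_NAME, CA_NAME, LEAF_KEY.public_key(), CA_KEY,
    [(x509.IssuerAlternativeName([x509.UniformResourceIdentifier(CA_WEBID)]), False)])

def issuer_webid(cert):
    """URI from Issuer Alternative Name, or None when the extension is absent."""
    try:
        ian = cert.extensions.get_extension_for_class(x509.IssuerAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    uris = ian.get_values_for_type(x509.UniformResourceIdentifier)
    return uris[0] if uris else None

def check_issuer(leaf, trusted):
    """Find a trusted cert whose subject is the leaf's issuer and whose key verifies
    the leaf's signature: ("ok", None), else ("issuer-missing", WebID to fetch)."""
    for cand in trusted:
        if cand.subject != leaf.issuer:
            continue
        try:
            cand.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     padding.PKCS1v15(), leaf.signature_hash_algorithm)
            return ("ok", None)
        except InvalidSignature:  # same name but a different key: not the real issuer
            continue
    return ("issuer-missing", issuer_webid(leaf))
```

With the CA cert absent from `trusted`, the URI the function hands back is the only lead the recipient has, which is the gap the Issuer Alternative Name is meant to close.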
Received on Tuesday, 2 October 2012 19:34:22 UTC
