
Re: Getting Serious about WebID Bootstrap

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 02 Oct 2012 15:50:18 -0400
Message-ID: <506B457A.4030208@openlinksw.com>
To: public-xg-webid@w3.org

On 10/2/12 3:33 PM, David Chadwick wrote:
> Hi Kingsley
>
> finally it's working, but Thunderbird has a bug in it which fooled me 
> for some time. I imported your CA cert, said it was trusted to issue 
> email certs, but Thunderbird still kept saying your signature was 
> invalid, even though it showed the cert was issued by this trusted CA.
>
> Eventually I decided to shut down Thunderbird and restart it, and 
> magically your signature became trusted. So it appears that 
> Thunderbird is not dynamically updating its in-memory record of 
> trusted CAs used for signature verification, so that the list of 
> trusted CAs on disc becomes out of sync with the in-memory copy.

Great to see you've made progress. Thanks for the heads-up re. 
Thunderbird; I need to update my howto guide accordingly.

Next stop: adding CA WebIDs to CA certs, then automatically adding said 
WebID to the Issuer Alternative Name slot when issuing certificates. Net 
effect: via email you can follow-your-nose to the CA cert's public key en 
route to importing it into local key stores.


Kingsley
>
> regards
>
> David
>
> On 01/10/2012 15:48, Kingsley Idehen wrote:
>> On 10/1/12 7:57 AM, David Chadwick wrote:
>>> Kingsley
>>>
>>> the problem I have is that the signer's self signed certificate is not
>>> available to me.
>>
>> Good point! This is where the value of Issuer Alternative Name would come
>> into play. Basically, the cert issuer's WebID goes in there and it then
>> enables you to de-ref the signer's public key. We are adding that to all our
>> generators.
>>
>>> Your S/MIME cert did not include the issuer's cert in the certificate
>>> chain, so where do I get it from? Without this root cert I am not able
>>> to validate your cert. When sending signed email, isn't it possible to
>>> include the full cert path?
>>
>> In the meantime, our signer's cert is available from:
>> https://www.dropbox.com/s/uig83k71kym398f/OpenLink%20Local%20CA%20Cert.crt
>>>
>>> Or is that your email client is sending it, but Thunderbird is hiding
>>> it from me?
>>
>> No, right now you need to be able to de-reference it from a URL.
>>
>> Kingsley
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> On 30/09/2012 18:11, Kingsley Idehen wrote:
>>>> On 9/30/12 7:05 AM, Melvin Carvalho wrote:
>>>>>> > Why? What do I gain from doing this - consider me a naive outsider
>>>>>>
>>>>> Essentially this links your email to your WebID / Social Graph in a,
>>>>> standards compliant, machine readable way.
>>>>>
>>>>> I've imported my cert into thunderbird and imported the root node as
>>>>> a CA
>>>>> but I get
>>>>>
>>>>> "Sending of message failed.
>>>>> Unable to sign message. Please check that the certificates specified in
>>>>> Mail & Newsgroups Account Settings for this mail account are valid and
>>>>> trusted"
>>>>>
>>>>> http://kb.mozillazine.org/Message_security
>>>>>
>>>>> Verify whether all parent nodes of the certificate are in your list of
>>>>> trusted CAs, and whether they can be used to identify mail users
>>>>>
>>>>> Looks I've done this but it still throws an error.  I've had bugs in
>>>>> thunderbird before wrt security.  Not sure on this one ...
>>>>>
>>>>
>>>> You have to ensure the following:
>>>>
>>>> 1. signer certificate is imported via "Authorities" tab
>>>> 2. personal certificates (signed using the signer cert.) are imported
>>>> into "Your Certificates" tab
>>>> 3. email address in the certificate matches the email address of the
>>>> Thunderbird account being configured.
>>>>
>>>> You can also read:
>>>>
>>>> 1. http://bit.ly/NrzHNY -- using Thunderbird to send digitally signed
>>>> email.
>>>>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
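An added worked example for the Issuer Alternative Name idea discussed above; it is not code from this thread, from OpenLink's generators, or from any WebID specification. It hand-rolls just enough DER (RFC 5280 Extensions, GeneralName tags) to build the extensions block of a leaf S/MIME certificate whose issuerAltName carries a URI, then reads that URI back out the way a receiving client would before following its nose to the CA's profile. The email address, the WebID URI and the OIDs-only extension set are constructed for the example; real certificates carry more extensions and a full TBSCertificate around them.

```python
"""Encode and decode the X.509 issuerAltName extension with a WebID URI.

Hand-rolled DER, no third-party library, so it runs offline. Illustrative
values (the WebID URI and email address) are constructed, not real.
"""

OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_ISSUER_ALT_NAME = "2.5.29.18"
OID_BASIC_CONSTRAINTS = "2.5.29.19"

# GeneralName implicit context-specific tags (RFC 5280, 4.2.1.6).
TAG_RFC822_NAME = 0x81   # [1] IA5String   -- the mail address in subjectAltName
TAG_DNS_NAME = 0x82      # [2] IA5String
TAG_URI = 0x86           # [6] IA5String   -- where the WebID goes


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }"""
    parts = encode_oid(oid)
    if critical:
        parts += tlv(0x01, b"\xff")
    return tlv(0x30, parts + tlv(0x04, value))


def build_extensions(subject_email, issuer_webid):
    """Extensions for a leaf S/MIME cert: basicConstraints, SAN, issuerAltName."""
    basic = tlv(0x30, b"")                                   # cA FALSE (default)
    san = tlv(0x30, tlv(TAG_RFC822_NAME, subject_email.encode("ascii")))
    ian = tlv(0x30, tlv(TAG_URI, issuer_webid.encode("ascii")))
    return tlv(0x30, extension(OID_BASIC_CONSTRAINTS, basic, critical=True)
                     + extension(OID_SUBJECT_ALT_NAME, san)
                     + extension(OID_ISSUER_ALT_NAME, ian))


def issuer_webids(extensions_der):
    """Every URI GeneralName found in the issuerAltName extension."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    uris = []
    for _, ext in iter_tlvs(exts):
        fields = list(iter_tlvs(ext))       # OID, optional BOOLEAN, OCTET STRING
        if decode_oid(fields[0][1]) != OID_ISSUER_ALT_NAME:
            continue
        _, names, _ = read_tlv(fields[-1][1], 0)   # unwrap GeneralNames SEQUENCE
        uris.extend(n.decode("ascii") for t, n in iter_tlvs(names) if t == TAG_URI)
    return uris


def dereferenceable_webid(uri):
    """Only follow a WebID over https, and only if it names an agent (#fragment)."""
    return uri.startswith("https://") and "#" in uri


if __name__ == "__main__":
    exts = build_extensions("alice@example.org", "https://example.org/ca#this")
    for webid in issuer_webids(exts):
        print(webid, "ok" if dereferenceable_webid(webid) else "refuse to follow")
```

The extracted URI is only a pointer. A client that follows it must fetch the profile over TLS and then check that the public key published there matches the key in the CA certificate it is about to import; the presence of the URI in the extension proves nothing by itself, since any issuer can write any URI into it.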
Received on Tuesday, 2 October 2012 19:50:45 UTC