Re: Getting Serious about WebID Bootstrap

On 2 Oct 2012, at 21:33, David Chadwick <d.w.chadwick@kent.ac.uk> wrote:

> Hi Kingsley
> 
> finally its working, but Thunderbird has a bug in it which fooled me for some time. I imported your CA cert, said it was trusted to issue email certs, but Thunderbird still kept saying your signature was invalid, even though it showed the cert was issued by this trusted CA.
> 
> Eventually I decided to shut down Thunderbird and restart it, and magically your signature became trusted. So it appears that Thunderbird is not dynamically updating its in-memory record of trusted CAs used for signature verification, so that the list of trusted CAs on disc becomes out of sync with the in-memory copy.

I have the same problem with Kingsley's messages in Apple Mail. I still get the yellow banner
"Unable to verify message signature" even though I added him to the keychain.

The problem here I think is that the w3c mail server changes some of the headers
or some of the text, so that the signature is indeed no longer correct.

We came to that conclusion earlier. Kinglsey should send you an e-mail directly to
see if this is indeed the problem.

Henry

> 
> regards
> 
> David
> 
> On 01/10/2012 15:48, Kingsley Idehen wrote:
>> On 10/1/12 7:57 AM, David Chadwick wrote:
>>> Kingsley
>>> 
>>> the problem I have is that the signer's self signed certificate is not
>>> available to me.
>> 
>> Good point! This where the value of Issuer Alternative Name would come
>> into play. Basically, the Cert issuer's WebID goes in there and it then
>> enables you de-ref the signers public key. We are adding that to all our
>> generators.
>> 
>>> Your S/MIME cert did not include the issuer's cert in the certificate
>>> chain, so where do I get it from? Without this root cert I am not able
>>> to validate your cert. When sending signed email, isnt it possible to
>>> include the full cert path?
>> 
>> In the meantime, our signer's cert is available from:
>> https://www.dropbox.com/s/uig83k71kym398f/OpenLink%20Local%20CA%20Cert.crt
>> .
>>> 
>>> Or is that your email client is sending it, but Thunderbird is hiding
>>> it from me?
>> 
>> No, right now you need to be able to de-reference its form a URL.
>> 
>> Kingsley
>>> 
>>> regards
>>> 
>>> David
>>> 
>>> 
>>> On 30/09/2012 18:11, Kingsley Idehen wrote:
>>>> On 9/30/12 7:05 AM, Melvin Carvalho wrote:
>>>>>>> >>
>>>>>> >Why? what do I gain from doing this - consider me a naive outsider
>>>>>> >
>>>>>> >
>>>>> Essentially this links your email to your WebID / Social Graph in a,
>>>>> standards compliant, machine readable way.
>>>>> 
>>>>> I've imported my cert into thunderbird and imported the root node as
>>>>> a CA
>>>>> but I get
>>>>> 
>>>>> "Sending of message failed.
>>>>> Unable to sign message. Please check that the certificates specified in
>>>>> Mail & Newsgroups Account Settings for this mail account are valid and
>>>>> trusted"
>>>>> 
>>>>> http://kb.mozillazine.org/Message_security
>>>>> 
>>>>> Verify whether all parent nodes of the certificate are in your list of
>>>>> trusted CAs, and whether they can be used to identify mail users
>>>>> 
>>>>> Looks I've done this but it still throws an error.  I've had bugs in
>>>>> thunderbird before wrt security.  Not sure on this one ...
>>>>> 
>>>> 
>>>> You have to ensure the the following:
>>>> 
>>>> 1. signer certificate is imported via "Authorities" tab
>>>> 2. personal certificates (signed using the signer cert.) are imported
>>>> into "Your Certificates" tab
>>>> 3. email address in the certificate matches the email address of the
>>>> Thunderbird account being configured.
>>>> 
>>>> You can also read:
>>>> 
>>>> 1. http://bit.ly/NrzHNY -- using Thunderbird to send digitally signed
>>>> email .
>>>> 
>>> 
>>> 
>> 
>> 
> 

Social Web Architect
http://bblfish.net/