Re: self-signed

On 15 Apr 2011, at 11:28, peter williams wrote:

> That's fine. But what are we saying in terms of standards?
> 
> Are we saying that
> (a) one must have v3 certs
> (b) one must have extensions x y x
> (c) if one does meet (b), x must not do this or that?
> 
> I believe webid should be *required* to work with v1 certs, and v3 certs
> with zero extensions.

Why? WebID certs are going to be generated by software designed to generate WebID certs, and v3 cert generation tools and libraries aren't merely prevalent, they're the norm nowadays.

> I cannot believe I'm about to say this, but, given the nature of webid
> protocol, one could go further. A webid validator is required to ignore all
> extensions, critical or not. (this is because the signature on the cert need
> not validate).

The X.509 critical extension mechanism is a compatibility system: marking an extension as critical is a way of saying “this extension is important — it alters the meaning of the certificate; if you don't understand it, you shouldn't accept the certificate for any purpose”. 

I would be _extremely_ wary of throwing caution to the wind with regards to this and simply throwing it away; rather, documentation concerned with certificate generation should explain what “critical extension” means and what its impact is. Between that and a validator which can say _why_ a certificate is or isn't acceptable, somebody would have to be recklessly negligent (i.e., not test it at all) to produce a “WebID certificate generation tool” (be it standalone, or rolled into something else) which got it wrong.

Critical extensions may seem like a big head-scratcher now while certificates are being generated by hand, tools are still being developed, good documentation is lacking, and the validator isn't yet ready, but these challenges should be used to highlight the “gotchas” that people are likely to run into, rather than deciding which bits of the rules need to be changed.

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A





Received on Friday, 15 April 2011 10:41:30 UTC
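
The critical-extension rule described in the reply above, as an added example that is not part of the original message or of any WebID implementation: a check over a DER-encoded Extensions field that rejects on an unrecognised critical extension and reports why. The `UNDERSTOOD` policy set, the sample URI and the OID 1.2.3.4 are constructed for illustration, and the parser handles short-form DER lengths only.

```python
# Added example. RFC 5280 shape being parsed:
# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
UNDERSTOOD = {"2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
              "2.5.29.19": "basicConstraints"}  # assumed validator policy

def tlv(tag, body):  # encode one DER TLV, short-form length (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlvs(buf):  # split a DER buffer into (tag, body) pairs
    out, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length >= 0x80 or i + 2 + length > len(buf):
            raise ValueError("unsupported or truncated DER")
        out.append((tag, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def oid_to_str(body):  # decode OID content octets into dotted form
    first = min(body[0] // 40, 2)
    arcs, n = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def check_extensions(extensions_der, understood=UNDERSTOOD):
    """Return (acceptable, reasons) so a caller can see why a cert failed."""
    ok, reasons = True, []
    for _, ext_body in read_tlvs(read_tlvs(extensions_der)[0][1]):
        fields = read_tlvs(ext_body)
        oid = oid_to_str(fields[0][1])
        # The BOOLEAN is omitted when FALSE, so field 1 may be the OCTET STRING.
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        if oid in understood:
            reasons.append(f"{oid} ({understood[oid]}): understood")
        elif critical:
            ok = False
            reasons.append(f"{oid}: REJECT, critical and not understood")
        else:
            reasons.append(f"{oid}: ignored, unknown but non-critical")
    return ok, reasons

def ext(oid_hex, critical, value):  # builder for the constructed samples below
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + flag + tlv(0x04, value))
SAN = ext("551d11", False, tlv(0x30, tlv(0x86, b"https://example.org/card#me")))
GOOD = tlv(0x30, SAN + ext("2a0304", False, tlv(0x05, b"")))  # 1.2.3.4: made-up OID
BAD = tlv(0x30, SAN + ext("2a0304", True, tlv(0x05, b"")))
```

`check_extensions(GOOD)` accepts and lists the unknown extension as ignored; `check_extensions(BAD)` differs only in the critical flag and is rejected with the offending OID named.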