- From: Nathan <nathan@webr3.org>
- Date: Mon, 16 Jul 2012 21:42:59 +0100
- To: Jürgen Jakobitsch <j.jakobitsch@semantic-web.at>
- CC: Kingsley Idehen <kidehen@openlinksw.com>, public-rww@w3.org
Jürgen Jakobitsch wrote:
> how can i (as a normal user) create a certificate that is trusted
> by a common ca authority with a webID.

It's a great question without an easy answer. Theoretically it should be a case of configuring openssl using openssl.conf in the usual round-about god awful way to get a subjectAltName in there, then submit the generated CSR to get it signed by a well known CA.

I've only self signed so far and not tested the CA bit, however I know people have been doing it for years with certificates with subjectAltName values in there, for LDAP - so rather sure it'll work as expected.

> or the other way round : i have a valid (from a ca authority) certificate
> how do i get a webID in there..

You can't - requires a new cert.

> the problem comes to light, when you sign your emails with a certificate
> created with any of the webID generators and most clients
> will say that this signature is not valid.
> i only have evolution and thunderbird at hand, but i assume the outlook and co. will also complain.
>
> i'd really like to sign my mails and have absolutely no problem with it, but
> i'm not gonna do it, when i must assume that 90% of the recipients see some sort
> of warning, that i'm sending untrusted mails...

I share and understand your concerns, WebID is an awesome concept, but the practicalities of dealing with certs are a *major* put-off, mine expired ages ago and I know that any attempt to re-issue it, with the same keys no less (as I use them for git/svn/scp etc) is going to be a complete nightmare. Thus I use an expired cert for git/svn/scp which still works on linux, but I can't use webid any more until I fix it and jump through a few hoops to reissue.

Shame, as WebID - at an abstract level, doesn't even need certificates, it just needs a public/private keypair and a way to pass the webid over.

Regardless, if you want to persist, I'm sure you can get this working with a new CA signed cert :)

Best,

Nathan
Received on Monday, 16 July 2012 20:44:04 UTC