Re: Signed Email WebID

On 7/16/12 4:09 PM, Jürgen Jakobitsch wrote:
> ok,
>
> i think sending signed email is not really the problem,
> i think every one of us should manage to get this done.
>
> however, at least for me the problem is :
>
> how can i (as a normal user) create a certificate that is trusted
> by a common ca authority with a webID.

You need to add the CA certificate of the cert issuer to your email 
client's trust chain. I am really keen to simplify this effort, so if you 
could try to set this up based on my instructions it will ultimately 
help me make the guide clearer.

YouID publishes its cert (which includes its public key) so that you can 
import it into the trust chain of your email client. You must do this 
for it to work.

If not using YouID, but generating the cert yourself, then you have to 
do the same thing:

1. make a self signed cert
2. add the cert to your email client's trust chain -- where it stores 
other CA certs
3. import the same cert into the persona/user certs store.

The client has to be able to validate the signature of your personal 
self-signed cert. Hence the steps above, since most of these clients 
don't understand the dimensional implications of self-signed 
certificates etc.

>
> or the other way round : i have a valid (from a ca authority) certificate
> how do i get a webID in there..

You use a service like YouID which has an option for you to make a self 
signed or CA signed cert. I suspect you didn't look at the option for 
OpenLink Local CA when using YouID.

Basically, the Cert. generation service provider has to acquire a cert. 
signing certificate, which is what we've done.

>
> the problem comes to light, when you sign your emails with a certificate
> created with any of the webID generators and most clients
> will say that this signature is not valid.

Yes, I've been through this nightmare already, and I just need folks 
like you to test my guides so I can fix whatever isn't explained properly.

> i only have evolution and thunderbird at hand, but i assume the outlook and co. will also complain.

Please test my guide with Thunderbird. I've also written guides for 
others modulo evolution (which I don't use).

>
> i'd really like to sign my mails and have absolutely no problem with it, but
> i'm not gonna do it, when i must assume that 90% of the recipients see some sort
> of warning, that i'm sending untrusted mails...

We'll cross that bridge once you are able to configure and send signed 
emails. There's a way around that problem too, via social re-engineering 
based on some "in your face" benefits of signed mails with certs. 
bearing WebID watermarks :-)

Kingsley


>
> wkr j
>
> ----- Original Message -----
> From: "Kingsley Idehen" <kidehen@openlinksw.com>
> To: public-rww@w3.org
> Sent: Monday, July 16, 2012 9:50:28 PM
> Subject: Re: Signed Email WebID
>
> On 7/16/12 3:44 PM, Henry Story wrote:
>> On 16 Jul 2012, at 19:35, Jürgen Jakobitsch wrote:
>>
>>> hi,
>>> thanks for input...
>>>
>>> just had a try with a cert created at my-profile..
>>>
>>> when opening an email, signed with said cert, there's a big red bar
>>> at the bottom of evolution with a broken cert icon.
>>> when i click on it, it says
>>>
>> Could be because my-profile needs to enable some of the magic x509 things, such
>> as e-mail signing options.
> Henry,
>
> You should configure your mail client of choice such that you can send
> signed emails. This exercise is crucial to WebID bootstrap, no matter
> how you look at it. Thus, I encourage you to start sending signed emails
> based on certs. with WebID watermarks :-)
>
> Kingsley
>>> Signer: SWC Juergen Jakobitsch <<unknown>>: Signing certificate not trusted
>>>
>>>
>>> hm... turnguard
>>>
>>>
>>> ----- Original Message -----
>>> From: "Henry Story" <henry.story@bblfish.net>
>>> To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
>>> Cc: public-rww@w3.org
>>> Sent: Monday, July 16, 2012 7:21:50 PM
>>> Subject: Re: Signed Email WebID
>>>
>>>
>>> On 16 Jul 2012, at 19:15, Jürgen Jakobitsch wrote:
>>>
>>>> hi,
>>>>
>>>> concerning kingsley's last mail.
>>>>
>>>> i stopped signing my mail, because i didn't figure out
>>>> how to create a NOT-self-signed certificate with a webID.
>>>>
>>>> gnome evolution and thunderbird showed them as broken
>>>> and i didn't want to scare people.
>>>>
>>>> is there a standard way of creating a NOT-self-signed  certificate
>>>> with a webID, without installing heaven and hell?
>>> Well I think if you make one on my-profile.eu, you get a not self signed
>>> certificate. Any system that uses keygen will tend to create non-self signed
>>> certs...
>>>
>>> Henry
>>>
>>>
>>>> any pointer really appreciated.
>>>>
>>>> wkr turnguard
>>>>
>>>> --
>>>> | Jürgen Jakobitsch,
>>>> | Software Developer
>>>> | Semantic Web Company GmbH
>>>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
>>>> | A - 1070 Wien, Austria
>>>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>>>>
>>>> COMPANY INFORMATION
>>>> | web       : http://www.semantic-web.at/
>>>> | foaf      : http://company.semantic-web.at/person/juergen_jakobitsch
>>>> PERSONAL INFORMATION
>>>> | web       : http://www.turnguard.com
>>>> | foaf      : http://www.turnguard.com/turnguard
>>>> | g+        : https://plus.google.com/111233759991616358206/posts
>>>> | skype     : jakobitsch-punkt
>>>> | xmlns:tg  = "http://www.turnguard.com/turnguard#"
>>>>
>>> Social Web Architect
>>> http://bblfish.net/


-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 16 July 2012 21:01:30 UTC