- From: Nathan <nathan@webr3.org>
- Date: Mon, 16 Jul 2012 22:49:36 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- CC: public-rww@w3.org
Kingsley Idehen wrote:
> On 7/16/12 5:26 PM, Nathan wrote:
>> Kingsley Idehen wrote:
>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>> Jürgen Jakobitsch wrote:
>>>>> how can i (as a normal user) create a certificate that is trusted
>>>>> by a common ca authority with a webID.
>>>>
>>>> It's a great question without an easy answer.
>>>>
>>>> theoretically it should be a case of configuring openssl using
>>>> openssl.conf in the usual round-about god awful way to get a
>>>> subjectAltName in there, then submit the generated CSR to get it
>>>> signed by a well known CA.
>>>>
>>>> I've only self signed so far and not tested the CA bit, however I
>>>> know people have been doing it for years with certificates with
>>>> subjectAltName values in there, for LDAP - so rather sure it'll work
>>>> as expected.
>>>>
>>>>> or the other way round : i have a valid (from a ca authority)
>>>>> certificate how do i get a webID in there..
>>>>
>>>> You can't - requires a new cert.
>>>>
>>>>> the problem comes to light, when you sign your emails with a
>>>>> certificate
>>>>> created with any of the webID generators and most clients will say
>>>>> that this signature is not valid.
>>>>> i only have evolution and thunderbird at hand, but i assume the
>>>>> outlook and co. will also complain.
>>>>>
>>>>> i'd really like to sign my mails and have absolutely no problem
>>>>> with it, but
>>>>> i'm not gonna do it, when i must assume that 90% of the recipients
>>>>> see some sort
>>>>> of warning, that i'm sending untrusted mails...
>>>>
>>>> I share and understand your concerns, WebID is an awesome concept,
>>>> but the practicalities of dealing with certs are a *major* put off,
>>>> mine expired ages ago and I know that any attempt to re-issue it,
>>>> with the same keys no less (as I use them for git/svn/scp etc) is
>>>> going to be a complete nightmare. Thus I use an expired cert for
>>>> git/svn/scp which still works on linux, but I can't use webid any
>>>> more until I fix it and jump through a few hoops to reissue.
>>>>
>>>> Shame, as WebID - at an abstract level, doesn't even need
>>>> certificates, it just needs a public/private keypair and a way to
>>>> pass the webid over.
>>>>
>>>> Regardless, if you want to persist, I'm sure you can get this
>>>> working with a new CA signed cert :)
>>>>
>>>> Best,
>>>>
>>>> Nathan
>>>>
>>> Nathan,
>>>
>>> Why do you need a single Certificate for anything? How about having a
>>> certificate aligned to specific activities e.g., signed email via
>>> s/mime protocol? Thus, in this case you just generate a new cert
>>> that's specifically for email.
>>>
>>> WebID can't stand on its own during the early stages, it has to be
>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to
>>> cost-effectively acquire both mindshare and appreciation. Of course,
>>> if it all pans out, the reality of keypairs will become even clearer
>>> and some of today's fluff will become much more optional. For today,
>>> we've gotta hone into bootstrap hacks and mechanics :-)
>>
>> Just personal preference to have a single certificate (although my
>> true preference is to have keys detached from certificates) - but you
>> raise good points as always, there's no reason for me (us) not to have
>> multiple certificates, especially if it helps with dog fooding and
>> getting this show on the road.
>>
>> Best, Nathan
>>
>
> Yes, and it also addresses the Peter Parker and Spiderman identity
> conundrum.
>
> We carry many cards in our wallets already, so why not many WebID
> watermarked certs too :-)
>
> BTW -- did you try the social relationship ACL I set up re. one of my
> SPARQL endpoints? It's driven by SPARQL ASK.
>

Ahh I kept getting notifications from an ODS briefcase of yours, is that what it was? (will need to get new cert(s) before I do)
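The openssl.conf step Nathan describes, worked through as an added example (not from the thread or any of its participants): a minimal config that requests a subjectAltName, a key and CSR generated against it, a self-signing step standing in for the CA, and a check that the SAN actually survived in both the CSR and the certificate. The WebID URI, the CN and the file names are constructed placeholders. One caveat the example handles: a WebID URI normally ends in a `#` fragment, and `#` starts a comment in an OpenSSL config file, so the SAN value must be quoted or the fragment is silently dropped.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Generates an RSA key and a CSR whose subjectAltName carries a WebID URI,
# self-signs it (a public CA would sign the CSR instead), and extracts the
# SAN from both artefacts so the result can be checked.
set -eu

WEBID="https://example.invalid/profile#me"   # constructed placeholder WebID
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # scratch directory for key/CSR/cert

# Write a minimal OpenSSL request config asking for a SAN extension.
# The value is double-quoted because '#' would otherwise begin a comment
# and the '#me' fragment would be lost from the certificate.
write_config() {
  cat > "$WORKDIR/webid.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = WebID test identity

[ v3_req ]
subjectAltName = "URI:$WEBID"
EOF
}

# Generate a 2048-bit RSA key and a CSR that requests the SAN extension.
make_csr() {
  write_config
  openssl genrsa -out "$WORKDIR/webid.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/webid.key" -config "$WORKDIR/webid.cnf" \
    -out "$WORKDIR/webid.csr" 2>/dev/null
}

# Self-sign the CSR. -extfile/-extensions re-apply the v3_req section;
# without that the issued certificate would carry no SAN at all, which is
# the same thing a CA has to do when it honours a requested extension.
self_sign() {
  openssl x509 -req -in "$WORKDIR/webid.csr" -signkey "$WORKDIR/webid.key" \
    -days 30 -extfile "$WORKDIR/webid.cnf" -extensions v3_req \
    -out "$WORKDIR/webid.crt" 2>/dev/null
}

# Print the SAN value line from the CSR (empty if no SAN was requested).
san_of_csr() {
  openssl req -in "$WORKDIR/webid.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Print the SAN value line from the certificate (empty if the signer dropped it).
san_of_cert() {
  openssl x509 -in "$WORKDIR/webid.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# Stand-alone run: build everything and show the SAN that ended up in each.
if [ "${0##*/}" = "webid-cert.sh" ]; then
  make_csr
  self_sign
  echo "CSR  SAN: $(san_of_csr)"
  echo "Cert SAN: $(san_of_cert)"
fi
```

Checking the issued certificate with `san_of_cert` is the step that matters when a real CA signs the CSR: some CAs rewrite or strip requested extensions, and a certificate without the `URI:` SAN cannot be used for WebID no matter how well it is trusted for S/MIME.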
Received on Monday, 16 July 2012 21:50:47 UTC