- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 16 Jul 2012 18:02:41 -0400
- To: public-rww@w3.org
- Message-ID: <50048F81.5050402@openlinksw.com>
On 7/16/12 5:49 PM, Nathan wrote: > Kingsley Idehen wrote: >> On 7/16/12 5:26 PM, Nathan wrote: >>> Kingsley Idehen wrote: >>>> On 7/16/12 4:42 PM, Nathan wrote: >>>>> Jürgen Jakobitsch wrote: >>>>>> how can i (as a normal user) create a certificate that is trusted >>>>>> by a common ca authority with a webID. >>>>> >>>>> It's a great question without an easy answer. >>>>> >>>>> theoretically it should be a case of configuring openssl using >>>>> openssl.conf in the usual round-about god awful way to get a >>>>> subjectAltName in there, then submit the generated CSR to get it >>>>> signed by a well known CA. >>>>> >>>>> I've only self signed so far and not tested the CA bit, however I >>>>> know people have been doing it for years with certificate with >>>>> subjectAltName values in there, for LDAP - so rather sure it'll >>>>> work as expected. >>>>> >>>>>> or the other way round : i have a valid (from a ca authority) >>>>>> certificate how do i get a webID in there.. >>>>> >>>>> You can't - requires a new cert. >>>>> >>>>>> the problem comes to light, when you sign your emails with a >>>>>> certificate >>>>>> created with any of the webID generators and most clients will >>>>>> say that this signature is not valid. >>>>>> i only have evolution and thunderbird at hand, but i assume the >>>>>> outlook and co. will also complain. >>>>>> >>>>>> i'd really like to sign my mails and have absolutely no problem >>>>>> with it, but >>>>>> i'm not gonna do it, when i must assume that 90% of the >>>>>> recipients see some sort >>>>>> of warning, that i'm sending untrusted mails... >>>>> >>>>> I share and understand your concerns, WebID is an awesome concept, >>>>> but the practicalities of dealing with certs are a *major* put >>>>> off, mine expired ages ago and I know that any attempt to re-issue >>>>> it, with the same keys no less (as I use them for git/svn/scp etc) >>>>> is going to be a complete nightmare. Thus I use an expired cert >>>>> for git/svn/scp which still works on linux, but I can't use webid >>>>> any more until I fix it and jump through a few hoops to reissue. >>>>> >>>>> Shame, as WebID - at an abstract level, doesn't even need >>>>> certificates, it just needs a public/private keypair and a way to >>>>> pass the webid over. >>>>> >>>>> Regardless, if you want to persist, I'm sure you can get this >>>>> working with a new CA signed cert :) >>>>> >>>>> Best, >>>>> >>>>> Nathan >>>>> >>>>> >>>>> >>>> Nathan, >>>> >>>> Why do you need a single Certificate for anything? How about having >>>> a certificate aligned to specific activities e.g., signed email via >>>> s/mime protocol? Thus, in this case you just generate a new cert >>>> that's specifically for email. >>>> >>>> WebID can't stand on its own during the early stages, it has to be >>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to >>>> cost-effectively acquire both mindshare and appreciation. Of >>>> course, if it all pans out, the reality of keypairs will become >>>> even clearer and some of today's fluff will become much more >>>> optional. For today, we've gotta hone into bootstrap hacks and >>>> mechanics :-) >>> >>> Just personal preference to have a single certificate (although my >>> true preference is to have keys detached from certificates) - but >>> you raise good points as always, there's no reason for me (us) not >>> to have multiple certificates, especially if it helps with dog >>> fooding and getting this show on the road. >>> >>> Best, Nathan >>> >>> >>> >> >> Yes, and it also addresses the Peter Parker and Spiderman identity >> conundrum . >> >> We carry many cards in our wallets already, so why not many WebID >> watermarked certs too :-) >> >> BTW -- did you try the social relationship ACL I setup re. one on my >> SPARQL endpoints? Its driven by SPARQL ASK. s >> > > Ahh I kept getting notifications from an ODS briefcase of yours, is > that what it was? (will need to get new cert(s) before I do) > > > You get a notice anytime I share a resource for the foaf:Group of your WebID is a member. Re. SPARQL endpoint test, you just need a WebID that resolves to a graph that has one of the requisite foaf:knows based social relationships. In this case, knowing one of: TimBL, Henry, Melvin, Jurgen, or I will suffice. Basically, as folks respond to the test, I add them to the list of WebIDs that should be objects of foaf:knows relationships. As you can see, its a social networking hack that taps into AWWW DNA, via WebID :-) -- Regards, Kingsley Idehen Founder & CEO OpenLink Software Company Web: http://www.openlinksw.com Personal Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca handle: @kidehen Google+ Profile: https://plus.google.com/112399767740508618350/about LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 16 July 2012 22:02:38 UTC