Re: Signed Email WebID

On 7/16/12 5:49 PM, Nathan wrote:
> Kingsley Idehen wrote:
>> On 7/16/12 5:26 PM, Nathan wrote:
>>> Kingsley Idehen wrote:
>>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>>> Jürgen Jakobitsch wrote:
>>>>>> how can i (as a normal user) create a certificate that is trusted
>>>>>> by a common ca authority with a webID.
>>>>>
>>>>> It's a great question without an easy answer.
>>>>>
>>>>> theoretically it should be a case of configuring openssl using 
>>>>> openssl.conf in the usual round-about god awful way to get a 
>>>>> subjectAltName in there, then submit the generated CSR to get it 
>>>>> signed by a well known CA.
>>>>>
>>>>> I've only self signed so far and not tested the CA bit, however I 
>>>>> know people have been doing it for years with certificate with 
>>>>> subjectAltName values in there, for LDAP - so rather sure it'll 
>>>>> work as expected.
>>>>>
>>>>>> or the other way round : i have a valid (from a ca authority) 
>>>>>> certificate how do i get a webID in there..
>>>>>
>>>>> You can't - requires a new cert.
>>>>>
>>>>>> the problem comes to light, when you sign your emails with a 
>>>>>> certificate
>>>>>> created with any of the webID generators and most clients will 
>>>>>> say that this signature is not valid.
>>>>>> i only have evolution and thunderbird at hand, but i assume the 
>>>>>> outlook and co. will also complain.
>>>>>>
>>>>>> i'd really like to sign my mails and have absolutely no problem 
>>>>>> with it, but
>>>>>> i'm not gonna do it, when i must assume that 90% of the 
>>>>>> recipients see some sort
>>>>>> of warning, that i'm sending untrusted mails...
>>>>>
>>>>> I share and understand your concerns, WebID is an awesome concept, 
>>>>> but the practicalities of dealing with certs are a *major* put 
>>>>> off, mine expired ages ago and I know that any attempt to re-issue 
>>>>> it, with the same keys no less (as I use them for git/svn/scp etc) 
>>>>> is going to be a complete nightmare. Thus I use an expired cert 
>>>>> for git/svn/scp which still works on linux, but I can't use webid 
>>>>> any more until I fix it and jump through a few hoops to reissue.
>>>>>
>>>>> Shame, as WebID - at an abstract level, doesn't even need 
>>>>> certificates, it just needs a public/private keypair and a way to 
>>>>> pass the webid over.
>>>>>
>>>>> Regardless, if you want to persist, I'm sure you can get this 
>>>>> working with a new CA signed cert :)
>>>>>
>>>>> Best,
>>>>>
>>>>> Nathan
>>>>>
>>>>>
>>>>>
>>>> Nathan,
>>>>
>>>> Why do you need a single Certificate for anything? How about having 
>>>> a certificate aligned to specific activities e.g., signed email via 
>>>> s/mime protocol? Thus, in this case you just generate a new cert 
>>>> that's specifically for email.
>>>>
>>>> WebID can't stand on its own during the early stages, it has to be 
>>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to 
>>>> cost-effectively acquire both mindshare and appreciation. Of 
>>>> course, if it all pans out, the reality of keypairs will become 
>>>> even clearer and some of today's fluff will become much more 
>>>> optional. For today, we've gotta hone into bootstrap hacks and 
>>>> mechanics :-)
>>>
>>> Just personal preference to have a single certificate (although my 
>>> true preference is to have keys detached from certificates) - but 
>>> you raise good points as always, there's no reason for me (us) not 
>>> to have multiple certificates, especially if it helps with dog 
>>> fooding and getting this show on the road.
>>>
>>> Best, Nathan
>>>
>>>
>>>
>>
>> Yes, and it also addresses the Peter Parker and Spiderman identity 
>> conundrum .
>>
>> We carry many cards in our wallets already, so why not many WebID 
>> watermarked certs too :-)
>>
>> BTW -- did you try the social relationship ACL I setup re. one on my 
>> SPARQL endpoints? Its driven by SPARQL ASK. s
>>
>
> Ahh I kept getting notifications from an ODS briefcase of yours, is 
> that what it was? (will need to get new cert(s) before I do)
>
>
>

You get a notice anytime I share a resource for the foaf:Group of your 
WebID is a member.

Re. SPARQL endpoint test, you just need a WebID that resolves to a graph 
that has one of the requisite foaf:knows based social relationships. In 
this case, knowing one of:  TimBL, Henry, Melvin, Jurgen, or I will 
suffice. Basically, as folks respond to the test, I add them to the list 
of WebIDs that should be objects of foaf:knows relationships.

As you can see, its a social networking hack that taps into AWWW DNA, 
via WebID :-)

-- 

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen