- From: Nathan <nathan@webr3.org>
- Date: Mon, 16 Jul 2012 23:11:21 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- CC: public-rww@w3.org
Kingsley Idehen wrote:
> On 7/16/12 5:49 PM, Nathan wrote:
>> Kingsley Idehen wrote:
>>> On 7/16/12 5:26 PM, Nathan wrote:
>>>> Kingsley Idehen wrote:
>>>>> On 7/16/12 4:42 PM, Nathan wrote:
>>>>>> Jürgen Jakobitsch wrote:
>>>>>>> how can I (as a normal user) create a certificate that is trusted
>>>>>>> by a common CA authority with a WebID?
>>>>>>
>>>>>> It's a great question without an easy answer.
>>>>>>
>>>>>> Theoretically it should be a case of configuring openssl using
>>>>>> openssl.conf in the usual round-about god awful way to get a
>>>>>> subjectAltName in there, then submitting the generated CSR to get it
>>>>>> signed by a well known CA.
>>>>>>
>>>>>> I've only self signed so far and not tested the CA bit, however I
>>>>>> know people have been doing it for years with certificates with
>>>>>> subjectAltName values in there, for LDAP - so rather sure it'll
>>>>>> work as expected.
>>>>>>
>>>>>>> or the other way round: I have a valid (from a CA authority)
>>>>>>> certificate, how do I get a WebID in there..
>>>>>>
>>>>>> You can't - requires a new cert.
>>>>>>
>>>>>>> the problem comes to light when you sign your emails with a
>>>>>>> certificate created with any of the WebID generators and most
>>>>>>> clients will say that this signature is not valid.
>>>>>>> I only have Evolution and Thunderbird at hand, but I assume
>>>>>>> Outlook and co. will also complain.
>>>>>>>
>>>>>>> I'd really like to sign my mails and have absolutely no problem
>>>>>>> with it, but I'm not gonna do it when I must assume that 90% of
>>>>>>> the recipients see some sort of warning that I'm sending
>>>>>>> untrusted mails...
>>>>>>
>>>>>> I share and understand your concerns. WebID is an awesome concept,
>>>>>> but the practicalities of dealing with certs are a *major* put
>>>>>> off. Mine expired ages ago and I know that any attempt to re-issue
>>>>>> it, with the same keys no less (as I use them for git/svn/scp etc.),
>>>>>> is going to be a complete nightmare. Thus I use an expired cert
>>>>>> for git/svn/scp, which still works on Linux, but I can't use WebID
>>>>>> any more until I fix it and jump through a few hoops to reissue.
>>>>>>
>>>>>> Shame, as WebID, at an abstract level, doesn't even need
>>>>>> certificates; it just needs a public/private keypair and a way to
>>>>>> pass the WebID over.
>>>>>>
>>>>>> Regardless, if you want to persist, I'm sure you can get this
>>>>>> working with a new CA signed cert :)
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Nathan
>>>>>
>>>>> Nathan,
>>>>>
>>>>> Why do you need a single certificate for anything? How about having
>>>>> a certificate aligned to specific activities, e.g., signed email via
>>>>> the S/MIME protocol? Thus, in this case you just generate a new cert
>>>>> that's specifically for email.
>>>>>
>>>>> WebID can't stand on its own during the early stages; it has to be
>>>>> hooked into existing protocols like S/MIME, OpenID, LDAP etc. to
>>>>> cost-effectively acquire both mindshare and appreciation. Of
>>>>> course, if it all pans out, the reality of keypairs will become
>>>>> even clearer and some of today's fluff will become much more
>>>>> optional. For today, we've gotta hone into bootstrap hacks and
>>>>> mechanics :-)
>>>>
>>>> Just personal preference to have a single certificate (although my
>>>> true preference is to have keys detached from certificates) - but
>>>> you raise good points as always; there's no reason for me (us) not
>>>> to have multiple certificates, especially if it helps with dog
>>>> fooding and getting this show on the road.
>>>>
>>>> Best, Nathan
>>>
>>> Yes, and it also addresses the Peter Parker and Spiderman identity
>>> conundrum.
>>>
>>> We carry many cards in our wallets already, so why not many WebID
>>> watermarked certs too :-)
>>>
>>> BTW -- did you try the social relationship ACL I set up re. one of my
>>> SPARQL endpoints? It's driven by SPARQL ASK.
>>
>> Ahh, I kept getting notifications from an ODS briefcase of yours; is
>> that what it was? (Will need to get new cert(s) before I do.)
>
> You get a notice any time I share a resource for the foaf:Group your
> WebID is a member of.
>
> Re. SPARQL endpoint test, you just need a WebID that resolves to a graph
> that has one of the requisite foaf:knows based social relationships. In
> this case, knowing one of: TimBL, Henry, Melvin, Jurgen, or I will
> suffice. Basically, as folks respond to the test, I add them to the list
> of WebIDs that should be objects of foaf:knows relationships.

link?
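The openssl.conf/CSR route Nathan sketches above, as an added example that is not part of this thread: a POSIX shell script that writes a minimal openssl config carrying the WebID as a URI subjectAltName (plus an rfc822Name so S/MIME clients can match the From: address), produces a key and CSR to submit to a CA, self-signs the same CSR for WebID testing while the CA request is pending, and checks that the SAN survived in both. The WebID, email address and CN are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: CSR with a WebID in subjectAltName.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WEBID="https://example.org/people/alice#me"   # placeholder, not a real WebID
EMAIL="alice@example.org"                      # placeholder address
WORK="${WORK:-$(mktemp -d)}"
# '#' starts a comment in openssl config files, so escape the '#me' fragment.
WEBID_CONF=$(printf '%s' "$WEBID" | sed 's/#/\\#/g')
# Minimal openssl config. The SAN holds the WebID as a URI and, so that
# S/MIME clients can match the From: address, an rfc822Name (email:) entry.
write_config() {
  cat > "$WORK/webid.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = Alice Example

[ v3_req ]
subjectAltName = URI:$WEBID_CONF,email:$EMAIL
keyUsage       = digitalSignature,keyEncipherment
EOF
}
# Generate the private key (it never leaves this machine) and the CSR.
make_csr() {
  write_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/webid.key" 2>/dev/null
  openssl req -new -key "$WORK/webid.key" -config "$WORK/webid.cnf" \
      -out "$WORK/webid.csr"
}

# Self-sign the same CSR for WebID testing while the CA request is pending.
# Without -extfile/-extensions, x509 -req silently drops the SAN from the CSR.
self_sign() {
  openssl x509 -req -in "$WORK/webid.csr" -signkey "$WORK/webid.key" \
      -extfile "$WORK/webid.cnf" -extensions v3_req -days 365 \
      -out "$WORK/webid.crt" 2>/dev/null
}
# Verify the WebID SAN actually made it into the CSR and into the cert.
csr_has_webid()  { openssl req  -in "$WORK/webid.csr" -noout -text | grep -q "URI:$WEBID"; }
cert_has_webid() { openssl x509 -in "$WORK/webid.crt" -noout -text | grep -q "URI:$WEBID"; }

make_csr && self_sign && csr_has_webid && cert_has_webid &&
  echo "WebID SAN present in $WORK/webid.csr and $WORK/webid.crt"
```

Only webid.csr goes to the CA; the resulting CA-signed certificate is the one to load into the mail client, while webid.crt is just for local WebID testing.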
Received on Monday, 16 July 2012 22:12:34 UTC