Re: X509 and Verificable Creds: A Quick Note on WebID history - Re: All the Agents Challenge (ATAC) at ISWC 2021 from Kingsley Idehen on 2021-07-26 (public-rww@w3.org from July 2021)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 26 Jul 2021 10:18:19 -0400
To: public-rww@w3.org
Message-ID: <cb485ac1-6dce-fb11-c3f6-ebbf9d400200@openlinksw.com>
On 7/25/21 5:22 PM, Henry Story wrote:
>
>> On 25. Jul 2021, at 21:37, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>
>> On 7/24/21 3:44 PM, Henry Story wrote:
>>> A proof is that it took 10 years to get to the point where credentials
>>> could replace X509 certificates, and it is actually not quite there yet,
>>> as we need RDF canonicalization, which will take another 3 years.
>>
>> Hi Henry,
>>
>> Why is X.509 Certificate replacement important? Personally, I've always
>> felt its ubiquity enables one solve Identity challenges by simply
>> hooking in the magical powers of resolvable URIs.
> Indeed the extremely wide deployment of X509 is its major advantage.
> That is why we used it with WebID-TLS. Every browser from around 1999
> had a built in keystore for X509 certificates tied to TLS that allowed
> client authentication.  The wide deployment of this technology with
> the hope it could potentially be improved, led me to be very enthusiastic
> about using it. WebID-TLS was a clever logical hack on that deployed foundation
> to allow us to create decentralised social networks.
>
> One problem of X509 was that it was built on ASN.1 which is pre-web binary
> format. 


So you have ubiquity and structured data representation format
preferences (or trends) colliding.

Every modern computer operating systems knows what to do with an X.509
certificate. That kind of ubiquity should be sacrosanct.


> It’s an EAV format where relations are named by numbers, with no
> semantics and only belatedly a central registrar for registering these numbers.
> https://www.alvestrand.no/objectid/
> The gap between that and both JSON-LD, Turtle or any other RDF tech is huge.
> Indeed the heated debates between RDF formats are just storms in some folks’ teacups,
> in comparison.
>
>
> An RDF based certificate format based on linked data is compared to ASN1 something
> like a 40 year technology jump forward.


I don't see it that way.

What I've always seen is the use of a resolvable IRI to create a pathway
to credentials that build on what's in an X.509 cert i.e., embrace and
extend by meshing structured data across two sources.

You have an X.509 cross-referencing an RDF-based Profile document as the
underlying kernel of a protocol.


> It’s a huge step. 12 years ago it was a
> 28 year step forward. As was predictable, replacing something like ASN.1 with
> a RDF tech was a huge undertaking. 


The replacement part is expense and unnecessary, IMHO.


> It required not just replacing a binary format
> with a linked data one, but also building new keystores, developing ontologies,
> and a lot more…


Again, resolvable IRIs as the basis for WebID was never about replacing
ASN.1 based credentials. It was about using the power of de-reference to
augment various credential sources.


>
> Another problem with X509 and TLS is that TLS is at a layer below the HTTP stack,
> and even though some folks at Mozilla have been trying to link these together I think
> those have failed. Otherwise it would potentially be possible to use VCs as
> client side TLS replacements. But I think with HTTP Sig one can actually get a much
> simpler solution at the same layer as HTTP.


I see this issue as more to do with browser implementation choices by
browser vendors.

Delegation gets around this problem as we've demonstrated for many years.

Ultimately, you need delegation (expressed using machine-readable
semantics) in order to not conflate the user of a browser and the
browser itself (a piece of software).


>
> What may go a lot further would be the deployment of P2P extensions to HTTP.
> https://github.com/w3c/architecture/issues/14
>
> Henry Story
> https://twitter.com/bblfish
>
>
>
>
>
>
>

-- 
Regards,

Kingsley Idehen       
Founder & CEO 
OpenLink Software   
Home Page: http://www.openlinksw.com
Community Support: https://community.openlinksw.com
Weblogs (Blogs):
Company Blog: https://medium.com/openlink-software-blog
Virtuoso Blog: https://medium.com/virtuoso-blog
Data Access Drivers Blog: https://medium.com/openlink-odbc-jdbc-ado-net-data-access-drivers

Personal Weblogs (Blogs):
Medium Blog: https://medium.com/@kidehen
Legacy Blogs: http://www.openlinksw.com/blog/~kidehen/
              http://kidehen.blogspot.com

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
        : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 26 July 2021 14:18:38 UTC