Re: Certificate Expiry

On 25 Jan 2012, at 16:36, Mischa Tuffield wrote:

> Hello, 
> 
> After Melvin pointed me at his/a calendar app (very cool btw) [1], I noticed that I managed to authenticate with my WebID[2] even though my cert had expired on 2012-01-17. I am guessing this is not a feature and it shouldn't be the case.
> 
> I have tested this expired cert on the following services, which I found on the WebID Test Suite[3]: 
> 
> https://auth.fcns.eu/auth/index.php?verbose=on (Failed to notice that my cert was expired) 
> https://id.myopenlink.net/webid_demo.html?webid=http%3A%2F%2Fmmt.me.uk%2Ffoaf.rdf%23mischa (Failed to notice that my cert was expired) 
> https://foafssl.org/test/WebId (This service noticed that my cert was expired) 
> https://resourceme.bergnet.org/test.php (My browser didn't even ask me for a cert in this case) 
> https://webid.turnguard.com:8443/WebIDTestServer/onlywithcert (This service noticed that my cert was expired) 
> 
> I just thought I would say :) 

Thanks Mischa. 

Of course we should justify why attending to certificate expiration is important, because otherwise why bother. 

So here are some thoughts:

  - a user may wish to create short-lived certificates for a particular task, 
    perhaps he is using a friend's computer, or working on a public computer. 

  - perhaps services like grid or cloud services want to distribute identities to their
    robots for a limited amount of time. 

  - by being faithful to dates we make it possible to do something like identity 
    ticketing: allowing agents to take on an identity only at a particular time.
    It would be fun to think up some interesting use cases.
 
  - [a bit longer term] 
    short-lived certificates are what BrowserID uses. They purposefully have short-lived
    certificates as they don't want WebID type dereferencing of the subject authentication  
    and prefer to verify the Issuer, without dereferencing the user. So they don't get 
    validation. We may want to use a similar mechanism for IANs which would help speed
    things up for large providers in the future. 



> 
> Great work everyone, 
> 
> Mischa *needs to generate a new cert I guess $todoList++.
> 
> [1] http://calendar.data.fm/ 
> [2] http://mmt.me.uk/foaf.rdf#mischa 
> [3] http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite#Some_WebID_Verification_Sites 
> _____________________________
> Mischa Tuffield PhD
> http://mmt.me.uk/
> http://mmt.me.uk/foaf.rdf#mischa
> 

Social Web Architect
http://bblfish.net/

Received on Wednesday, 25 January 2012 16:12:12 UTC
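
The validity-window check this thread is about, as an added example that is not part of the original messages or of any of the services listed: it tests both notBefore and notAfter, since the "identity ticketing" idea needs the lower bound as much as the upper one. The function names, the clock-skew parameter, the times of day and the one-hour ticket window are constructed for illustration; only the 2012-01-17 expiry date and the 25 January 2012 login date come from the thread.

```python
import ssl
from datetime import datetime, timezone

def validity_status(not_before, not_after, now, skew_seconds=0):
    """Classify a certificate's validity window at the aware datetime `now`.

    not_before / not_after use the text form OpenSSL prints for these
    fields, e.g. "Jan 17 00:00:00 2012 GMT".
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if end < start:
        raise ValueError("notAfter precedes notBefore")
    t = now.timestamp()
    if t + skew_seconds < start:
        return "not_yet_valid"   # matters for time-boxed "ticket" identities
    if t - skew_seconds > end:
        return "expired"         # the case reported in this thread
    return "valid"

def accept_client_cert(not_before, not_after, now, skew_seconds=0):
    """Gate to run before the WebID profile is dereferenced."""
    return validity_status(not_before, not_after, now, skew_seconds) == "valid"

# Constructed sample values (hypothetical windows, not real certificates).
UTC = timezone.utc
EXPIRED_CERT = ("Jan 17 00:00:00 2011 GMT", "Jan 17 00:00:00 2012 GMT")
TICKET_CERT = ("Jan 25 16:00:00 2012 GMT", "Jan 25 17:00:00 2012 GMT")
LOGIN_TIME = datetime(2012, 1, 25, 16, 12, 12, tzinfo=UTC)
EARLY = datetime(2012, 1, 25, 15, 59, 30, tzinfo=UTC)
LATE = datetime(2012, 1, 25, 17, 0, 30, tzinfo=UTC)

if __name__ == "__main__":
    cases = [("expired cert", EXPIRED_CERT, LOGIN_TIME),
             ("ticket, in window", TICKET_CERT, LOGIN_TIME),
             ("ticket, too early", TICKET_CERT, EARLY),
             ("ticket, too late", TICKET_CERT, LATE)]
    for label, (nb, na), when in cases:
        print(f"{label:18} {when.isoformat()} -> {validity_status(nb, na, when)}")
```

A non-zero `skew_seconds` tolerates small clock differences between issuer and verifier, which matters more as certificate lifetimes get shorter.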