- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 25 Jan 2012 17:11:29 +0100
- To: Mischa Tuffield <mischa@mmt.me.uk>
- Cc: public-webid@w3.org
On 25 Jan 2012, at 16:36, Mischa Tuffield wrote:

> Hello,
>
> After Melvin pointed me at his/a calendar APP (very cool btw) [1], I noticed that I managed to authenticate with my WebID[2] even though my cert had expired on 2012-01-17, am guessing this is not a feature and it shouldn't be the case.
>
> I have tested this expired cert on the following services, which I found on the WebID Test Suite[3]:
>
> https://auth.fcns.eu/auth/index.php?verbose=on (Failed to notice that my cert was expired)
> https://id.myopenlink.net/webid_demo.html?webid=http%3A%2F%2Fmmt.me.uk%2Ffoaf.rdf%23mischa (Failed to notice that my cert was expired)
> https://foafssl.org/test/WebId (This service noticed that my cert was expired)
> https://resourceme.bergnet.org/test.php (My browser didn't even ask me for a cert in this case)
> https://webid.turnguard.com:8443/WebIDTestServer/onlywithcert (This service noticed that my cert was expired)
>
> I just thought I would say :)

Thanks Mischa.

Of course we should justify why attending to certificate expiration is important, because otherwise why bother. So here are some thoughts:

- a user may wish to create short lived certificates for a particular task, perhaps he is using a friend's computer, or working on a public computer.
- perhaps services like grid or cloud services want to distribute identities to their robots for a limited amount of time.
- by being faithful to dates we make it possible to do something like identity ticketing: allowing agents to take on an identity only at a particular time. It would be fun to think up some interesting use cases
- [a bit longer term] short lived certificates are what BrowserId uses. They purposefully have short lived certificates as they don't want WebID type dereferencing of the subject authentication and prefer to verify the Issuer, without dereferencing the user. So they don't get validation.
  We may want to use a similar mechanism for IANs which would help speed things up for large providers in the future.

> Great work everyone,
>
> Mischa *needs to generate a new cert I guess $todoList++.
>
> [1] http://calendar.data.fm/
> [2] http://mmt.me.uk/foaf.rdf#mischa
> [3] http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite#Some_WebID_Verification_Sites
> _____________________________
> Mischa Tuffield PhD
> http://mmt.me.uk/
> http://mmt.me.uk/foaf.rdf#mischa
>

Social Web Architect
http://bblfish.net/
Received on Wednesday, 25 January 2012 16:12:12 UTC
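The validity-window check discussed in this thread, as an added Go example that is not part of the original message or of any of the listed services. It assumes the verifier receives the client certificate as DER and that the TLS layer accepted it without chain validation, so nothing else has looked at its dates. `CheckClientCert`, `SampleCert` and the `example.org` WebID are hypothetical names, and the profile dereferencing step of WebID verification is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckClientCert rejects a client certificate outside its validity window
// and returns the claimed WebID (first URI subjectAltName) otherwise.
func CheckClientCert(der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parse client certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate outside validity window (notAfter %s)", cert.NotAfter.Format(time.RFC3339))
	}
	if len(cert.URIs) == 0 {
		return "", fmt.Errorf("no URI subjectAltName, no WebID claimed")
	}
	return cert.URIs[0].String(), nil
}

// SampleCert builds a constructed self-signed certificate (test data only).
func SampleCert(webid string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: notBefore, NotAfter: notAfter, URIs: []*url.URL{u}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	exp := time.Date(2012, 1, 17, 0, 0, 0, 0, time.UTC) // expiry date from the report
	der, _ := SampleCert("https://example.org/card#me", exp.AddDate(-1, 0, 0), exp)
	fmt.Println(CheckClientCert(der, exp.AddDate(0, 0, 8))) // eight days after expiry
}
```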