Re: Certificate Expiry from Henry Story on 2012-01-26 (public-webid@w3.org from January 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 26 Jan 2012 11:14:35 +0100
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Joe Presbrey <presbrey@gmail.com>, Mischa Tuffield <mischa@mmt.me.uk>, public-webid@w3.org
Message-Id: <C7D0DE3F-344B-4052-8FD7-3EB8DCED4585@bblfish.net>

On 26 Jan 2012, at 11:01, Melvin Carvalho wrote:

> On 26 January 2012 10:57, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 26 Jan 2012, at 08:33, Joe Presbrey wrote:
>> 
>>> The notion of self-signed WebID certificates (securely) expiring is invalid and quite easily misunderstood. There are no assurances for start/end dates (or any other properties, eg. WebID URI!) within the certificate itself.
>> 
>> Not all WebID certificates are self signed. They can be signed by the service that creates them.
>> This is probably not a bad thing, as the service that creates them can then have it's own WebID,
>> and would end up constituting an extra verification layer. There is no requirement on self signed
>> certificates in WebID.
>> 
>> 
>>> 
>>> This is precisely why we resolve the WebID URI: to check if the claims in the certificate are true. We could also check the URI/LD to see if dates match, but we don't currently have schema for that, and why bother?
>>> 
>>> Remove the "expired" certificate's public key from your FOAF/LinkedData if you want to deactivate it.
>> 
>> I agree, removing the expired certificate PK is one thing to do.
>> ( But one might not necessarily want to remove the key either. We may want to have
>> a relation for ex keys, so that people who used keys to sign documents in the
>> past can still verify those signatures. e.g.
>> 
>> <#me> cert:oldKey [ ...]
>> )
> 
> Perhaps validFrom and validTo would make more sense than oldKey as a predicate

If you do that then you make the verification of keys a lot more complex, as 
software would not have to check time stamps on keys. 

> 
>> 
>> 
>> 
>> 
>>> Otherwise,
>>> 
>>> re-self-sign:
>>> https://gist.github.com/1653329
>>> 
>>> You won't need to update your FOAF/LD as your Public Key will not change.
>>> 
>>> 
>>> On Wed, 25 Jan 2012, Mischa Tuffield wrote:
>>>> Mischa *needs to generate a new cert I guess $todoList++.
>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 

Social Web Architect
http://bblfish.net/

Received on Thursday, 26 January 2012 10:15:06 UTC