- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Thu, 26 Jan 2012 13:17:43 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- Cc: public-webid@w3.org
On 26 January 2012 12:59, Kingsley Idehen <kidehen@openlinksw.com> wrote: > On 1/26/12 2:33 AM, Joe Presbrey wrote: >> >> The notion of self-signed WebID certificates (securely) expiring is >> invalid and quite easily misunderstood. There are no assurances for >> start/end dates (or any other properties, eg. WebID URI!) within the >> certificate itself. >> >> This is precisely why we resolve the WebID URI: to check if the claims in >> the certificate are true. We could also check the URI/LD to see if dates >> match, but we don't currently have schema for that, and why bother? >> >> Remove the "expired" certificate's public key from your FOAF/LinkedData if >> you want to deactivate it. Otherwise, >> >> re-self-sign: >> https://gist.github.com/1653329 >> >> You won't need to update your FOAF/LD as your Public Key will not change. >> >> >> On Wed, 25 Jan 2012, Mischa Tuffield wrote: >>> >>> Mischa *needs to generate a new cert I guess $todoList++. >> >> >> >> > +1 > > I've been mauling over this a bit and I don't think it really fits into the > Authentication realm. This is an Authorization realm matter. Basically, one > should be able to construct a resource access policy (via ACL) that > determines how certificate expiration is to be handled. +1 out of scope of this version of the Protocol spec ... The proposed ideas of :expiredKey predicate maybe also with validFrom, validTo may possibly be modeled later perhaps or in another vocab (already we have the security vocab) [1] and webkeys spec [2] there's also some commands in openssl to check expiry I believe x509 -in <public crt.pem> -noout -enddate [1] http://payswarm.com/vocabs/security [2] http://payswarm.com/specs/ED/web-keys/2012-01-23/ > > > -- > > Regards, > > Kingsley Idehen > Founder& CEO > OpenLink Software > Company Web: http://www.openlinksw.com > Personal Weblog: http://www.openlinksw.com/blog/~kidehen > Twitter/Identi.ca handle: @kidehen > Google+ Profile: https://plus.google.com/112399767740508618350/about > LinkedIn Profile: http://www.linkedin.com/in/kidehen > > > > > >
Received on Thursday, 26 January 2012 12:18:14 UTC