- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 26 Jan 2012 15:39:59 +0100
- To: Joe Presbrey <presbrey@gmail.com>
- Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Mischa Tuffield <mischa@mmt.me.uk>, public-webid@w3.org
On 26 Jan 2012, at 15:29, Joe Presbrey wrote:

>>>> On 26 Jan 2012, at 08:33, Joe Presbrey wrote:
>>>>> The notion of self-signed WebID certificates (securely) expiring is invalid and quite easily misunderstood. There are no assurances for start/end dates (or any other properties, eg. WebID URI!) within the certificate itself.
>
>>> On 26 January 2012 10:57, Henry Story <henry.story@bblfish.net> wrote:
>>>> Not all WebID certificates are self signed. They can be signed by the service that creates them.
>
> So you agree then about not checking dates on self-signed certs.

No, because I agree with Mo that if I sign the certificate myself, then I have made a claim that should at the least be respected. Not respecting it means I can't generate short-lived certificates in public spaces, and it also means we'll have more trouble integrating with other systems like BrowserID.

>>>> This is probably not a bad thing, as the service that creates them can then have its own WebID,
>>>> and would end up constituting an extra verification layer. There is no requirement on self signed
>>>> certificates in WebID.
>
> Yes, it is a bad thing. Asking services to sign users so you can trust
> the X509 properties increases "total fail" significantly when the
> service is compromised [1].

I was not thinking of major CAs. Rather consider that your Freedom Box could generate its own private key and self-signed certificate and sign your client certificate with it.

> When starting from zero, there is no
> reason to trust a stand-alone "service" WebID if you can't trust a
> stand-alone "user" WebID, and therefore their respective assurances do
> not compound. The only time I can see signed WebIDs being useful is if
> you want a managed/corporate/closed WebID environment. Henry, please
> help us stay free and open!

There is no requirement that certificates be not self signed. But it turns out to be a lot more practical when they are not, as some of the demos here have shown. One-click signature by your web server (on your Freedom Box) makes it easy to deploy.

> X509 and CAs are not the good parts of WebID we should be
> exploring/extending. eg. SSH and GPG-generated keys are also great for
> WebID, as proven by Melvin. At Web scale, it's best to strive for
> decentralization.

Yes, having a limited number of CAs in the browser is what is problematic. But if each of us can be a "CA" then you know what's wrong with that :-)

>>>>> This is precisely why we resolve the WebID URI: to check if the claims in the certificate are true. We could also check the URI/LD to see if dates match, but we don't currently have schema for that
>
>> On 26 Jan 2012, at 11:01, Melvin Carvalho wrote:
>>> Perhaps validFrom and validTo would make more sense than oldKey as a predicate
>
> I agree.

Surely I meant: don't *yet* have schema for that :)

> [1] http://tech.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june

Social Web Architect
http://bblfish.net/
Received on Thursday, 26 January 2012 14:40:33 UTC
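The check the thread is arguing about, written out as an added example (this is not code from the list, from Henry Story, or from any WebID implementation). It builds a self-signed client certificate with the WebID URI in subjectAltName, then runs the verifier's side: dereference the URI, confirm the profile publishes the same RSA modulus and exponent, and only then enforce the dates. The certificate's notBefore/notAfter are respected as the signer's own claim, and the validFrom/validTo predicates Melvin proposes are modelled as optional fields on the profile, so a key can be retired at the URI even though the self-signed certificate says nothing about it. The WebID `https://example.org/profile#me`, the `Profile` struct and the in-memory `profiles` map (standing in for the fetched RDF document) are all assumptions made for the example; Go's standard-library `crypto/x509` does the ASN.1 work.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Profile stands in for what a verifier learns by dereferencing the WebID
// URI. It is constructed in memory for this example; a real verifier would
// parse cert:modulus and cert:exponent out of the fetched RDF document.
// ValidFrom/ValidTo model the predicates proposed in the thread; zero
// values mean the profile makes no claim about dates.
type Profile struct {
	Modulus   *big.Int
	Exponent  int
	ValidFrom time.Time
	ValidTo   time.Time
}

// NewKey generates the RSA key pair behind a WebID certificate.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SelfSignedWebIDCert builds a self-signed client certificate carrying the
// WebID URI in subjectAltName. Only the key holder vouches for its dates.
func SelfSignedWebIDCert(key *rsa.PrivateKey, webid string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID example (hypothetical)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		URIs:         []*url.URL{u},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// parent == template: the certificate signs itself with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID performs the WebID-TLS check: take the URI and public key out
// of the certificate, look the URI up (here: in the constructed map), and
// accept only if the profile publishes exactly that key. The certificate's
// own notBefore/notAfter are then enforced as the signer's claim, and any
// validFrom/validTo the profile carries as the profile owner's claim.
// It returns the authenticated WebID URI.
func VerifyWebID(cert *x509.Certificate, profiles map[string]Profile, now time.Time) (string, error) {
	if len(cert.URIs) == 0 {
		return "", errors.New("no WebID URI in subjectAltName")
	}
	webid := cert.URIs[0].String()
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("example handles RSA keys only")
	}
	p, found := profiles[webid]
	if !found {
		return "", fmt.Errorf("could not dereference %s", webid)
	}
	if p.Modulus == nil || p.Modulus.Cmp(pub.N) != 0 || p.Exponent != pub.E {
		return "", fmt.Errorf("key in certificate is not published at %s", webid)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate outside its own validity window")
	}
	if !p.ValidFrom.IsZero() && now.Before(p.ValidFrom) {
		return "", errors.New("profile says this key is not yet valid")
	}
	if !p.ValidTo.IsZero() && now.After(p.ValidTo) {
		return "", errors.New("profile says this key has expired")
	}
	return webid, nil
}

func main() {
	const webid = "https://example.org/profile#me" // hypothetical WebID
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// A short-lived self-signed certificate of the kind the thread wants to allow.
	cert, err := SelfSignedWebIDCert(key, webid, now.Add(-time.Minute), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	profiles := map[string]Profile{webid: {Modulus: key.N, Exponent: key.E}}
	fmt.Println(VerifyWebID(cert, profiles, now))                  // accepted
	fmt.Println(VerifyWebID(cert, profiles, now.Add(2*time.Hour))) // past notAfter
	profiles[webid] = Profile{Modulus: key.N, Exponent: key.E, ValidTo: now.Add(-time.Second)}
	fmt.Println(VerifyWebID(cert, profiles, now)) // retired at the URI
}
```

The order of the checks is the point: the key match against the dereferenced profile is what makes the certificate's other fields worth reading at all, after which the dates in a self-signed certificate are treated as the holder's own statement rather than as something a CA guaranteed. A profile-side validTo lets the owner revoke a key without touching the certificate, which is the gap Joe describes and the schema Melvin's predicates would fill.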