Re: Certificate Expiry

On 1/26/12 9:30 AM, Henry Story wrote:
> On 26 Jan 2012, at 14:55, Kingsley Idehen wrote:
>> I mean, anyone is in a position to construct a resource access policy based on
>> the credentials presented at resource access time. Thus, if I choose, I can
>> decide to not accept identity associated with an expired certificate.
> Nobody is denying that you can decide for each resource how secure and important
> it has to be. So most of my resources on bblfish.net are visible to everyone. I
> could put an authorisation scheme in front of it, and then really completely
> ignore any results of the authentication system - whatever that might well be,
> DNA fingerprinting or password, ... - because in the end I wanted the whole site
> to be public anyway. Or I could decide that if the person is not willing to try to
> access my resource with some identifying information, however true or false that
> information may be, I don't want to give them access. Or I could decide that I
> only want people with browsers that have client side authentication to connect,
> and that be all I care about. That is all fine and good.
>
> But I think with our WebID Verifiers we are trying to at least play a game
> where we are pretending the resource is something serious.

Yes, and in the Authentication realm, the best a verifier can do is make 
certificate expiration checking optional. We'll demonstrate this via a 
tweak to our verifier.

> These are the
> resources the military will be looking at to see which implementers are serious
> and which are liabilities to be sold to the enemy/competition. If you think
> about large corporations as military organisations, then you can see the same
> being said of them. And also of course hackers, as they will enjoy pulling
> apart any claim to security that does not stand up.

Model dexterity is the key to putting hackers in a tizzy.

>
>
> So of course military players set up honeypots where they allow people with
> false ids to log in, and they can even give them information that is partially
> true, because they can use the other's actions to trace the intention of the
> enemy. But we are not playing at that stage of the game yet, because we need
> to first prove that our system is working under normal conditions. Nobody will
> even bother with these advanced scenarios if that is not shown.

There is nothing "advanced" re. separating Authentication and 
Authorization. WebID's verification protocol is just about 
authentication. Driver's licenses, Passports etc. expire in the real 
world. Their expiration doesn't invalidate your identity. Of course, it 
might lead to issues associated with Authorization.

>
> Henry
>
> Social Web Architect
> http://bblfish.net/
>
>
>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
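An added example, not code from this thread or from either OpenLink's or bblfish.net's verifiers, of the separation Kingsley describes above: the verifier reports the WebID claimed in the certificate's subjectAltName together with whether the certificate is outside its validity period, and a per-resource policy decides what to make of that. Expiry checking is a switch on the verifier, as he proposes. The code uses only Go's standard library and builds a self-signed certificate carrying a constructed URI (https://example.com/people/alice#me) in place of a real WebID; the step where a real WebID verifier dereferences the profile document and compares the published public key is omitted, so this is only the certificate-side half of the protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// AuthnResult is what the verifier hands to the authorization layer: the
// identity claimed in the certificate plus the validity facts it observed.
// Expiry is reported as data, not turned into a verdict here.
type AuthnResult struct {
	WebID    string
	Expired  bool
	NotAfter time.Time
}

// VerifyWebIDCert does the certificate-side part of WebID authentication:
// the first subjectAltName URI is the claimed WebID, and Expired records
// whether `now` lies outside [NotBefore, NotAfter]. With enforceExpiry=false
// an expired certificate still authenticates and policy decides; with
// enforceExpiry=true it is rejected at this step. (Fetching the WebID profile
// and matching the public key is omitted in this example.)
func VerifyWebIDCert(cert *x509.Certificate, now time.Time, enforceExpiry bool) (*AuthnResult, error) {
	if len(cert.URIs) == 0 {
		return nil, errors.New("no subjectAltName URI, so no WebID claim to verify")
	}
	webid := cert.URIs[0].String()
	expired := now.Before(cert.NotBefore) || now.After(cert.NotAfter)
	if expired && enforceExpiry {
		return nil, fmt.Errorf("certificate claiming %s is outside its validity period", webid)
	}
	return &AuthnResult{WebID: webid, Expired: expired, NotAfter: cert.NotAfter}, nil
}

// Policy is a per-resource authorization rule, kept apart from the verifier.
type Policy struct {
	Public        bool            // anyone may read; the authentication result is ignored
	RejectExpired bool            // this resource refuses identities from expired certs
	AllowedWebIDs map[string]bool // otherwise an explicit access list
}

// Authorize decides access from the verifier's report; nil means the client
// presented nothing usable.
func (p Policy) Authorize(r *AuthnResult) bool {
	if p.Public {
		return true
	}
	if r == nil || (p.RejectExpired && r.Expired) {
		return false
	}
	return p.AllowedWebIDs[r.WebID]
}

// newTestCert builds a self-signed client certificate with a WebID URI in
// subjectAltName. Key and identity are constructed for this example only.
func newTestCert(webid string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example WebID holder"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		URIs:         []*url.URL{u},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// A constructed certificate that expired a day ago.
	cert, err := newTestCert("https://example.com/people/alice#me", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	r, err := VerifyWebIDCert(cert, now, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("authenticated as %s (expired=%v)\n", r.WebID, r.Expired)
	strict := Policy{RejectExpired: true, AllowedWebIDs: map[string]bool{r.WebID: true}}
	lenient := Policy{AllowedWebIDs: map[string]bool{r.WebID: true}}
	fmt.Println("strict resource:", strict.Authorize(r))   // false
	fmt.Println("lenient resource:", lenient.Authorize(r)) // true
	_, err = VerifyWebIDCert(cert, now, true)
	fmt.Println("verifier with enforceExpiry=true:", err)
}
```

The point of the split is that the same AuthnResult serves a public resource (which ignores it), a lenient one (which accepts the identity despite the expired certificate) and a strict one (which refuses it), without the verifier having to know which resource is being asked for.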

Received on Thursday, 26 January 2012 14:46:59 UTC