Re: Certificate Expiry (summary)

On 1/27/12 8:10 AM, Henry Story wrote:
> On 27 Jan 2012, at 13:55, Melvin Carvalho wrote:
>
>> On 27 January 2012 13:47, Jürgen Jakobitsch
>> <j.jakobitsch@semantic-web.at>  wrote:
>>> hi,
>>>
>>> is there a final conclusion on this issue yet,
>>> which an implementor can rely on?
>>>
>>> i think it would be a good idea to write a couple
>>> of lines into spec about this. from only reading
>>> the spec now, i have no clue what to do with the dates
>>> in a certificate.
>>>
>>> at current the best solution for WebIDRealm seems
>>> to simply have some boolean flags that get read on startup.
>>>
>>> mindCertificateNotYetValid (=true|false)
>>> mindCertificateExpired (=true|false)
>> Isn't this logic delegated to the X.509 spec?
> yes, but that does not mean we can't put a developer guide
> on our wiki.
>
> I would argue very simply:
>
>   - the client sends you a certificate which is a set of claims
>     if those claims contain an assertion that the certificate is
> expired there is prima facie reason to respect that assertion.
>
>   - if that claim is non expired and you fetch the profile which
>    does state that they key is expired (to be defined) then
>    there is reason to believe that your supporting evidence states
>    that the key is expired and hence that knowledge of the private key
>    does not constitute proof of webid = knower of private key identity.
>
> People who wish never to have issues with (1) can create very long
> lasting certificates. If people create short lasting certificates in
> (2) there may be a reason. Perhaps they have a game they are playing
> where n people each get 1 hour to accomplish a task. These n people
> act as one agent.
>
>     Does that make sense?

Yes.

+1

> If so perhaps we can put it up
> in some part of the wiki (HOWTO section?)

Yes.

Kingsley
>
>>> wkr j
>>>
>>> ----- Original Message -----
>>> From: "Kingsley Idehen"<kidehen@openlinksw.com>
>>> To: public-webid@w3.org
>>> Sent: Thursday, January 26, 2012 8:02:27 PM
>>> Subject: Re: Certificate Expiry (summary)
>>>
>>> On 1/26/12 1:32 PM, Henry Story wrote:
>>>> On 26 Jan 2012, at 19:12, Kingsley Idehen wrote:
>>>>
>>>>> On 1/26/12 12:08 PM, Joe Presbrey wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I caught up with Henry in a quick chat earlier about this and will let
>>>>>> you know a quick summary. Of course we all agree on extending the
>>>>>> trust network via URIs, resolving, issues and signers, cosigners,
>>>>>> freedom and liberty boxes, server clients, etc. all day long. In
>>>>>> addition:
>>>>>>
>>>>>> 1) we should distinguish old keys from current keys with status,
>>>>>> issuer, date, and/or other properties of the key in our profiles
>>>>> Okay, so do we tweak the Cert. Ontology accordingly? Or make an adjunct
>>>>> Assurance Ontology?
>>>> I don't see a problem adding a few notBefore/notAfter relations to the
>>>> cert ontology. We would want to state somehow that the relation between
>>>> the user and the public key as being one of identification was only valid
>>>> for a certain amount of time.
>>>>
>>>> What I am wondering is if that would make a difference to your argument
>>>> outlined in the thread. If someone were to use certificate with a WebID
>>>> that was backed up by a Profile whose key was described as being
>>>> expired, would not the argument you had outlined in the thread still
>>>> hold? Ie, that this is an issue with authorisation and not
>>>> authentication?
>>> Grey area that sits between the realms of Authentication and Authorization.
>>>
>>> Tweaking the ontology solves the problem.  Solomon was an ontologist :-)
>>>
>>>
>>> Kingsley
>>>>>> 2) expired self-signed WebIDs should not "go out with the trash", if a
>>>>>> hacker finds it, they can pretend they are you unless (1)
>>>>>>
>>>>>> 3) we should regard x509 properties in addition to (1) while WebID is
>>>>>> delivered via x509, but prefer LD mechanisms to be compatible with
>>>>>> other containers and transports
>>>>> Yes.
>>>>>
>>>>> Kingsley
>>>>>
>>>>>> Best,
>>>>>>
>>>>>> --
>>>>>> Joe Presbrey
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 26, 2012 at 11:40 AM, Henry Story<henry.story@bblfish.net>    wrote:
>>>>>>> yes make sense +1 - just add Summary to front of the e-mail subject.
>>>>>>> I think it would be good if each thread had a little summary.
>>>>>>>
>>>>>>> On 26 Jan 2012, at 17:35, Joe Presbrey wrote:
>>>>>>>
>>>>>>>> I drafted this summary email, if it looks good to you, do you want to send it?
>>>>> --
>>>>>
>>>>> Regards,
>>>>>
>>>>> Kingsley Idehen
>>>>> Founder&    CEO
>>>>> OpenLink Software
>>>>> Company Web: http://www.openlinksw.com
>>>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>>>> Twitter/Identi.ca handle: @kidehen
>>>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Social Web Architect
>>>> http://bblfish.net/
>>>>
>>>>
>>>>
>>>
>>> --
>>>
>>> Regards,
>>>
>>> Kingsley Idehen
>>> Founder&   CEO
>>> OpenLink Software
>>> Company Web: http://www.openlinksw.com
>>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>>> Twitter/Identi.ca handle: @kidehen
>>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> | Jürgen Jakobitsch,
>>> | Software Developer
>>> | Semantic Web Company GmbH
>>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
>>> | A - 1070 Wien, Austria
>>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>>>
>>> COMPANY INFORMATION
>>> | http://www.semantic-web.at/
>>>
>>> PERSONAL INFORMATION
>>> | web       : http://www.turnguard.com
>>> | foaf      : http://www.turnguard.com/turnguard
>>> | skype     : jakobitsch-punkt
>>> | xmlns:tg  = "http://www.turnguard.com/turnguard#"
>>>
> Social Web Architect
> http://bblfish.net/
>
>
>


-- 

Regards,

Kingsley Idehen	
Founder&  CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen