Re: Fixing TLS Trust

On 1 May 2012, at 05:03, Geoffrey Keating wrote:

> Henry Story <henry.story@bblfish.net> writes:
> 
>> TLS currently helps one know that when one opens a connection to a
>> service (domain:port pair) one is actually connected to the machine
>> that officially owns that domain. It does not give one the big
>> picture of what kind of entity one is actually connected to: i.e. it
>> does not answer the following questions:
>> 
>> - is this a legal entity?
>> - which country is it based in (or which legal framework is it responsible to)
>> - who are the owners
>> - what kind of organisation is it? (individual, bank, commerce, school, university, charity...)
> 
> Isn't this mostly covered by EV certificates?
> 
> - The 'is this a legal entity' part is answered with 'yes'.
> 
> - The country/legal framework part is the
>  jurisdictionOfIncorporationCountryName field and similar.

yes.

> 
> - It doesn't describe the owners, but of course that information could
>  change between the time the connection is opened and the packets
>  reach the other end; except in the case where a certificate is
>  issued to a sole proprietor, in which case that individual is named
>  in the certificate.  In the case of a company it does provide
>  sufficient information to track down the company and find its owners
>  if they are publicly available.

This is the advantage of placing this information on the web rather than
in the certificate. A Web page (enriched with RDFa or with a content negotiated
RDF representation such as Turtle, RDF/XML, or JSON-LD) can be updated much
more easily and readily than a certificate. So if the management changes,
the certificates of the company do not have to change in step.

This is similar to the argument for using WebID for distributed social networks.
Where PGP and X509 tend to place the information about the entity in a signed
certificate that cannot be changed, WebID places the information about a user
and his social network on the web in such a way that information can be partially
revealed using access control depending on the user connecting (authenticated with
WebID).

http://www.w3.org/wiki/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F

> 
> - The kind of organisation is covered by the businessCategory field.

Thanks for filling that in.  I think the RDF linked data web can be complementary
to the role played by the EV Certificates, which can continue to provide this
information. What would be possible would be for a much richer set of relations
to be expressed in RDF, that furthermore have much clearer semantics, and
are much easier to read and write for a much larger body of people than the ASN.1
expertise required to work with X509 certificates. In fact it would probably
be an interesting exercise to provide RDF semantics for X509, making X509 just
another RDF serialisation (the way GRDDL allows any XML format to be thought of
as a serialisation of RDF http://www.w3.org/TR/grddl/ ).

Certificate organisations may be very well placed to provide such a service
( a profile document for each of the organisations they certify containing
richer information ) given that they understand the security space, could
easily acquire the linked data knowledge, and are aware of the need to
evolve their business model.
But certificate authorities need not be the only ones to participate in this
process. Other organisations such as local authorities could certify local
businesses for example, which they have a much closer relation to than the
current certificate authorities. (Of course it will presumably take a lot
longer before the knowledge and processes for how to do this develop and trickle
down to that level; I'd guess 10-15 years or so.)

> 
> The presentation seemed interesting.

Thanks :-) 
Besides the overlap between the EV Certificates and the richer model
available from the linked data web, there is another part of the presentation
that shows how this can be used by banks to create account certificates for
their users, which could then be used for commercial transactions. There again
the richness of the semantic web makes it easy to see how account profiles can
link to payment forms/collections that can be used to automate payments. IBM and
others have done some very interesting work here to put in place some framework
for this in the Linked Data Profile submission which will soon form a W3C
working group. http://www.w3.org/Submission/2012/02/ This essentially specifies
how RESTful semantic services can be described.

Henry

Social Web Architect
http://bblfish.net/

Received on Tuesday, 1 May 2012 08:12:47 UTC
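The thread's suggestion that X.509 could be read as "just another RDF serialisation" is sketched below for the one part of a certificate the thread actually discusses, the subject Name with its EV attributes (businessCategory, jurisdictionOfIncorporationCountryName). This is an added example, not code from the message, from bblfish.net or from the W3C: it uses only the Python standard library, builds a constructed DER-encoded Name (the values are made up), parses it with a minimal DER reader, and emits Turtle. The attribute OIDs are the real X.520 / CA-Browser Forum EV ones; the `ev:` vocabulary IRI and the profile IRI it describes are hypothetical, and attribute types the map does not know fall back to `urn:oid:` predicates.

```python
"""X.509 subject Name -> RDF (Turtle), stdlib only.

Added example for the discussion above; not code from the thread.
The sample Name is constructed; EV_NS and PROFILE_IRI are hypothetical.
"""

# X.520 / EV attribute type OIDs -> hypothetical ev: property names.
OID_TO_PROPERTY = {
    "2.5.4.3": "commonName",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "countryName",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionOfIncorporationLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}
EV_NS = "http://example.org/vocab/ev#"          # hypothetical namespace
PROFILE_IRI = "https://www.example.com/profile#org"  # hypothetical subject
UTF8STRING, PRINTABLESTRING = 0x0C, 0x13

# --- minimal DER encoder, used only to build the constructed sample Name ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_name(rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one AVA per RDN."""
    sets = b"".join(
        _tlv(0x31, _tlv(0x30, encode_oid(oid) + _tlv(tag, value.encode("utf-8"))))
        for oid, value, tag in rdns)
    return _tlv(0x30, sets)

# --- minimal DER reader ---
def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _iter_children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def decode_oid(body):
    """Inverse of encode_oid; first-octet split is enough for arcs 0..2."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Return [(dotted_oid, value), ...] in DN order, rejecting trailing bytes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    attrs = []
    for set_tag, set_body in _iter_children(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for seq_tag, ava in _iter_children(set_body):
            if seq_tag != 0x30:
                raise ValueError("AVA must be a SEQUENCE")
            (oid_tag, oid_body), (val_tag, val_body) = list(_iter_children(ava))
            if oid_tag != 0x06:
                raise ValueError("AVA must start with an OID")
            enc = "utf-8" if val_tag == UTF8STRING else "ascii"
            attrs.append((decode_oid(oid_body), val_body.decode(enc)))
    return attrs

def _literal(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def name_to_turtle(subject_iri, der):
    """One triple per attribute; unmapped types become <urn:oid:...> predicates."""
    lines = [f"@prefix ev: <{EV_NS}> ."]
    for oid, value in parse_name(der):
        prop = OID_TO_PROPERTY.get(oid)
        pred = f"ev:{prop}" if prop else f"<urn:oid:{oid}>"
        lines.append(f"<{subject_iri}> {pred} {_literal(value)} .")
    return "\n".join(lines)

# Constructed EV-style subject (values are made up for the example).
SAMPLE_DN = encode_name([
    ("1.3.6.1.4.1.311.60.2.1.3", "GB", PRINTABLESTRING),
    ("2.5.4.15", "Private Organization", UTF8STRING),
    ("2.5.4.5", "01234567", PRINTABLESTRING),
    ("2.5.4.6", "GB", PRINTABLESTRING),
    ("2.5.4.10", "Example Ltd", UTF8STRING),
    ("2.5.4.3", "www.example.com", UTF8STRING),
])

if __name__ == "__main__":
    print(name_to_turtle(PROFILE_IRI, SAMPLE_DN))
```

The subject of the triples is the organisation's profile IRI rather than the certificate itself, which is the point the thread makes: the certificate's fixed attributes become ordinary assertions about a web resource that can carry further, updatable relations alongside them. The reader deliberately refuses trailing bytes and non-SET/SEQUENCE structure instead of skipping over them, since lenient DER parsing is where name-confusion bugs usually start.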