- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 1 May 2012 10:12:11 +0200
- To: Geoffrey Keating <geoffk@geoffk.org>
- Cc: "tls@ietf.org List" <tls@ietf.org>, public-webid <public-webid@w3.org>
On 1 May 2012, at 05:03, Geoffrey Keating wrote:

> Henry Story <henry.story@bblfish.net> writes:
>
>> TLS currently helps one know that when one opens a connection to a
>> service (domain:port pair) one is actually connected to the machine
>> that officially owns that domain. It does not give one the big
>> picture of what kind of entity one is actually connected to: i.e. it
>> does not answer the following questions:
>>
>> - is this a legal entity?
>> - which country is it based in (or which legal framework is it responsible to)
>> - who are the owners
>> - what kind of organisation is it? (individual, bank, commerce, school, university, charity...)
>
> Isn't this mostly covered by EV certificates?
>
> - The 'is this a legal entity' part is answered with 'yes'.
>
> - The country/legal framework part is the
> jurisdictionOfIncorporationCountryName field and similar.

yes.

> - It doesn't describe the owners, but of course that information could
> change between the time the connection is opened and the packets
> reach the other end; except in the case where a certificate is
> issued to a sole proprietor, in which case that individual is named
> in the certificate. In the case of a company it does provide
> sufficient information to track down the company and find its owners
> if they are publicly available.

This is the advantage of placing this information on the web rather than in the certificate. A Web page (enriched with RDFa or with a content negotiated RDF representation such as Turtle, RDF/XML, or JSON-LD) can be updated much more easily and readily than a certificate. So if the management changes, the certificates of the company do not have to change in step. This is similar to the argument for using WebID for distributed social networks.

Where PGP and X509 tend to place the information about the entity in a signed certificate that cannot be changed, WebID places the information about a user and his social network on the web in such a way that information can be partially revealed using access control depending on the user connecting (authenticated with WebID):

http://www.w3.org/wiki/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F

> - The kind of organisation is covered by the businessCategory field.

Thanks for filling that in. I think the RDF linked data web can be complementary to the role played by the EV Certificates, which can continue to provide this information. What would be possible would be for a much richer set of relations to be expressed there in RDF, that have furthermore much clearer semantics, and are much easier to read and write for a much larger body of people than the ASN.1 expertise required to work with X509 certificates. In fact it would probably be an interesting exercise to provide RDF semantics for X509, making X509 just another RDF serialisation (the way GRDDL allows any XML format to be thought of as a serialisation of RDF: http://www.w3.org/TR/grddl/ ).

Certificate organisations may be very well placed to provide such a service (a profile document for each of the organisations they certify containing richer information) given that they understand the security space, could easily acquire the linked data knowledge, and are aware of the need to evolve their business model. But certificate authorities need not be the only ones to participate in this process. Other organisations such as local authorities could certify local businesses for example, which they have a much closer relation to than the current certificate authorities. (Of course it will presumably take a lot longer before the knowledge and processes for how to do this develop and trickle down to that level; I'd guess 10-15 years or so.)

> The presentation seemed interesting.

Thanks :-)

Besides the overlap between the EV Certificates and the richer model available from the linked data web, there is another part of the presentation that shows how this can be used by banks to create account certificates for their users, which could then be used for commercial transactions. There again the richness of the semantic web makes it easy to see how account profiles can link to payment forms/collections that can be used to automate payments. IBM and others have done some very interesting work here to put in place some framework for this in the Linked Data Profile submission, which will soon form a W3C working group:

http://www.w3.org/Submission/2012/02/

This essentially specifies how RESTful semantic services can be described.

Henry

Social Web Architect
http://bblfish.net/
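As an added illustration of the "X509 as another RDF serialisation" idea raised above (example code, not part of the thread and not any project's own code): it DER-encodes a constructed EV-style subject Name carrying the fields discussed (countryName, organizationName, businessCategory, jurisdictionOfIncorporationCountryName), decodes it again with a minimal DER walker, and emits the attributes as Turtle triples. The `x509:` vocabulary IRI and the sample organisation are placeholders; only short-form DER lengths are handled.

```python
# DER-encoded attribute type OIDs for the EV fields named in the thread.
OIDS = {
    "countryName": bytes.fromhex("550406"),        # 2.5.4.6
    "organizationName": bytes.fromhex("55040a"),   # 2.5.4.10
    "businessCategory": bytes.fromhex("55040f"),   # 2.5.4.15
    "jurisdictionOfIncorporationCountryName": bytes.fromhex("2b0601040182373c020103"),  # 1.3.6.1.4.1.311.60.2.1.3
}
NAMES = {oid: name for name, oid in OIDS.items()}
X509_NS = "http://example.org/x509#"  # placeholder vocabulary, not a published one

def tlv(tag, content):
    """DER tag-length-value; short-form length only (the constructed sample stays small)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def encode_name(attrs):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, OIDS[k]) + tlv(0x0C, v.encode("utf-8"))))
            for k, v in attrs]
    return tlv(0x30, b"".join(rdns))

def walk(buf):
    """Yield (tag, value) for each DER TLV in buf (short-form lengths only)."""
    p = 0
    while p < len(buf):
        tag, ln = buf[p], buf[p + 1]
        yield tag, buf[p + 2:p + 2 + ln]
        p += 2 + ln

def parse_name(der):
    """Return [(attribute name, or oid_<hex> when unknown, value)] in DN order."""
    attrs = []
    for _, rdn in walk(next(walk(der))[1]):   # each SET inside the outer SEQUENCE
        for _, atv in walk(rdn):              # each AttributeTypeAndValue
            (_, oid), (_, val) = walk(atv)
            attrs.append((NAMES.get(oid, "oid_" + oid.hex()), val.decode("utf-8")))
    return attrs

def name_to_turtle(der, subject_iri):
    """One triple per attribute; backslash and double quote are escaped as Turtle literals require."""
    lines = [f"@prefix x509: <{X509_NS}> ."]
    for prop, val in parse_name(der):
        val = val.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'<{subject_iri}> x509:{prop} "{val}" .')
    return "\n".join(lines)

# Constructed sample DN (fictitious organisation); the quote in the name exercises the escaping.
SAMPLE_DN = encode_name([
    ("countryName", "GB"),
    ("organizationName", 'Example Bank "EB" Ltd'),
    ("businessCategory", "Private Organization"),
    ("jurisdictionOfIncorporationCountryName", "GB"),
])
```

Calling `name_to_turtle(SAMPLE_DN, "https://bank.example/#id")` yields four triples naming the subject IRI, which is the form a profile document could publish and a WebID client could read without any ASN.1 tooling.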
Received on Tuesday, 1 May 2012 08:12:47 UTC