Re: S/Mime signing with WebID and certificate expiration from Melvin Carvalho on 2012-10-01 (public-webid@w3.org from October 2012)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 1 Oct 2012 12:01:20 +0200
To: Sebastian Trueg <trueg@openlinksw.com>
Cc: public-webid@w3.org, public-xg-webid@w3.org
Message-ID: <CAKaEYh+NMj9tUxmTcPaajYDPZ0Vy8khm2ByEFqJcKFwDmCe74w@mail.gmail.com>

On 1 October 2012 11:47, Sebastian Trueg <trueg@openlinksw.com> wrote:

> When I was introduced to WebID in my head it was mostly about
> authentication-related scenarios, situations in which one needs to
> authenticate to get access to something. Let's call them "immediate
> identity-proof" scenarios.
> In these situations a compromised private key is no big deal: you simply
> remove the public key from your profile and you are safe.
>
> However, when it comes to email-signing this is not practical anymore. If
> you would do that then suddenly all the emails you sent before the change
> of the key will show up as unverified in the recipients' inboxes.
>
> I briefly discussed this problem with Henry who told me that it had been
> discussed before[1]. In the light of us all signing our emails with
> WebID-enabled certificates I would like to bring this up again, find a
> solution, and start implementing it.
>
> The simplest way to go AFAICS would be to introduce a new property to add
> "expired" keys to a profile. This would retain compatibility with existing
> implementations which are mostly about authentication and do not need to be
> bothered with this extension.
>
> To get the ball rolling let me throw some Turtle at you:
>
> <#me> cert:expiredKey [
>     a cert:RSAPublicKey, cert:ExpiredKey;
>     rdfs:label "Key from back when" ;
>     cert:modulus "...." ;
>     cert:exponent 65537 ;
>     cert:expired "2012-06-12T12:42"^^xsd:**datetime ] .
>
> (IMHO it would be much cleaner to use the good old cert:key property and
> just make the key another type but that might break implementations.)
>
> Using this extension email clients could still verify old emails even
> though the key has been compromised in the meantime.
>
> Regards,
> Sebastian
>
> [1] http://lists.w3.org/Archives/**Public/public-webid/2012Jan/**0031.html<http://lists.w3.org/Archives/Public/public-webid/2012Jan/0031.html>
>

I wonder if "Cool URIs dont change" is related to this.

IE cool keys dont change?

I have set my key for 100 years expiry which I will try to take care of.

Of course you can have multiple keys and throw away keys.

Perhaps we should have a preferred or canonical key much like we have a
preferredURI

... just thinking out loud ...


>
> --
> Sebastian Trueg
> Technical Consultant
> OpenLink Software
> trueg@openlinkws.com
> http://openlinksw.com
> http://trueg.wordpress.com
> http://www.linkedin.com/in/**trueg <http://www.linkedin.com/in/trueg>
>
>

Received on Monday, 1 October 2012 10:01:56 UTC